EU Signature Levels (eIDAS) and the eIDAS Seal – A Guide for Small Businesses

Electronic signatures are commonplace, but did you know there are three different levels in the EU? In this article, we explain in plain language what the eIDAS Regulation (EU Regulation on electronic identification and trust services) means, how the signature levels differ, and what an eIDAS seal is. At the end, we explain how EpicSign helps small business owners in practice.

What is eIDAS and why is it important?

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation that creates uniform rules for electronic identification and electronic signatures in all EU countries. It came into force in 2016 and was updated in 2024 (eIDAS 2.0). In practice, eIDAS means that an electronic signature made in Finland is also valid in Germany, Spain, or any other EU country. It builds trust and removes borders from digital transactions. For a small business owner, eIDAS is important because it specifies what level of signature is needed in different situations and what legal protection it has.

The EU's three signature levels

eIDAS defines three levels for electronic signatures. Each level provides a different strength of evidence of the signer's identity.

SES – Simple Electronic Signature

SES is the simplest level. It could be, for example, a name typed in an email, a digital checkbox, or a signature image. The identification is weak: the signer's identity is not separately verified.

Use cases: internal documents, low-risk contracts, order confirmations
Risk: easy to dispute who actually signed
Example: clicking an "I confirm my order" button in an online store

AES – Advanced Electronic Signature

AES requires that the signer is uniquely identified and the signature is linked to them in such a way that it cannot be altered afterwards. Identification can be done, for example, with bank credentials or a mobile certificate.

Use cases: contracts, quotes, employment contracts, client agreements
Risk: low – strong link to the signer
Example: a customer authenticates with bank credentials and signs a contract in EpicSign

QES – Qualified Electronic Signature

QES is the strongest level. In EU law, it is equivalent to a handwritten signature. QES requires a certificate issued by a qualified trust service provider and a qualified signature creation device.

Use cases: real estate transactions, government interactions, high-risk contracts
Risk: very low – legally the same as handwritten
Example: a lawyer signs a document for court with a QES certificate

Comparison table: when to choose which level?

Need	Recommendation	Why	Example
Internal acknowledgment or order confirmation	SES	Sufficient, fast, and affordable	An employee acknowledges reading an instruction
Customer contract or quote	AES	Reliably identifies the signer	A customer signs a quote with bank credentials
Employment contract or NDA	AES	Important to identify both parties	A new employee signs an employment contract in EpicSign
Real estate transaction or government document	QES	The law requires the strongest level	A lawyer signs a document for court
International contract within the EU	AES or QES	EU-wide validity under the eIDAS regulation	A Finnish company and a Spanish partner sign a collaboration agreement

What is an eIDAS seal (eSeal)?

An eIDAS seal (electronic Seal, eSeal) is an organisation's "digital stamp". It differs from an electronic signature in that a signature indicates a person's consent, while a seal proves that a document originates from a specific organisation and has not been altered. In practice, an eIDAS seal is like a corporate stamp in the digital world.

Use cases: invoices, reports, official filings, mass documents
Benefit: automatically proves the document's origin and integrity
Difference from a signature: a seal does not require an individual's action – it can be automated

A small business can benefit from a seal, for example, when sending large quantities of invoices or reports and wanting the recipient to be able to verify that the document truly comes from that company.

Strong authentication in plain language

Strong authentication means that the signer's identity is reliably verified before signing. In practice, this usually means bank credentials, a mobile certificate, or a similar method. Why is strong authentication important?

It significantly reduces the risk of misuse
It is harder to dispute a contract when the signer's identity has been verified
It is often a requirement for AES and QES level signatures
It increases trust between all parties

Example stories: eIDAS in practice

A three-person consulting firm in Tampere makes 10–15 client contracts per month. Previously, contracts were printed, signed, and scanned back. With EpicSign, the company switched to AES-level electronic signatures: the customer authenticates with bank credentials and signs the contract in a few minutes. Time saving: about 2 hours per week. A small online store uses SES-level signatures for order confirmations. The customer ticks a box to accept the terms and confirms their order electronically. This is perfectly fine for low-risk situations and does not require separate authentication.

EpicSign in practice

EpicSign supports strong authentication. With our service, you can send contracts for signature, and the recipient is reliably authenticated before signing. Coming soon: Strong authentication for the Baltics and Nordics, and the eIDAS seal. We are currently developing support for more countries' authentication methods and organisation-level eIDAS seals. EpicSign is designed for small businesses: a clear user interface, no complex technical requirements, and pricing that scales with use.

Summary

The EU's eIDAS regulation creates clear rules for electronic signatures. The three levels (SES, AES, QES) meet different needs:

SES is sufficient for simple acknowledgments and internal documents.
AES is the best choice for most contracts and quotes – with strong authentication included.
QES is the strongest level and is equivalent to a handwritten signature.
An eIDAS seal automatically proves the origin of an organisation's document.

Frequently Asked Questions

What is the difference between SES, AES, and QES signatures?

SES is the simplest level (e.g., a name typed in an email). AES requires strong authentication, like bank credentials. QES is the strongest level, equivalent to a handwritten signature, and requires a qualified certificate.

Does a small business need QES-level signatures?

Usually not. A small business's standard contracts, quotes, and employment contracts can be handled at the AES level. QES is primarily needed for government interactions or in situations specifically required by law.

What is an eIDAS seal?

An eIDAS seal (eSeal) is an organisation's digital stamp. It proves that a document originates from a specific organisation and has not been altered. It differs from a signature in that it does not require an individual's action.

Does EpicSign support strong authentication?

Yes. EpicSign supports strong authentication, and we are currently developing support for authentication methods in the Baltics and Nordics, as well as the eIDAS seal.

Is an electronic signature legally valid in Finland?

Yes. According to the eIDAS regulation, an electronic signature cannot be denied legal effect in court solely because of its electronic form. AES and QES levels offer stronger evidentiary value.

How do I choose the right signature level?

Assess the risk and value of the contract. SES is sufficient for internal documents, AES for client contracts, and QES for government documents or high-risk contracts.