By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: GlobalSignPublished October 3, 2025

TL;DR: AdES and QES both support digital signing, but QES only carries full legal equivalence when qualified certificates, a QTSP, a QSCD, and strict identity verification are in place, according to GlobalSign. For IAM and compliance teams, the real issue is not signature branding but whether the trust chain, onboarding, and jurisdictional controls actually meet the intended assurance level.


At a glance

What this is: This guide contrasts Advanced Electronic Signatures and Qualified Electronic Signatures, with the key finding that QES depends on stricter identity verification, qualified certificates, and regulated signing devices.

Why it matters: It matters because IAM, IGA, and compliance teams need to know when digital signature workflows are merely convenient versus legally binding, and where identity proofing and control assurance must be tightened.

👉 Read GlobalSign's guide to AdES vs QES and qualified signature checks


Context

Advanced Electronic Signatures and Qualified Electronic Signatures sit on the same digital-signing spectrum, but they do not deliver the same assurance. The practical question for identity and compliance teams is whether the signing process is only secure enough for business convenience, or strong enough to support legal equivalence and regulated transactions.

The governance gap is usually not the signature itself. It is the identity proofing, device assurance, certificate issuance, and jurisdictional compliance behind it. For organisations treating signatures as part of IAM and lifecycle controls, the difference between AdES and QES affects evidentiary strength, onboarding friction, and whether the workflow can stand up in audit or dispute.

This is a human identity and compliance problem, not an NHI or autonomous-system issue. The article is about how to validate signer identity, how much trust the issuing chain deserves, and what controls are necessary before a signature can be treated as qualified rather than merely advanced.


Key questions

Q: How should organisations decide between AdES and QES?

A: Start with the business and legal requirement, then work backwards to the identity proofing and trust controls that can satisfy it. If the use case involves high-value contracts, regulated records, or cross-border legal enforceability, QES is often the safer choice because it carries a stronger assurance and legal basis.

Q: What should security and compliance teams verify before accepting a QES claim?

A: Teams should verify three things: the trust service provider is qualified, the signing device meets QES requirements, and the signer was identity-proofed using a rigorous process. If any one of those elements is weak or unclear, the workflow may be closer to AdES than true QES.

Q: How do organisations know whether a digital signature workflow is actually compliant?

A: They should test the full control chain, not just the certificate. That means checking issuer status, onboarding evidence, device assurance, jurisdictional fit, and record retention. A compliant workflow can be explained and audited end to end, not merely described as secure.

Q: Who should own digital signature governance in an identity programme?

A: Ownership should sit across IAM, legal, compliance, and the business team running the workflow. IAM defines identity assurance and issuance controls, compliance checks regulatory fit, and legal determines evidentiary requirements. Without shared ownership, organisations often overstate the strength of a signature process.


Technical breakdown

AdES and QES in the digital trust chain

AdES and QES both rely on cryptographic integrity, but they sit at different assurance levels. AdES ties a signature to an identifiable signer and protects document integrity, usually through PKI and digital certificates. QES adds regulated identity proofing, issuance by a qualified trust service provider, and creation through a qualified signature creation device. The technical distinction is not cosmetic. It changes what the signature proves, how the signer was bound to the credential, and whether the result meets the legal threshold for equivalence to handwriting.

Practical implication: Treat signature type as an assurance decision, not a UI label.

Why qualified certificates and QSCD controls matter

A qualified certificate proves more than possession of a private key. It depends on a trust service provider operating under regulatory requirements and on a qualified signature creation device that protects the signing process from tampering. In practice, this is a controlled trust chain, not just a certificate workflow. If either the issuer or the signing device is weak, the whole qualified-signature claim loses credibility. For identity teams, that means assurance must be validated at issuance and at signing, not assumed from the vendor label.

Practical implication: Verify the issuer and signing device before you accept a claim of qualified status.

Identity proofing and onboarding as control points

QES depends on stronger identity proofing than ordinary digital signing. The onboarding process has to establish who the signer is with a level of assurance appropriate to the legal context, often through face-to-face verification or secure remote methods. Fast onboarding is not automatically bad, but speed without rigorous proofing usually means the process is closer to AdES than QES. This is where IAM and compliance governance overlap: identity evidence, issuance, and recordkeeping all affect whether the signature can be defended later.

Practical implication: Review onboarding evidence as part of signature governance, not just user provisioning.


NHI Mgmt Group analysis

AdES and QES expose an identity assurance problem, not just a document-signing choice. The real governance question is whether the organisation needs a signature that is operationally useful or one that can stand up as legally equivalent to a handwritten signature. That distinction matters for identity teams because assurance level determines the quality of the trust chain behind the signer. Practitioners should map signature type to business criticality, not convenience.

Qualified-signature claims fail when the trust chain is only partially qualified. A vendor can describe a workflow as secure while still missing the regulatory, device, or proofing conditions that make QES distinct from AdES. That creates an evidentiary gap: the process may function, but the resulting signature may not carry the legal status the business expects. Practitioners should verify the entire control chain before accepting a qualified designation.

Identity proofing is the control that separates convenience from evidentiary strength. QES depends on stronger onboarding and verification than most standard signing flows, which means the identity lifecycle becomes part of signature validity. If the proofing step is weak, every downstream control inherits that weakness. The implication for IAM and compliance teams is that signature governance must include enrollment evidence, issuer status, and auditability.

Electronic signature governance belongs in the same conversation as IAM and lifecycle control. Signature assurance is ultimately about who was bound to the credential, how that identity was verified, and whether the resulting record can survive regulatory scrutiny. That makes QES relevant not only to legal teams but also to IAM architects, IGA leads, and compliance owners. The practical conclusion is to treat signature workflows as governed identity events, not isolated transaction tools.

From our research:

  • 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
  • the Ultimate Guide to NHIs also reports that only 20% of organisations have formal processes for offboarding and revoking API keys, underscoring how weak lifecycle control persists.

What this signals

Qualified-signature governance is likely to become more tightly linked to identity proofing evidence and audit readiness. As organisations move more high-value workflows into digital channels, the assurance question shifts from whether a signature exists to whether the identity behind it was verified at the right standard. Teams that already document enrollment, issuer status, and device assurance will be better placed to defend those workflows in audit and dispute.

The broader signal is that digital trust controls are converging with IAM governance. Signature validation, certificate issuance, and lifecycle evidence are no longer separate concerns when the transaction carries legal weight. Practitioners should expect tighter scrutiny of proofing records, supplier status, and jurisdictional fit across the signing stack.


For practitioners

  • Classify signature use cases by legal requirement Separate workflows that need basic document integrity from those that require legal equivalence, regulated evidentiary strength, or cross-border recognition. Use that classification to decide whether AdES is sufficient or QES is mandatory.
  • Verify the trust service provider status Confirm that the issuer is officially recognised as a qualified trust service provider in the relevant jurisdiction before accepting any QES claim. Do not rely on marketing language or product descriptions alone.
  • Review identity proofing evidence at onboarding Check how the signer was verified, what records were captured, and whether the method matches the assurance level the transaction requires. Fast onboarding without strong proofing is a warning sign, especially for regulated use cases.
  • Assess the signing device controls Require evidence that a qualified signature creation device or equivalent regulated control protects the signing process. If the device assurance is unclear, treat the result as lower assurance until proven otherwise.

Key takeaways

  • AdES and QES are not interchangeable, because only QES is built for regulated identity assurance and legal equivalence.
  • The trust service provider, signing device, and identity proofing path determine whether a signature claim is defensible.
  • Identity teams should govern digital signatures as part of lifecycle, audit, and compliance control, not as isolated document tooling.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63, NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while GDPR define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing is central to QES onboarding and signer verification.
NIST CSF 2.0PR.AA-01Digital signature assurance depends on identity proofing and access governance.
NIST SP 800-53 Rev 5IA-5Qualified certificates and signing credentials map to authenticator management.
GDPRArt.32Signature workflows may process personal data and require appropriate protection.

Ensure identity verification and signing records are protected with appropriate safeguards.


Key terms

  • Advanced Electronic Signature: An Advanced Electronic Signature is a digital signature that binds a signer to a document with stronger assurance than a basic e-signature. It typically relies on PKI, signer identification, and integrity protection so the document cannot be altered without invalidating the signature.
  • Qualified Electronic Signature: A Qualified Electronic Signature is a signature created under regulated conditions that give it the highest legal assurance in the EU. It requires a qualified certificate, a recognised trust service provider, and a qualified signature creation device, making the identity proofing chain part of the signature’s validity.
  • Qualified Trust Service Provider: A Qualified Trust Service Provider is an entity authorised to issue qualified certificates and operate within a regulated trust framework. In practice, its status matters because QES depends on formal recognition, not just technical capability or marketing claims.
  • Qualified Signature Creation Device: A Qualified Signature Creation Device is a controlled device or secure environment used to create a QES. It protects the signing process and the private key material so the signature can retain the assurance required for legal and regulatory use.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • A step-by-step breakdown of the questions to ask a qualified signature provider before procurement.
  • Specific guidance on how to assess QTSP status, QSCD use, and jurisdictional compliance claims.
  • A practical checklist for identifying when an apparent QES offering is actually closer to AdES.
  • Pricing and vendor selection pitfalls that can affect legal and security assurance.

👉 GlobalSign's full post covers provider evaluation questions, compliance checks, and common QES selection pitfalls.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org