By NHI Mgmt Group Editorial TeamDomain: Identity Beyond IAMSource: GlobalSignPublished October 3, 2025

TL;DR: AdES and QES differ on identity assurance, device controls, and legal equivalence, with QES requiring a qualified trust service provider, a qualified signature creation device, and stronger identity verification under eIDAS, according to GlobalSign. The governance issue is not the signature label itself but whether the underlying identity proofing, issuance, and compliance controls actually meet the risk and jurisdictional requirements.


At a glance

What this is: This is a comparison of AdES and QES that shows QES adds qualified identity proofing, QSCD use, and eIDAS legal equivalence.

Why it matters: It matters because signature workflows are identity workflows, and IAM, compliance, and trust teams need to know when assurance, auditability, and legal standing must be stronger than standard electronic signing.

👉 Read GlobalSign's guide to AdES and QES provider selection


Context

Electronic signatures only work as a control when the organisation understands how identity proofing, certificate issuance, and signing device assurance fit together. In this article, the core issue is not whether a document can be signed, but whether the signing process produces evidence strong enough for the transaction, the regulator, and the jurisdiction involved.

That distinction matters for identity programmes because AdES and QES sit at the boundary between digital identity, certificate lifecycle management, and trust service governance. Where signed documents carry legal or regulated weight, identity teams need to understand whether they are dealing with a simple attestation layer or a qualified trust mechanism with stronger verification requirements.


Key questions

Q: When is AdES not enough for regulated signing workflows?

A: AdES is not enough when the transaction needs legally robust identity assurance, strong auditability, or formal recognition under a specific jurisdiction. In those cases, teams should assess whether the signing process needs QES, because the qualified model adds stricter proofing, qualified trust services, and a qualified signature device.

Q: How should organisations decide between AdES and QES?

A: Start with the business and legal requirement, then work backwards to the identity proofing and trust controls that can satisfy it. If the use case involves high-value contracts, regulated records, or cross-border legal enforceability, QES is often the safer choice because it carries a stronger assurance and legal basis.

Q: What do security teams get wrong about electronic signing workflows?

A: Teams often treat e-signature tools as document automation rather than identity and evidence systems. That mistake leads to weak authentication, poor role control, and incomplete audit records, which can leave organisations unable to prove approval legitimacy when it matters most.

Q: Who is accountable if a signature service claims QES but does not meet the standard?

A: Accountability usually spans the provider, the organisation that selected it, and the compliance function that accepted the control. Teams should validate trust service status, evidence of identity proofing, and jurisdictional fit before deployment, because assurance claims are only as strong as the governance behind them.


Technical breakdown

How AdES establishes signer identity and document integrity

Advanced electronic signatures are designed to bind a signature to a specific signer and make tampering detectable after signing. In practice, that assurance usually depends on PKI, digital certificates, and a trust chain that can show who signed and whether the content changed. AdES is stronger than a basic click-to-sign model, but its legal and operational strength still depends on how the identity proofing and certificate issuance were performed. Practical implication: treat AdES as a controlled identity assertion, not as automatic legal equivalence.

Practical implication: verify the identity proofing and certificate issuance process before treating AdES as sufficient for regulated workflows.

Why QES depends on a qualified trust service provider and QSCD

Qualified electronic signatures are built on two additional trust conditions: issuance by a qualified trust service provider and creation through a qualified signature creation device. The provider side matters because the certificate must come from an accredited trust path, while the device side matters because the signature material must be protected in a qualified environment. This is what moves QES from a stronger signature to a legally recognised one under eIDAS. Practical implication: confirm both the provider status and the signing device model before approving QES use in production.

Practical implication: check provider qualification and QSCD support as separate control questions, not as one procurement checkbox.

Where identity verification and onboarding become the control gate

The article makes clear that QES onboarding is not supposed to be frictionless. Strong identity verification, including in-person or secure remote checks, is part of what makes the signature qualified rather than merely advanced. That means onboarding is itself a governance control, because weak verification creates a false sense of legal assurance downstream. In identity terms, the quality of the initial proofing step shapes the trustworthiness of every later signed transaction. Practical implication: review onboarding flow, not just certificate output, when assessing signature assurance.

Practical implication: treat onboarding controls as part of signature governance and test them like any other identity-proofing process.


NHI Mgmt Group analysis

Signature assurance is an identity governance problem, not just a document workflow problem. The article shows that the real difference between AdES and QES sits in proofing, issuance, and device assurance, not in the user experience of signing. That places electronic signatures squarely inside IAM-adjacent governance, especially where legal enforceability or regulated transactions are involved. Organisations should evaluate signature controls the same way they evaluate high-assurance identity controls.

QES becomes trustworthy only when the trust chain is explicit. A qualified label is not enough if the provider status, certificate path, and signing device are not independently checked. This maps to the same control logic that identity teams use for certificate lifecycle and strong authentication, where assurance comes from verifiable issuance and managed trust boundaries. Practitioners should treat supplier validation as a control requirement, not a procurement formality.

Qualified onboarding is the named control gap that most weak signature programmes overlook. If identity proofing is lightweight, the organisation may end up with an AdES-like process presented as QES, which creates legal and audit exposure. The governance failure is not only technical but procedural, because onboarding quality determines whether the signature can support compliance claims later. Teams should make proofing depth auditable before they rely on the result.

eIDAS-style signature governance will increasingly intersect with broader identity assurance and privacy controls. The article’s reference to jurisdictional compliance and GDPR shows that signing cannot be separated from personal data handling, consent evidence, and regional legal requirements. For identity leaders, that means electronic signature programmes belong in the same governance conversation as digital identity verification and regulated onboarding. Practitioners should align signature policy with legal, privacy, and assurance reviews together.

What this signals

Signature programmes will increasingly be judged as part of identity assurance rather than as isolated legal tooling. Where regulated transactions are involved, the question is not whether the workflow is digital, but whether the proofing and trust chain can stand up to legal and audit scrutiny.

For identity teams, the practical shift is toward treating onboarding, certificate issuance, and device assurance as one control plane. That makes vendor selection, evidence retention, and jurisdictional mapping part of the identity programme, not a downstream procurement detail.


For practitioners

  • Audit signature assurance levels Map each electronic signature use case to the assurance level it actually needs, then separate low-risk business transactions from regulated or legally binding workflows. Use that map to decide where AdES is enough and where QES controls are mandatory.
  • Validate trust service qualification Check whether the provider is a qualified trust service provider and confirm that the certificate path is recognised in the jurisdiction where the signature will be used. Do not treat marketing language as evidence of qualification.
  • Test onboarding proofing depth Review whether identity verification includes secure remote checks or in-person validation where QES is required, and document the evidence captured at onboarding. If proofing is lightweight, do not classify the resulting signature as qualified.
  • Separate device assurance from certificate issuance Confirm that the qualified signature creation device is managed as a distinct control from the certificate itself, with clear responsibility for protection and lifecycle management. This reduces the risk of treating a strong certificate as proof of end-to-end assurance.

Key takeaways

  • AdES and QES are different not because of branding, but because they rely on different assurance and trust controls.
  • The strongest risk in signature governance is weak identity proofing that produces a qualified-looking process without qualified evidence.
  • Identity, compliance, and legal teams should assess electronic signatures as part of the broader identity assurance model, not as a standalone document feature.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST SP 800-63 and NIST CSF 2.0 set the technical controls, while GDPR and ISO/IEC 27001:2022 define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST SP 800-63SP 800-63AIdentity proofing is central to QES onboarding and assurance.
GDPRArt.32The article links signature services to privacy and security of personal data.
NIST CSF 2.0PR.AC-1Access and identity assurance underpin trusted electronic signing.
ISO/IEC 27001:2022A.5.15Access control governance is relevant to trusted signing and provider validation.

Assess whether signature onboarding and record handling satisfy security of processing obligations.


Key terms

  • Advanced Electronic Signature: An advanced electronic signature is a signature method that links a signer to a document and detects later tampering. It provides stronger assurance than a simple electronic signature because it depends on identifiable signer binding and integrity protection, usually through PKI and digital certificates.
  • Qualified Electronic Signature: A higher-assurance signature backed by certificate-based identity and trust service provider controls. It is used where legal recognition and stronger evidentiary value are required, especially in cross-border or regulated workflows where the identity chain must remain defensible.
  • Qualified Trust Service Provider: A qualified trust service provider is an organisation authorised to deliver trust services such as digital signatures, seals, timestamps, or certificates under EU trust rules. In practice, it must prove strong governance, resilience, and accountability because its services underpin digital trust for regulated transactions.
  • Qualified Signature Creation Device: A qualified signature creation device is the controlled hardware or software environment used to create a qualified electronic signature. Its purpose is to keep signing credentials under exclusive signer control and to reduce the chance that a signature can be forged, replayed, or altered after use.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • The full QES supplier checklist, including the specific questions to ask a trust service provider before procurement
  • The practical differences in onboarding flow between AdES and QES, including how identity verification should be performed
  • The article's comparison of pricing signals and why very low-cost offerings may indicate lower assurance
  • The source's notes on choosing qualified digital seals when a seal is more appropriate than a signature

👉 GlobalSign's full article includes the provider checklist, onboarding questions, and common misclassification pitfalls.

Deepen your knowledge

The NHI Foundation Level course, the industry's only accredited NHI security programme, covers NHI governance, IAM, and identity lifecycle concepts that help teams build stronger assurance models. It is useful for practitioners who need to connect identity controls to wider security and compliance programmes.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 11, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org