Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

AdES vs QES: what IAM and identity teams need to check


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: AdES and QES differ on identity assurance, device controls, and legal equivalence, with QES requiring a qualified trust service provider, a qualified signature creation device, and stronger identity verification under eIDAS, according to GlobalSign. The governance issue is not the signature label itself but whether the underlying identity proofing, issuance, and compliance controls actually meet the risk and jurisdictional requirements.

NHIMG editorial — based on content published by GlobalSign: AdES vs QES provider selection and signature assurance

Questions worth separating out

Q: When is AdES not enough for regulated signing workflows?

A: AdES is not enough when the transaction needs legally robust identity assurance, strong auditability, or formal recognition under a specific jurisdiction.

Q: How should organisations decide between AdES and QES?

A: Start with the business and legal requirement, then work backwards to the identity proofing and trust controls that can satisfy it.

Q: What do security teams get wrong about electronic signing workflows?

A: Teams often treat e-signature tools as document automation rather than identity and evidence systems.

Practitioner guidance

  • Audit signature assurance levels Map each electronic signature use case to the assurance level it actually needs, then separate low-risk business transactions from regulated or legally binding workflows.
  • Validate trust service qualification Check whether the provider is a qualified trust service provider and confirm that the certificate path is recognised in the jurisdiction where the signature will be used.
  • Test onboarding proofing depth Review whether identity verification includes secure remote checks or in-person validation where QES is required, and document the evidence captured at onboarding.

What's in the full article

GlobalSign's full article covers the operational detail this post intentionally leaves for the source:

  • The full QES supplier checklist, including the specific questions to ask a trust service provider before procurement
  • The practical differences in onboarding flow between AdES and QES, including how identity verification should be performed
  • The article's comparison of pricing signals and why very low-cost offerings may indicate lower assurance
  • The source's notes on choosing qualified digital seals when a seal is more appropriate than a signature

👉 Read GlobalSign's guide to AdES and QES provider selection →

AdES vs QES: what IAM and identity teams need to check?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

Signature assurance is an identity governance problem, not just a document workflow problem. The article shows that the real difference between AdES and QES sits in proofing, issuance, and device assurance, not in the user experience of signing. That places electronic signatures squarely inside IAM-adjacent governance, especially where legal enforceability or regulated transactions are involved. Organisations should evaluate signature controls the same way they evaluate high-assurance identity controls.

A question worth separating out:

Q: Who is accountable if a signature service claims QES but does not meet the standard?

A: Accountability usually spans the provider, the organisation that selected it, and the compliance function that accepted the control. Teams should validate trust service status, evidence of identity proofing, and jurisdictional fit before deployment, because assurance claims are only as strong as the governance behind them.

👉 Read our full editorial: AdES vs QES: what signature assurance means for identity governance



   
ReplyQuote
Share: