TL;DR: AdES and QES both support digital signing, but QES only carries full legal equivalence when qualified certificates, a QTSP, a QSCD, and strict identity verification are in place, according to GlobalSign. For IAM and compliance teams, the real issue is not signature branding but whether the trust chain, onboarding, and jurisdictional controls actually meet the intended assurance level.
NHIMG editorial — based on content published by GlobalSign: AdES vs QES and the key questions to ask when choosing a qualified signature provider
Questions worth separating out
Q: How should organisations decide between AdES and QES?
A: Start with the business and legal requirement, then work backwards to the identity proofing and trust controls that can satisfy it.
Q: What should security and compliance teams verify before accepting a QES claim?
A: Teams should verify three things: the trust service provider is qualified, the signing device meets QES requirements, and the signer was identity-proofed using a rigorous process.
Q: How do organisations know whether a digital signature workflow is actually compliant?
A: They should test the full control chain, not just the certificate.
Practitioner guidance
- Classify signature use cases by legal requirement Separate workflows that need basic document integrity from those that require legal equivalence, regulated evidentiary strength, or cross-border recognition.
- Verify the trust service provider status Confirm that the issuer is officially recognised as a qualified trust service provider in the relevant jurisdiction before accepting any QES claim.
- Review identity proofing evidence at onboarding Check how the signer was verified, what records were captured, and whether the method matches the assurance level the transaction requires.
What's in the full article
GlobalSign's full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step breakdown of the questions to ask a qualified signature provider before procurement.
- Specific guidance on how to assess QTSP status, QSCD use, and jurisdictional compliance claims.
- A practical checklist for identifying when an apparent QES offering is actually closer to AdES.
- Pricing and vendor selection pitfalls that can affect legal and security assurance.
👉 Read GlobalSign's guide to AdES vs QES and qualified signature checks →
AdES vs QES: are your identity checks strong enough for legal use?
Explore further
AdES and QES expose an identity assurance problem, not just a document-signing choice. The real governance question is whether the organisation needs a signature that is operationally useful or one that can stand up as legally equivalent to a handwritten signature. That distinction matters for identity teams because assurance level determines the quality of the trust chain behind the signer. Practitioners should map signature type to business criticality, not convenience.
A few things that frame the scale:
- 97% of NHIs carry excessive privileges, increasing unauthorised access and broadening the attack surface, according to the Ultimate Guide to NHIs.
- 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures.
A question worth separating out:
Q: Who should own digital signature governance in an identity programme?
A: Ownership should sit across IAM, legal, compliance, and the business team running the workflow. IAM defines identity assurance and issuance controls, compliance checks regulatory fit, and legal determines evidentiary requirements. Without shared ownership, organisations often overstate the strength of a signature process.
👉 Read our full editorial: AdES vs QES: what identity teams must verify before adoption