eIDAS Explained: SES vs AES vs QES

If you send or receive contracts inside the European Union, one regulation governs whether your electronic signatures hold up: the eIDAS Regulation (EU) No 910/2014. It does two things that matter to you. First, it forbids courts from rejecting a signature’s legal effect just because it’s electronic. Second, it defines three escalating tiers of e-signature — Simple (SES), Advanced (AES), and Qualified (QES) — each with stricter technical requirements and stronger legal weight. Pick the right tier and a routine agreement signs in seconds; pick wrong on a high-stakes document and you may have to prove its validity the hard way. This guide explains all three in plain language, with no legal jargon and no fluff.

What eIDAS actually is

eIDAS stands for “electronic IDentification, Authentication and trust Services.” It’s a single regulation that applies directly across every EU member state, so the rules for an electronic signature are broadly the same whether your counterparty is in Germany, Spain, or Ireland. It replaced an older patchwork of national laws and created a shared vocabulary for signatures, seals, timestamps, and the trust providers that issue them.

The most important principle for everyday signing is non-discrimination. eIDAS states that an electronic signature shall not be denied legal effect or admissibility as evidence in court solely on the grounds that it is electronic or that it doesn’t meet the requirements for the qualified tier. In plain terms: even the simplest electronic signature gets its day in court. The tier you choose doesn’t decide whether a signature counts — it decides how much extra proof you might need if someone disputes it. For a deeper walk-through of the regulation, see our eIDAS overview.

Tier 1: Simple Electronic Signature (SES)

The Simple Electronic Signature is the broadest category. eIDAS defines an electronic signature as data in electronic form attached to, or logically associated with, other data and used by the signer to sign. That’s deliberately wide. A typed name, a drawn signature on a touchscreen, a clicked “I agree” box, or a scanned image of your handwriting can all qualify as an SES.

Because the definition is so flexible, an SES carries no built-in guarantee about who actually signed or whether the document changed afterward. That doesn’t make it worthless — thanks to non-discrimination, an SES is admissible and can be perfectly enforceable. It simply means the strength of your evidence depends on what surrounds the signature: the email used, the device, the time, and the record of intent.

This is exactly where a solid audit trail earns its keep. A timestamped log capturing who opened the document, from which email and IP, when they signed, and what they saw transforms a bare click into a defensible record. For most low-risk documents — internal approvals, simple service agreements, routine consents — a well-evidenced SES is entirely appropriate.

Tier 2: Advanced Electronic Signature (AES)

The Advanced Electronic Signature raises the bar with four specific requirements. Under eIDAS, an AES must be:

• Uniquely linked to the signer — the signature is tied to one identifiable person, not a shared or anonymous credential.
• Capable of identifying the signer — there’s a meaningful way to establish who they are.
• Created using data the signer can keep under their sole control — typically a private cryptographic key only they can use.
• Linked to the signed data so any later change is detectable — if even one character of the document is altered after signing, the signature breaks or flags as invalid.

That last property — tamper-evidence — is what most people picture when they think of a “digital signature.” It usually relies on public-key cryptography that binds a unique fingerprint of the document to the signer’s key. The distinction between the broad legal concept of an electronic signature and the specific cryptographic technique is worth understanding; we cover it in electronic vs digital signatures.

An AES gives you stronger, more self-contained proof than an SES because identity and integrity are built into the signature itself rather than inferred from surrounding metadata. It’s a sensible default for agreements that carry real money or real obligations — commercial contracts, vendor agreements, and the like — without the added cost and friction of the qualified tier.

Tier 3: Qualified Electronic Signature (QES)

The Qualified Electronic Signature is the top tier and the only one with a special status under eIDAS. A QES is an AES that adds two more strict ingredients:

• A qualified electronic signature creation device (QSCD) — certified hardware or a certified secure service that protects the signer’s private key.
• A qualified certificate — a certificate issued by a qualified trust service provider that has been vetted and listed by an EU member state, after verifying the signer’s identity to a high standard.

Here is what makes QES unique: eIDAS states that a Qualified Electronic Signature has the equivalent legal effect of a handwritten signature, automatically and across the entire EU. A QES created in one member state must be recognized as a QES in all the others. For SES and AES, enforceability still depends on the facts and on national law; for QES, the equivalence is built into the regulation itself.

That power comes with cost and friction. Obtaining a qualified certificate means a formal identity verification through a qualified provider, and the signing experience is heavier than clicking a button. You generally reserve QES for the narrow set of documents where the law specifically demands handwritten-equivalent signatures, or where the stakes are high enough that automatic, pan-EU equivalence is worth the effort.

How to match the tier to the risk

The three tiers aren’t a quality ranking where higher is always better — they’re a spectrum of assurance, and your job is to match assurance to risk. A useful way to think about it:

• Low risk, low dispute likelihood — consents, internal sign-offs, routine low-value agreements. An SES backed by a strong audit trail is usually proportionate.
• Meaningful obligations or money — commercial contracts, supplier deals, employment paperwork. An AES gives built-in identity and tamper-evidence without heavy onboarding.
• Legally mandated or maximum stakes — documents where statute requires a handwritten-equivalent signature, or where cross-border, no-argument enforceability is essential. QES is the fit.

Ask three questions for each document: How likely is a dispute? How costly is it if the signature fails to hold? Does any law require a specific tier? The honest answer for the large majority of everyday business documents is that an SES or AES with a clear, complete audit trail is more than enough. Over-engineering every signature with QES adds cost and friction your counterparties will resent.

How eIDAS compares to US law

If you operate on both sides of the Atlantic, it helps to know the rough equivalents. In the United States, the federal ESIGN Act (2000) and the state-level UETA (1999) establish that electronic signatures are valid and enforceable. UETA is a model law adopted in 49 states plus the District of Columbia; New York is the lone holdout, relying instead on its own Electronic Signatures and Records Act (ESRA). Both frameworks take a more technology-neutral, outcome-focused approach and don’t define formal tiers the way eIDAS does. The shared thread across all of them is that an electronic signature can’t be rejected merely for being electronic — what differs is how each framework structures assurance. For a broader treatment of enforceability across jurisdictions, read is an electronic signature legally binding.

Where sign.pink fits

For the everyday SES-and-AES tier that covers most real-world signing, sign.pink keeps things simple and honest. It’s a mobile-first DocuSign alternative at $3 per month — no envelope caps, no per-seat fees, and no account required for the people you send documents to. Every completed document comes with a detailed, timestamped audit trail, which is precisely the evidence that turns a simple electronic signature into a defensible one. If your workflow genuinely requires the qualified tier, that’s a specialized need best served by a qualified trust service provider, and any honest tool should tell you so rather than overpromise.

The takeaway: eIDAS protects every electronic signature from being dismissed for being digital, and gives you three tiers to dial assurance up or down. Understand SES, AES, and QES, match the tier to the risk, and back it with a strong audit trail — that combination handles the overwhelming majority of EU signing needs.

This article is general information, not legal advice; consult a qualified attorney about your specific situation.