eIDAS — qualified electronic signatures on Declarations of Conformity

The Declaration of Conformity (DoC) is the document by which a manufacturer takes legal responsibility for a product meeting all applicable EU requirements. Most New Legislative Framework directives — RED, EMC, LVD, the Machinery Regulation, RoHS, the Toy Safety Directive — require the DoC to be signed "on behalf of" the manufacturer, but they are silent on whether ink, scan, or qualified electronic signatures are required. The horizontal answer comes from the eIDAS Regulation (EU) No 910/2014, now substantially amended by Regulation (EU) 2024/1183 establishing the European Digital Identity Framework.

This article walks through what eIDAS actually says about signatures, which level a manufacturer realistically needs for a DoC, how to find a qualified trust service provider, and how the upcoming Digital Identity Wallet will change the day-to-day mechanics.

The three signature levels in Article 3

Article 3 of Regulation (EU) 910/2014 defines the three levels with progressive technical requirements:

The four cumulative requirements for an advanced electronic signature live in Article 26: the signature must be uniquely linked to the signatory, capable of identifying the signatory, created using electronic signature creation data that the signatory can use under sole control with a high level of confidence, and linked to the signed data such that any subsequent change is detectable.

A qualified electronic signature (QES) goes one step further: it requires both a qualified certificate issued by a qualified trust service provider (QTSP) and a qualified signature creation device (typically a smart card, USB token, or a remote QSCD operated by a QTSP).

Article 25 — the legal effects that matter to a DoC

Article 25 is the workhorse of eIDAS for compliance documents. It has three numbered paragraphs that every regulatory affairs lead should know by heart:

"An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures." — Article 25(1)

"A qualified electronic signature shall have the equivalent legal effect of a handwritten signature." — Article 25(2)

"A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States." — Article 25(3)

For DoCs the practical consequence is twofold. First, no Member State market surveillance authority can reject your DoC merely because it carries a typed signature, a scanned ink signature, or a digital seal — Article 25(1) blocks that argument. Second, only a QES gives you the strongest possible evidentiary footing: under Article 25(2) it is treated as a handwritten signature, and under Article 25(3) that treatment is automatic in every Member State.

What the sectoral directives actually require

This is where most internal debates inside manufacturers happen. The horizontal eIDAS framework does not tell you what a DoC requires; the sectoral directive does. A scan across the New Legislative Framework family shows a consistent pattern: the DoC must be signed on behalf of the manufacturer by a person identified by name and function, but no specific electronic-signature level is prescribed.

The typical formula — drawn from texts such as the model declaration of conformity templates in the relevant directive annexes — is some variant of: "Signed for and on behalf of: [manufacturer name], [place and date of issue], [name, function], [signature]". Where directives include a model DoC (for example RED Annex VI), the model leaves the signature field open without specifying a technical standard.

The European Commission's Blue Guide on the implementation of EU product rules treats the DoC as a formal declaration that triggers manufacturer liability, not as a notarial instrument. For more on the underlying obligation, see our Declaration of Conformity 101.

That leaves manufacturers with a practical decision matrix:

Finding a qualified trust service provider

Per Article 22 of Regulation (EU) 910/2014, every Member State must establish, maintain and publish a national Trusted List naming the qualified trust service providers under its supervision and the qualified services they provide. The Commission aggregates these into a single EU Trusted List Browser hosted at the Digital Building Blocks portal.

A few rules of thumb when choosing a QTSP:

• Only providers that appear on a national Trusted List may legitimately call their service "qualified" under eIDAS.
• The "Qualified Certificate for Electronic Signature" is the service you need to sign a DoC at QES level.
• Look for remote signing services (rQES) if you want signatories to use a mobile app rather than a smart card or USB token.
• Cross-border use is the entire point — Article 25(3) means a Dutch QTSP's certificate is fully valid for a DoC drafted in Slovakia.

The 2024/1183 amendment and the EU Digital Identity Wallet

Regulation (EU) 2024/1183 of 11 April 2024 — formally titled "amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework" — was published in the OJ L series on 30 April 2024 and is in force. It introduces the European Digital Identity Wallet ("EUDI Wallet").

The wallet's legal scope is broad. Article 3 of the amended regulation defines it as an electronic identification means that allows the user to securely store, manage and validate person identification data and electronic attestations of attributes, and importantly "to sign by means of qualified electronic signatures or to seal by means of qualified electronic seals". In other words, once your Member State issues you a wallet, your phone becomes a QSCD.

For DoC signing, the practical consequence over the rollout period is that authorised signatories will not have to buy a separate QES certificate or carry a USB token. Implementing acts and certification schemes for wallet providers are still being adopted via the Commission's eIDAS implementation work, and Member State rollout will be staggered. Until your local wallet is generally available, the traditional QTSP route remains the way to obtain a QES.

Common mistakes

• Confusing a DocuSign click-to-sign with a QES. Most off-the-shelf e-signature platforms produce advanced electronic signatures, not qualified ones. They are still fully valid for DoCs in most Member States, but they do not have the Article 25(2) "equivalent of handwritten" effect unless the provider routes the transaction through a qualified workflow.
• Believing a national authority can reject a typed signature. They cannot, per Article 25(1). What they can reject is a DoC that lacks a clear signatory identification, or one signed by someone who cannot bind the manufacturer.
• Using a QES certificate that is not on any Trusted List. Many providers describe themselves as "eIDAS compliant" without being qualified. Verify the company name on the EU Trusted List Browser before paying.
• Signing a stale DoC after an amendment. A QES does not save a DoC whose underlying technical file is out of date. See updating a DoC after amendment.
• Not retaining the signature evidence. Whether you used a scanned ink signature or a QES, the manufacturer must keep the technical file (including the DoC) for the retention period set in each applicable directive. See technical file retention requirements.

How Cenitia helps

Cenitia generates Declarations of Conformity that are structured for signature workflows. Each generated DoC ships as a PDF/A with embedded metadata identifying the manufacturer, the applicable directives and harmonised standards, and a dedicated signature field, so it can be routed through any AdES or QES provider — including remote signing services operated by qualified trust service providers on the EU Trusted List — without re-keying or re-formatting.

When the European Digital Identity Wallet becomes widely available in your Member State, the same DoCs will be wallet-ready: the signature placeholder follows PAdES Baseline so a QES applied via wallet, smart card, or QSCD lands in the correct location with the correct PDF/A long-term validation profile.

Frequently asked questions

Does a Declaration of Conformity legally require a qualified electronic signature?

Generally no. Most New Legislative Framework directives — RED, EMC, LVD, RoHS, Machinery — require the DoC to be signed on behalf of the manufacturer but do not prescribe a specific eIDAS signature level. Per Article 25(1) of Regulation (EU) 910/2014, a non-qualified electronic signature cannot be denied legal effect merely because it is electronic. A scanned ink signature, a typed signatory name and date, or any advanced electronic signature are all commonly accepted in practice. A QES is the safest choice when one is reasonably available.

What is the legal difference between simple, advanced, and qualified electronic signatures?

Article 3 of Regulation (EU) 910/2014 defines all three. A simple electronic signature is any data in electronic form attached to other data and used to sign. An advanced electronic signature additionally meets the four criteria in Article 26 (uniquely linked to and identifying the signatory, under sole control, tamper-evident). A qualified electronic signature is an advanced signature created with a qualified signature creation device based on a qualified certificate — and per Article 25(2) has the equivalent legal effect of a handwritten signature.

Where can I find a list of qualified trust service providers in the EU?

The European Commission publishes the EU Trusted List Browser, which aggregates each Member State's national Trusted List of qualified trust service providers and the qualified services they provide. Each Member State is required to establish, maintain and publish a Trusted List under Article 22 of Regulation (EU) 910/2014. Only providers appearing on a national Trusted List may legitimately advertise themselves as "qualified" under eIDAS.

Will the European Digital Identity Wallet change how DoCs are signed?

Regulation (EU) 2024/1183 of 11 April 2024 amends the eIDAS Regulation to establish the European Digital Identity Wallet framework. Per Article 3 of the amended regulation, every wallet must allow the user "to sign by means of qualified electronic signatures". Once wallets are widely available, manufacturers' authorised signatories should be able to apply a QES to a DoC from a mobile device without buying a separate signature certificate. The Commission has set out a phased rollout via implementing acts.

Does a qualified electronic signature issued in one Member State work in another?

Yes. Article 25(3) of Regulation (EU) 910/2014 provides that a qualified electronic signature based on a qualified certificate issued in one Member State "shall be recognised as a qualified electronic signature in all other Member States". This is the cross-border recognition that makes QES attractive for manufacturers placing one DoC into circulation across the entire single market.

If I sign a DoC with a simple PDF e-signature, is it valid?

Likely yes, for most New Legislative Framework directives. The signature requirement on a DoC is fundamentally about identifying the natural person within the manufacturer's organisation who takes responsibility for the declaration — most directives do not specify a technical signature level. Article 25(1) of eIDAS prevents national courts and authorities from rejecting an electronic signature "solely on the grounds that it is in an electronic form". The practical risk lies in disputes or surveillance actions where the manufacturer needs to prove who signed; a QES, or at minimum an advanced signature with a robust audit trail, materially reduces that risk.

Related from the Library

• Declaration of Conformity 101 — the underlying DoC obligation that the signature attaches to
• Updating a DoC after amendment — when to re-issue and re-sign
• DoC translation requirements — language obligations that travel with the signed DoC
• Sample DoC walkthrough — an annotated example
• Technical file retention requirements — how long the signed DoC and supporting file must be kept

Further reading

• Regulation (EU) No 910/2014 — eIDAS — the foundational text on EUR-Lex
• Regulation (EU) 2024/1183 — European Digital Identity Framework — the 2024 amendment
• European Commission eIDAS policy page — Commission overview and implementing acts
• EU Trusted List Browser — the canonical list of qualified trust service providers
• Blue Guide on EU product rules — Commission guidance on DoCs and manufacturer obligations
• ETSI EN 319 142 — PAdES baseline — the PDF signature profile typically used for DoC signing

Last reviewed: 5 July 2026. Cited regulations watched continuously by Cenitia — when one amends, this article is flagged for update.