
eIDAS-Compliant Digital Signatures with PGP/GPG Integration

SecTepe Editorial

Anyone in 2026 still printing contracts, signing them, scanning them, and mailing them back has turned a 90-second process into a 20-minute one – and lost the original evidence (the paper). eIDAS-compliant digital signatures fix that. SecTepe.Core integrates them along with PGP/GPG for a complete workflow solution.

Three Signature Levels Under eIDAS

  • SES (simple electronic signature): any electronic confirmation. Low evidentiary value but sufficient for many internal workflows.
  • AdES (advanced electronic signature): uniquely attributable to the signer, technically tamper-resistant. Suitable for risk acceptance, internal approvals, supplier T&Cs.
  • QES (qualified electronic signature): legally equivalent to a handwritten signature, issued by a qualified trust service provider on the basis of a qualified signature certificate. Mandatory for certain contracts (e.g. those with a statutory written-form requirement).

SecTepe.Core supports all three levels, with clear UI indication of which level is being used for which document.

Where PGP/GPG Plays an Additional Role

eIDAS regulates the legal side; PGP/GPG is the established cryptographic ecosystem for email signatures, code signing, and backup encryption. SecTepe.Core integrates both so that keys do not have to be managed twice:

  • Key hub: every user has a central keyring (eIDAS certificate, PGP key, S/MIME), stored in OpenBao.
  • Usage context selects the key: risk acceptance in the ISMS → eIDAS AdES; confidential mail to the auditor → PGP; code commit signing → PGP.
  • Lifecycle management: key renewal, revocation, and trust chain updates run centrally.

Workflow Example: Residual Risk Acceptance

  1. Risk manager creates an acceptance request in the risk module with documented residual risk.
  2. Top management gets notification with a link to the request.
  3. Top management opens the document in the portal, reviews content, clicks "Sign with AdES".
  4. Platform requests multi-factor confirmation (FIDO2 key or TOTP).
  5. Signature is applied; audit log with identity + timestamp + document hash is written.
  6. Signed document is stored in a WORM archive (object lock in COMPLIANCE mode), so that it can still be validated even 10 years later.

Long-Term Validation: The Forgotten Detail

A signature valid today may be invalid in 10 years – when the signature certificate has expired in the meantime and the original trust chain can no longer be verified. eIDAS addresses this with AdES-LTV (long-term validation): the signed document additionally contains certificate status (OCSP/CRL) and a trustworthy timestamp at signature time. Even when the certificate later expires, the signature remains provably valid.

SecTepe.Core applies LTV automatically for all signatures used in risk acceptance, supplier contracts, or audit evidence.
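Steps 5 and 6 of the workflow above and the LTV section both come down to one verifiable record: signer identity, signing time, document hash, signature, and the key status as it stood at signing time. The following Go program is an added example written for this page, not SecTepe.Core code. It substitutes an Ed25519 key with a hypothetical validity window for a real certificate, embeds the signing time and key status directly in the record instead of obtaining them from a time-stamping authority and OCSP/CRL, and the document text, signer address and validity dates are constructed. Verification judges the key at the embedded signing time rather than at verification time, which is what lets a 2026 signature still validate in 2036.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// SigningKey stands in for the signer's certificate: an Ed25519 key pair plus a validity window (constructed, not a real PKI object).
type SigningKey struct {
	Public    ed25519.PublicKey
	private   ed25519.PrivateKey
	NotBefore time.Time
	NotAfter  time.Time
}

// NewSigningKey generates a key that may only sign inside [notBefore, notAfter].
func NewSigningKey(notBefore, notAfter time.Time) (*SigningKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &SigningKey{Public: pub, private: priv, NotBefore: notBefore, NotAfter: notAfter}, nil
}

// AuditRecord is the step-5 audit entry (identity + timestamp + document hash) extended with the signature
// and the key's validity window as seen at signing time. Real AdES-LTV takes the time from a qualified
// time-stamping authority and the status from OCSP/CRL; here both are embedded so the check runs offline.
type AuditRecord struct {
	Signer       string    `json:"signer"`
	SignedAt     time.Time `json:"signed_at"`
	DocHash      string    `json:"doc_hash"` // hex SHA-256 of the document bytes
	Signature    []byte    `json:"signature"`
	PublicKey    []byte    `json:"public_key"`
	KeyNotBefore time.Time `json:"key_not_before"`
	KeyNotAfter  time.Time `json:"key_not_after"`
}

// signedPayload binds signer, hash and time into one message so none of them can be swapped independently.
func signedPayload(signer, docHash string, signedAt time.Time) []byte {
	return []byte(signer + "|" + docHash + "|" + signedAt.UTC().Format(time.RFC3339))
}

// Sign hashes the document and writes the audit record; it refuses to sign outside the key's validity window.
func Sign(key *SigningKey, signer string, document []byte, signedAt time.Time) (*AuditRecord, error) {
	if signedAt.Before(key.NotBefore) || signedAt.After(key.NotAfter) {
		return nil, errors.New("signing key is not valid at the requested signing time")
	}
	docHash := fmt.Sprintf("%x", sha256.Sum256(document))
	return &AuditRecord{
		Signer: signer, SignedAt: signedAt.UTC(), DocHash: docHash,
		Signature: ed25519.Sign(key.private, signedPayload(signer, docHash, signedAt)),
		PublicKey: key.Public, KeyNotBefore: key.NotBefore, KeyNotAfter: key.NotAfter,
	}, nil
}

// Verify re-hashes the archived document, checks the signature, and judges key validity at the embedded
// signing time, not at verification time: a signature made in 2026 still verifies in 2036 after the key expired.
func Verify(rec *AuditRecord, document []byte, now time.Time) error {
	if fmt.Sprintf("%x", sha256.Sum256(document)) != rec.DocHash {
		return errors.New("document hash mismatch: archived document was altered")
	}
	if len(rec.PublicKey) != ed25519.PublicKeySize {
		return errors.New("malformed public key in record")
	}
	if !ed25519.Verify(ed25519.PublicKey(rec.PublicKey), signedPayload(rec.Signer, rec.DocHash, rec.SignedAt), rec.Signature) {
		return errors.New("signature does not verify")
	}
	if rec.SignedAt.Before(rec.KeyNotBefore) || rec.SignedAt.After(rec.KeyNotAfter) {
		return errors.New("key was not valid at signing time")
	}
	if rec.SignedAt.After(now) {
		return errors.New("signing time lies in the future")
	}
	return nil
}

func main() {
	// Constructed sample: a residual-risk acceptance text and a key that expires in 2030.
	doc := []byte("Residual risk R-2026-007 accepted; residual risk level: medium.")
	key, err := NewSigningKey(time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC), time.Date(2030, 1, 1, 0, 0, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	rec, err := Sign(key, "ciso@example.org", doc, time.Date(2026, 3, 1, 9, 30, 0, 0, time.UTC))
	if err != nil {
		panic(err)
	}
	line, _ := json.Marshal(rec) // one JSON line for the append-only audit log
	fmt.Println(string(line))
	fmt.Println("verify in 2036:", Verify(rec, doc, time.Date(2036, 1, 1, 0, 0, 0, 0, time.UTC)))
	fmt.Println("verify altered:", Verify(rec, []byte(string(doc)+"!"), time.Now()))
}
```

The record survives a round trip through the JSON audit log unchanged, and any edit to the document, the signer, or the signing time breaks either the hash check or the signature. What the example deliberately does not do is trust the verifier's clock for the key status; in a real deployment the timestamp in the record must come from a trusted time-stamping authority, otherwise a signer could back-date a signature into the key's validity window.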

Integration with OnlyOffice for Collaborative Documents

Contracts are created collaboratively in OnlyOffice. SecTepe.Core enables signature workflows directly from OnlyOffice: finalize the document, place signature fields, send signature requests to the recipients. The audit trail contains all editing sessions, signature timestamps, and the final hash anchoring.

Compliance Mapping

  • eIDAS Regulation 910/2014: legal basis in the EU.
  • BSI TR-03114: technical guideline for trustworthy applications.
  • ISO 27001 A.5.34: requirements for data protection and protection of PII – electronic signatures are part of authenticity measures.
  • ISO 14533: long-term preservation of electronic signatures (LTV).

Realistic Trust Service Provider Choice

For QES, a qualified trust service provider (QTSP) is needed. In Germany, established options include: D-Trust, T-Systems Trust Center, Bundesdruckerei, Telesec. For AdES an internal CA setup often suffices, backed by OpenBao as CA manager. The choice depends on the desired evidence level and the recipient's expectation.

Conclusion

Digital signatures in 2026 are mandatory infrastructure, not a premium feature. A platform offering eIDAS and PGP/GPG together with central key management, OnlyOffice integration, and long-term validation completely eliminates the print-sign-scan workflow – and at the same time delivers an audit trail that satisfies any auditor.