Compliance · Article 11.2
eIDAS: what makes a Clozo signature legally binding in the EU
EU Regulation 910/2014 (eIDAS) defines three signature levels and gives each a clear legal weight. Clozo issues a Simple Electronic Signature (SES) under Art. 3(10), backed by a robust audit trail. For everyday freelance commercial work in the EU this is generally sufficient and enforceable; the audit trail does the evidentiary lifting that makes the signature defensible if challenged.
When your client clicks Sign, Clozo records a typed name, a PIN-gated email-possession check, the IP and User-Agent, and a server-side timestamp, then writes them to a SignatureAudit row alongside the rendered Service Agreement. The output is a Simple Electronic Signature under Article 3(10) of Regulation (EU) No 910/2014 (eIDAS) — not an Advanced Electronic Signature under Art. 3(11), and not a Qualified Electronic Signature under Art. 3(12). What makes it defensible is the audit trail, not the signature classification. Article 25(1) gives every electronic signature a legal floor: it cannot be denied legal effect or admissibility as evidence solely on the grounds that it is electronic. From there, the audit trail's quality determines how persuasive the evidence is in a specific dispute. This article walks through the three eIDAS levels, why Clozo deliberately ships SES (not AES) in v1, and what that means for everyday freelance contracts.
Why this works this way
The three eIDAS signature levels (all from Regulation (EU) No 910/2014):
| Level | Article | What it requires | Legal effect |
|---|---|---|---|
| Simple Electronic Signature (SES) | Art. 3(10) | "Data in electronic form which is attached to or logically associated with other electronic data and which is used by the signatory to sign" — typed name, ticked checkbox, PIN entry, click-to-sign | Art. 25(1): "shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements for qualified electronic signatures." Evidentiary weight comes from the surrounding audit trail. |
| Advanced Electronic Signature (AES) | Art. 3(11), Art. 26 | Four cumulative conditions: (a) uniquely linked to the signatory, (b) capable of identifying the signatory, (c) created using electronic signature creation data the signatory can use, with a high level of confidence, under their sole control, (d) linked to the data signed therewith in such a way that any subsequent change in the data is detectable | Same Art. 25(1) non-discrimination floor. AES on its own does not unlock Art. 25(2) — that's QES territory. The practical AES advantage is the integrity-detection (d) requirement, which presupposes a cryptographic seal binding signature to document. |
| Qualified Electronic Signature (QES) | Art. 3(12), Art. 28 | AES + a qualified certificate from a qualified Trust Service Provider on the EU Trust List + a qualified electronic signature creation device (QSCD, Art. 3(23), certified under Art. 30: typically a smart card or USB token, or a remote QSCD operated by the TSP) | Art. 25(2): "A qualified electronic signature shall have the equivalent legal effect of a handwritten signature." Art. 25(3): a QES based on a qualified certificate issued in one Member State shall be recognised as a QES in all other Member States. |
Why Clozo issues SES, not AES. [A-007] in our DECISIONS.md is explicit: "e-Signature: eIDAS SES (Simple Electronic Signature) — click-to-sign + email confirmation. Store IP + timestamp + email chain for 10 years." The running code matches: the SignatureAudit model in apps/proposals/models.py records signed_at, ip_address, user_agent, signer_name, signer_email, consent, and raw_event (full request headers as JSONB), but it does not compute or store a SHA-256 hash of the rendered PDF, and the signing path does not bind a cryptographic seal to the document content in a way that satisfies Art. 26(d). RFC 3161 trusted timestamping is on the [D-111] roadmap (Phase 4) but is not part of the v1 signing path. Calling the v1 product an Advanced Electronic Signature would be inaccurate, and it would hand the other side an easy challenge to the signature's classification if a freelancer ever had to defend it.
*What Clozo does capture, atomically at signing.*
1. Identity assertion — the typed signer name plus the email address that received the proposal must match the client record on file (signer_name, signer_email in SignatureAudit).
2. Possession proof — a 4-digit access code (PIN) was correctly entered before the signing surface unlocked, demonstrating access to the email inbox where it was delivered. Per the running code (HIGH-BE-002 hardening, audit 2026-04-28): on the public proposal endpoint, 5 incorrect PIN attempts within a sliding 1-hour window lock the proposal slug for 24 hours (a per-slug lockout, distinct from the per-IP rate limit of 10 requests/minute on the same endpoint). Successful PIN entry resets the failure counter. The amendment-PIN gate applies the same five-failures, 24-hour lockout on its own slug key. The lockout is what makes a 4-digit code workable: someone who already holds the proposal link gets at most five guesses per 24-hour window, a 0.05% chance against a uniformly random code, whereas an unthrottled endpoint would fall to at most 10,000 guesses.
3. Technical context — ip_address (GenericIPAddressField), user_agent string, and the full request headers in raw_event (JSONB), all written in one database transaction with signed_at.
4. Consent record — the consent field captures the signer's affirmative confirmation that they are authorised to bind the named party.
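The possession-proof gate from step 2, modelled as an added example. This is not Clozo's code: it implements the policy described above (five wrong PINs inside a sliding one-hour window lock the slug for 24 hours, a correct PIN clears the counter, the lock is keyed on the slug rather than the client IP) with in-memory dicts standing in for whatever shared store the real endpoint uses (an assumption). The per-IP rate limit is a separate control and is not modelled. Slug and PIN values are constructed sample data.

```python
"""Per-slug PIN lockout for a public proposal endpoint (added example, not Clozo's code)."""
import hmac
from collections import defaultdict, deque

WINDOW_SECONDS = 60 * 60          # sliding window in which failures are counted
MAX_FAILURES = 5                  # failures inside the window that trigger a lock
LOCK_SECONDS = 24 * 60 * 60       # lock duration, keyed on the proposal slug


class PinGate:
    def __init__(self, pins):
        self._pins = pins                       # slug -> expected 4-digit code (constructed)
        self._failures = defaultdict(deque)     # slug -> timestamps of recent failures
        self._locked_until = {}                 # slug -> time at which the lock expires

    def is_locked(self, slug, now):
        until = self._locked_until.get(slug)
        return until is not None and now < until

    def _prune(self, slug, now):
        # Drop failures that have aged out of the sliding window.
        recent = self._failures[slug]
        while recent and now - recent[0] >= WINDOW_SECONDS:
            recent.popleft()

    def check(self, slug, pin, now):
        """Return 'ok', 'wrong' or 'locked' for one PIN submission at time `now` (seconds)."""
        if self.is_locked(slug, now):
            # While locked, even the correct PIN is rejected. The caller should
            # surface the lock to the proposal owner rather than fail silently.
            return "locked"
        expected = self._pins.get(slug)
        # Constant-time comparison. An unknown slug is treated as a wrong PIN so
        # the endpoint does not reveal which slugs exist.
        if expected is not None and hmac.compare_digest(expected.encode(), pin.encode()):
            self._failures[slug].clear()        # success resets the failure counter
            return "ok"
        self._prune(slug, now)
        self._failures[slug].append(now)
        if len(self._failures[slug]) >= MAX_FAILURES:
            self._locked_until[slug] = now + LOCK_SECONDS
            self._failures[slug].clear()        # the lock replaces the counter
            return "locked"
        return "wrong"


if __name__ == "__main__":
    gate = PinGate({"prop-7f3k": "4821"})
    for t, pin in enumerate(["0000", "1111", "2222", "3333", "4444"]):
        print(t, gate.check("prop-7f3k", pin, t))   # four 'wrong', then 'locked'
    print(gate.check("prop-7f3k", "4821", 10))     # 'locked': correct PIN rejected during the lock
```

Because the lock is keyed on the slug, anyone holding the proposal link can lock the legitimate signer out for 24 hours with five bad guesses; that is the trade-off the separate per-IP limit softens, and it is why a lock event should be reported to the freelancer so the proposal can be re-sent rather than left stuck.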
Notice what is not in this list: there is no pdf_hash field, no hashlib.sha256 call in the signing code path, no qualified-trust-service-provider integration, no smart-card or hardware-token flow. These are the elements that would distinguish AES (Art. 26(d) tamper-evidence) and QES (Art. 28 qualified certificate) from SES, and Clozo deliberately does not ship them in v1. The Service Agreement PDF is rendered immutably to Cloudflare R2 (EU region) with a legal_hold flag, which provides storage-level integrity (the file cannot be overwritten or deleted within the retention window) — but that is not the same as a cryptographic signature-to-document binding under Art. 26(d).
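The missing Art. 26(d) property, shown in isolation as an added example. This is not Clozo's code and does not describe the v1 signing path: it hashes the rendered PDF bytes, stores the digest in the audit record, seals the record with a server-held key, and then checks that a change to either the document or the record is detectable. Field names follow the SignatureAudit model where they exist; pdf_sha256, seal and SEAL_KEY are assumptions, and the PDF bytes and audit values are constructed.

```python
"""Binding an audit record to the exact document bytes (added example, not Clozo's code)."""
import hashlib
import hmac
import json

# Server-held sealing key: an assumption for this example, not a Clozo secret.
SEAL_KEY = b"example-sealing-key-rotate-me"

# Constructed stand-in for a rendered Service Agreement PDF.
SAMPLE_PDF = b"%PDF-1.7\n% constructed stand-in for the rendered Service Agreement\n%%EOF\n"

# Constructed audit values; field names follow SignatureAudit, values are invented.
SAMPLE_AUDIT = {
    "signer_name": "Example Client",
    "signer_email": "client@example.com",
    "ip_address": "203.0.113.7",
    "user_agent": "Mozilla/5.0 (constructed)",
    "signed_at": "2026-05-01T10:15:00Z",
    "consent": True,
}


def canonical(record):
    """Deterministic byte encoding so the seal covers identical bytes when created and verified."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def bind_signature(pdf_bytes, audit, key=SEAL_KEY):
    """Return the audit record extended with the document digest and a seal over both."""
    record = dict(audit)
    record["pdf_sha256"] = hashlib.sha256(pdf_bytes).hexdigest()
    record["seal"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return record


def verify_binding(pdf_bytes, record, key=SEAL_KEY):
    """Return (ok, reason); edits to the record and edits to the document are both detected."""
    body = {k: v for k, v in record.items() if k != "seal"}
    expected_seal = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_seal, record.get("seal", "")):
        return False, "audit record altered"
    if not hmac.compare_digest(hashlib.sha256(pdf_bytes).hexdigest(), body.get("pdf_sha256", "")):
        return False, "document bytes differ from what was signed"
    return True, "ok"


if __name__ == "__main__":
    sealed = bind_signature(SAMPLE_PDF, SAMPLE_AUDIT)
    print(verify_binding(SAMPLE_PDF, sealed))                   # (True, 'ok')
    print(verify_binding(SAMPLE_PDF + b" ", sealed))            # document changed after signing
    edited = dict(sealed, signed_at="2026-05-02T10:15:00Z")
    print(verify_binding(SAMPLE_PDF, edited))                   # audit record edited
```

Storage-level immutability (the legal_hold flag) protects the object at rest but says nothing about whether the bytes you hold are the bytes the client saw; the digest inside the sealed record does. A server-held HMAC gives the detection property of Art. 26(d) but not the signatory's sole control under Art. 26(c), so on its own this still would not make the signature an AES; an RFC 3161 timestamp token over the same digest (the [D-111] roadmap item) would add independent time evidence.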
What this means in practice. Under Art. 25(1), a Clozo SES has the same legal-effect non-discrimination floor as any electronic signature: a court cannot reject it solely because it is electronic. Whether a court will treat it as sufficient evidence of contractual acceptance in a specific dispute depends on the underlying audit trail and on national civil law. For everyday freelance commercial work in DE / FR / ES / NL / PL / IT, courts generally accept a SES backed by a robust audit trail (typed name, email-possession PIN, IP, User-Agent, timestamp, consent record, retained 10 years) as sufficient evidence that a contract was accepted. The strict equivalence under eIDAS Art. 25(2) ("shall have the equivalent legal effect of a handwritten signature") applies only to QES, not to SES or AES on their own.
National pinpoint citations for the SES + audit trail evidentiary path:

- Germany: BGB §126 (written form), §126a (electronic form, which replaces written form only when signed with a QES), §126b (text form). For contracts not subject to a statutory form requirement, the principle of Formfreiheit (BGB §125 e contrario) applies; SES + audit trail is generally accepted as evidence of consensus. Sureties (BGB §766) and notarised acts (BGB §128; BGB §311b for real-estate transfers) require the formal channels, and Clozo's SES does not substitute for them.
- France: Code civil Art. 1366 (an electronic writing has the same probative force as paper provided the author can be duly identified and the document is established and preserved in conditions ensuring its integrity); Art. 1367 (an electronic signature consists of a reliable identification process guaranteeing its link to the act it accompanies; reliability is presumed for QES). A signature électronique simple is recognised, but the burden of proving reliability falls on the party invoking it, which is exactly where Clozo's audit trail does the work.
- Spain: Ley 6/2020 de servicios electrónicos de confianza (implementing eIDAS); Código Civil Art. 1261 (essential requirements of a contract: consent, object, cause). For consumer contracts, see also Real Decreto Legislativo 1/2007 Art. 102 (right of withdrawal in distance contracts), which sits alongside eIDAS rather than substituting for it.
- Netherlands: BW Art. 6:227a (electronic equivalence, the substantive form anchor for concluding a contract electronically under the Dutch implementation of eIDAS); Wetboek van Burgerlijke Rechtsvordering Art. 156 / 156a (evidentiary admissibility of digital documents). The substantive form anchor and the evidentiary anchor are separate provisions; Clozo's SES + audit trail relies on both.
- Poland: Kodeks cywilny Art. 78¹ (equivalence of electronic form to written form, which applies only to QES); Art. 60 KC (a declaration of will may be made by any conduct sufficient to express it). SES is not statutorily equivalent to written form in Poland; in practice, courts admit SES + audit trail as evidence of consensus under Art. 60. Procedural admissibility is governed by KPC Art. 308 (electronic documents).
- Italy: CAD (D.Lgs. 82/2005) Art. 20 (electronic documents have probative value freely assessed by the court, with stronger presumptions for higher signature levels) and Art. 21 (signature-level-specific evidentiary weight).
What QES is and when you actually need it. QES requires a qualified certificate issued by a Trust Service Provider on the EU Trust List (Bundesdruckerei in Germany, FNMT in Spain, Certinomis or Universign in France, ARSS in Italy, similar national TSPs elsewhere). Practically, you obtain a USB token or a smart card from the TSP, install their middleware, and the signing happens through that hardware. Cost is typically €50–200/year per signatory plus the cost of the device. Real-world QES use cases in member-state law:

- Notarised real-estate transfers (DE BGB §311b; these require a notarial deed, not just QES, but QES is part of the surrounding flow)
- Corporate-formation documents in DE/AT/FR (a specific subset of acts)
- Certain regulated financial-services products and life-insurance contracts
- Court submissions in IT/ES/PT, where the digital court systems require QES
- Public-sector contracts under Art. 27 eIDAS, where the receiving body explicitly requires AES or QES
Clozo does not issue QES. If your specific contract genuinely requires QES — a notary, an enterprise procurement office, or your legal counsel will tell you — the recommended pattern is: use Clozo as the commercial scoping layer (line items, payment terms, deposit invoice, audit trail of negotiation), and have the formal act executed via your national TSP using their qualified-signature device. The Clozo Service Agreement and SignatureAudit row sit alongside the QES-signed deed as supporting evidence of the commercial terms. (See Migrating a Clozo SES contract to a QES provider, planned for a future help-wiki article — the operational handoff is currently a counsel/notary conversation, not a Clozo feature.)
Cross-border recognition. Under Art. 25(3), a QES based on a qualified certificate issued in one Member State is recognised as a QES in all other Member States. SES does not benefit from this automatic cross-border recognition; it relies on the Art. 25(1) non-discrimination floor plus the local civil-law treatment of evidence. For cross-border B2B freelance work this is generally workable, because the parties can choose the governing law of the contract (Rome I) and the forum (Brussels I bis), with Rome II governing any non-contractual claims, and the audit trail travels with the SignatureAudit row regardless of which national court hears the dispute.
Right to erasure and 10-year retention. Right-to-erasure requests under GDPR Art. 17 are honoured within the bounds of Art. 17(3)(b): retention is required for compliance with a legal obligation (eIDAS audit retention guidance; §147 AO with the GoBD in Germany; AWR Art. 52 in the Netherlands; LPF Art. L102 B in France; Codice Civile Art. 2220 in Italy; plus tax-document retention rules across the EU). The signed Service Agreement, the SignatureAudit row, and the original PDF render are stored on Cloudflare R2 (EU region) with the legal_hold flag, which prevents deletion within the retention window even by Clozo administrators. After 10 years the retention obligation expires and the data becomes deletable on request; see article 11.4 for the country-by-country retention table.
Keep reading

- Proposals & Invoices: The three documents: Proposal, Service Agreement, and the signed PDF. A signed Clozo proposal produces three legal artefacts: the Proposal PDF (the offer), the Service Agreement (the binding contract), and a stored audit trail. Each plays a different legal role under EU contract law and eIDAS Reg. 910/2014.
- Proposals & Invoices: The e-signature flow — what happens when your client clicks Sign. A single click triggers a four-part evidence capture, generates the Service Agreement, fires confirmation emails, and queues the deposit invoice, all in one atomic transaction under 200 ms.
- Lifecycle: Status: Signed — legally binding, audit trail captured. The client clicked Sign. Clozo collects an eIDAS-compliant evidence stack, generates the signed Service Agreement PDF, fires confirmation emails to both parties, and queues the deposit invoice. The proposal is now a contract.
- Compliance: 10-year retention: GoBD §147 AO and its EU equivalents. Tax-relevant documents (invoices, receipts, signed agreements, payment records) must be available to a tax-office inspector for ten years. Clozo enforces this server-side across every EU jurisdiction.