The eIDAS regulation (EU 910/2014) defines three tiers of electronic signature. Picking the right one is mostly about evidentiary weight and downstream verification: the higher tiers carry more legal presumption at the cost of additional setup. tawqi3 presents all three through a single, consistent envelope experience.
The three tiers in one table
| Tier | What it is | How signer identity is established | Typical legal effect |
|---|---|---|---|
| SES: Simple Electronic Signature | Recorded intent to sign, with a tamper-evident hash of the document | Email or SMS one-time code | Admissible; weight depends on the surrounding evidence |
| AES: Advanced Electronic Signature | A signature uniquely linked to the signer and the document | Identity verified at enrolment using identity documents or video verification | Strong presumption of authorship within the EU |
| QES: Qualified Electronic Signature | An advanced signature backed by a Qualified Trust Service Provider | A qualified certificate issued by a provider on the EU Trusted List | Equivalent to a handwritten signature under eIDAS |
How tawqi3 presents the choice
When you create an envelope, you choose the tier you want. If your tenant has not yet been provisioned for a particular tier (typically QES, which requires a Qualified Trust Service Provider integration), the request is rejected with a clear message explaining what you need to enable.
Signed PDFs and long-term validity
For tiers that produce a signed PDF, tawqi3 produces a PAdES-baseline signature. The validity ladder is:
- B-B: a basic signature, sufficient at the time of signing.
- B-T: adds a trusted timestamp so the signing time is independently anchored.
- B-LT: adds revocation information into the document so the signature stays verifiable offline.
- B-LTA: adds long-term anchoring so the signature remains verifiable years later.
The right rung of this ladder depends on how long you need the signed PDF to remain verifiable without re-contacting tawqi3.
The evidence bundle
Regardless of tier, every completed envelope produces a single archive containing the signed documents, the signed audit log, inclusion proofs for every signing event, signed metadata, and any timestamp tokens. This archive is court-presentable on its own; a third party can validate it without needing tawqi3 in the loop.
Which tier should you start with?
Most internal use cases (offer letters, internal NDAs, vendor renewals) are well served by SES. Public-facing agreements with regulated counterparties usually want AES. QES becomes necessary when you need the strongest possible presumption in an EU court, for example, in real-estate transfers or notarial-equivalent acts. The envelope schema is the same across all three tiers, so you can upgrade later without rebuilding your workflow.
title: SES, AES, QES, the signing-tier ladder description: What each signature tier provides, when to use it, and how tawqi3 represents the upgrade path in our APIs. category: Products updated: 2026-05-15 readMinutes: 7 order: 2
eIDAS Regulation (EU) 910/2014 defines three signature tiers. Picking the right one is mostly about evidentiary weight and downstream verification, the higher tiers carry more legal presumption at the cost of operator setup. tawqi3 surfaces all three behind a single envelope API.
The three tiers in one table
| Tier | Cryptographic mechanism | Identity-assurance source | Typical legal effect |
|---|---|---|---|
| SES: Simple Electronic Signature | Recorded intent (click-to-sign) + integrity hash of the artifact | Email or SMS one-time code | Admissible; weight depends on supporting evidence |
| AES: Advanced Electronic Signature | Per-signer asymmetric keypair; signature uniquely linked to the signer | Identity verified at enrollment (KYC documents, video-id) | Strong presumption of authorship within the EU |
| QES: Qualified Electronic Signature | Same as AES, with the keypair held in a Qualified Signature Creation Device (QSCD) at a Qualified Trust Service Provider (QTSP) listed on the EU Trusted List (EUTL) | QTSP-issued qualified certificate | Equivalent to a handwritten signature under eIDAS Article 25(2) |
How tawqi3 represents the choice
An envelope’s signature_tier is a typed enum: ses, aes, qes. The API rejects unknown values at request time. When you request a tier the deployment does not have a configured backend for, typically qes before a real QTSP integration is wired, the agreement service returns a structured tier_not_supported error with an EUTL-QTSP advisory string so your client can render the right call-to-action.
PAdES baseline
For tiers that emit a signed PDF (AES and QES), tawqi3 produces a PAdES-baseline signature using EU DSS 6.4. The roadmap upgrade path is:
- PAdES B-B: basic signature, currently shipping.
- PAdES B-T: adds an RFC 3161 timestamp from a configured TSA; lights up once the operator wires a real TSA endpoint.
- PAdES B-LT: adds OCSP/CRL information embedded in the document so signatures stay verifiable offline.
- PAdES B-LTA: adds a timestamp-of-timestamp so the LT data itself remains anchored to an EUTL trust point years later.
The signing engine is the same Kotlin process for every tier; each step lights up as the dependent infrastructure (TSA, OCSP source, EUTL-listed QTSP) is configured.
Evidence bundle
Regardless of tier, every completed envelope produces an ASiC-E ZIP carrying the signed PDFs, the signed audit log (XAdES), per-event Merkle inclusion proofs, signed metadata JSON, and (where applicable) TSA tokens. This is the artefact you would hand to a court or an external validator like EU DSS standalone. It is court-presentable without tawqi3’s involvement.
Which tier should you start with?
Most internal-use cases (offer letters, internal NDAs, vendor renewals) are well served by SES. Public-facing agreements with regulated counterparties tend to want AES. QES is necessary only when you need the strongest possible presumption in an EU court, for example, real-estate transfers or notarial-equivalent acts. You can always upgrade later: the same envelope schema carries every tier.