SES, AES, or QES for preoperative counseling—which eIDAS level is legally compliant? An objective assessment for hospitals in the DACH region.

Anyone evaluating the digitization of Patient Education forms in a hospital today cannot avoid one question: Which level of electronic signature ( e-signature) is legally sufficient—and which represents an unnecessary burden? The answer determines whether a QES rollout with qualified identification of each patient is necessary, or whether an advanced electronic signature meets the legal requirements.

This article is intended for administrative directors, data protection officers, and senior physicians who want to make an informed decision—without being pressured by vendors into an unnecessarily complex solution, but also without underestimating the legal risks. The fundamentals of the legal requirements for Patient Education in the DACH region serve as the essential starting point.

What the eIDAS Regulation Requires: The Three Levels of Electronic Signatures

The European Regulation on Electronic Identification and Trust Services (eIDAS, EU No. 910/2014) defines three levels of electronic signatures. These apply uniformly throughout the EU single market—including for hospitals in the DACH region.

Simple Electronic Signature (EES): The lowest level. This includes anything that digitally represents an expression of intent: a typed name at the end of an email, a scanned image of a signature, or a click on “I agree.” Its evidentiary value is limited—EES merely proves that an action took place, but not necessarily by whom or under what circumstances.

Advanced Electronic Signature (AES): This level is uniquely associated with the signatory and is tamper-proof and linked to the signed document. Any subsequent alteration to the document is detectable. No qualified certificates or government-approved trust service providers are required to create an AES—but technical procedures that ensure identification and binding are necessary.

Qualified Electronic Signature (QES): The highest level. It is based on a qualified certificate issued by a recognized Trust Service Provider (TSP) and requires reliable identification of the signatory. According to Article 25(2) of eIDAS, the QES is legally equivalent to a handwritten signature—which, in some areas of law, constitutes the only legally secure basis.

These three levels are often used interchangeably in product descriptions within the industry. What exactly each one means—and what implications this has for preoperative counseling—is therefore a question that every hospital must address specifically.

What Medical Law Requires: The Duty to Inform and Informed Consent Are Not the Same Thing

This is a critical flaw in many evaluation processes. The requirements regarding the duty to provide information and the requirements regarding the format of the information document are two separate issues.

In Germany, Sections 630c–630e of the German Civil Code (BGB) govern the physician’s duty to provide informed consent. Section 630e(1) of the BGB requires comprehensive, understandable, and timely disclosure—verbally, in a face-to-face conversation. Section 630e(2) requires that documents be provided in a timely manner. However, the law does not explicitly prescribe the specific level of electronic signature that must be applied to the informed consent form.

The information sheet—known in the digital world as the Informed Consent Sheet (IC Sheet)—serves primarily as a supporting document: In the event of a dispute, it is intended to prove that an informed consent process took place, that the patient had the opportunity to ask questions, and that consent was given voluntarily and in an informed manner. This evidentiary function is crucial: The goal is not the signature itself, but rather the legally admissible documentation of the informed consent process.

In Austria, the situation is structurally similar: Section 173 of the ABGB and Section 51 of the ÄrzteG 1998 establish the duty to provide informed consent, but likewise do not require explicit signatures on informed consent forms. Those who wish to examine the Austrian legal situation in detail will find a comprehensive overview in the article on the legal framework for informed consent in Austria.

Where QES Is Truly Mandatory — and Where FES Is Sufficient

The question, therefore, is not a simple yes-or-no decision, but rather depends on the context. An honest assessment looks like this:

FES is generally sufficient for standard preoperative consent if it is embedded in a consistent, traceable documentation system. An FES uniquely identifies the signatory, protects the document from tampering, and generates a verifiable timestamp for the signature. German and Austrian courts have accepted digitally signed documents at the FES level as evidence in medical malpractice proceedings. The decisive factor here is not the signature level in isolation, but the overall quality of the documentation—more on that in a moment.

QES is the right tool in specific contexts, namely:

  • For clinical trials subject to the German Medicines Act (AMG) or the Medical Devices Act Implementation Act (MPDG). In these cases, ethics committees are increasingly recommending QES for consent documentation because the legal framework is more stringent and subsequent international recognition (e.g., FDA requirements) may be a factor.
  • If the company’s internal compliance policy or the liability insurer explicitly requires QES. Some insurance policies specify minimum documentation requirements—this should be verified before selecting a system.
  • If a clinic seeks maximum legal protection beyond what is required by law and is able to accept the additional operational costs (identification procedures, TSP integration, patient experience).

EES alone is generally not sufficient in medical-legal contexts. A single click or a scanned image does not provide reliable personal identification or protection against tampering. Anyone who uses EES exposes themselves to a significant risk regarding evidence in the event of a dispute.

The article “Informed Consent 2026: Current Legal Situation” provides an up-to-date overview of legal developments for 2026.

Fingerprint authentication on the iPad: often underestimated

In many hospitals, this has become standard practice: Patients sign the informed consent form by placing their finger on a tablet. This seems more digital and modern than paper—yet in most implementations, it legally amounts to nothing more than a simple electronic signature (EES). The result is a bitmap image of the signature that is neither cryptographically bound to the document nor reliably verifies who created it. Any person could have signed on that device at that moment—which is precisely the legal definition of an EES under Article 3(10) of eIDAS.

An important distinction: Some solutions also capture biometric signature data—pressure, speed, pen stroke, and timestamp—during the signing process and embed this data in the document in encrypted form. If, at the same time, the identity of the person signing has been verified—for example, through patient identification at registration—this may fall under the FES category. However, this is a technical implementation issue, not a given—and many of the tablet solutions used in German and Austrian hospitals do not meet these requirements, or only partially so.

For clinics that have already made the switch to tablets, it is therefore worth taking a critical look: What does the solution they are using actually offer from a technical standpoint? In the event of a dispute, an electronic electronic signature (EES) on a digital document without a complete consent trail is not necessarily better than a signature on paper.

The key factor that is often overlooked: the consent trail

Hospitals that focus exclusively on signature levels are addressing only a small part of the legal risk. Far more critical to the reliability of evidence in the event of a liability claim is the question: Can the hospital provide complete documentation of what patients received, saw, and understood, and when?

This is precisely where the structural disadvantage of paper-based processes lies—and a key advantage of fully digital consent processes. A consent trail—the complete, audit-proof documentation of the entire consent process—captures not only the final signature, but also:

  • what information was provided to the patient and at what point in time,
  • whether and to what extent educational videos were played,
  • which passages were revisited in the review sheet,
  • what questions were asked,
  • when and under what technical conditions consent was given.

This comprehensive documentation significantly shifts the burden of proof in the event of a dispute. The “he-said, she-said” problem—a common starting point for liability lawsuits in the era of analog informed consent forms—is structurally addressed by a seamless consent trail. Clinics that still use analog informed consent forms today simply cannot provide this evidence.

For more information on what this documentation looks like in everyday clinical practice, read the article “Digital Informed Consent in Practice: Greater Legal Certainty, Less Time Pressure.”

How medudoc supports all three levels—without pushing clinics in one direction

medudoc does not make decisions regarding eIDAS levels for hospitals—because this decision belongs in the hands of legal and compliance departments, not those of a software provider. What medudoc does is provide technical support for all three eIDAS levels and make it possible to configure the appropriate level for each clinic, department, or procedure category.

Specifically, this means:

The digitally generated Informed Consent Sheet (IC Sheet)—the patient-specific consent document generated based on medical history and procedure data—can be signed using EES, FES, or QES, depending on the configuration. Implementing a QES requires integration with a recognized trust service provider and corresponding identification steps; medudoc provides the technical interface for this without acting as a TSP itself.

Regardless of the selected signature level, medudoc documents the complete consent trail: viewing history, timestamps, questions asked, and the final signature are archived in an audit-proof manner. The IC Sheet itself is saved as a PDF/A document—a long-term archiving format that will still be readable and legally admissible 15 years from now.

Doctors can also digitally annotate the IC Sheet before signing it—for example, to document case-specific details or deviations from standard informed consent content. This combination of signature, consent trail, and digital annotation captures what actually matters in court and during reviews by data protection officers.

You can find technical details about the platform and the supported integration options on the Patient Education Platform and in the overview of digital information forms.

Practical Guidance: What Hospitals Should Be Reviewing Now

Based on the legal situation outlined above, four specific steps can be identified for hospitals to follow—although this article cannot and is not intended to replace individual legal advice:

1. Determine which procedure categories in your hospital result in which requirements. Clinical trials (AMG/MPDG), high-risk procedures, and routine surgeries have different compliance profiles. A one-size-fits-all decision for the entire hospital can rarely meet these varied requirements.

2. Clarify the requirements of your liability insurance provider. Whether it’s HDI, Allianz, or another provider—insurance policies may contain minimum documentation requirements that effectively mandate a specific signature level.

3. Involve your legal department or a lawyer specializing in medical law early in the evaluation process. The decision on the signature level is not an IT decision—it is a legal and corporate policy decision.

4. Prioritize the quality of the overall documentation over the choice of signature level. An FES in a fully documented, seamless consent trail is more legally secure than a QES in a fragmented process with no evidence of what patients actually received and saw.

Conclusion

The question of EES, FES, or QES is legitimate and important—but it is not the only question, nor is it the most critical one, when evaluating digital consent systems. Medical law does not explicitly prescribe a signature level for standard preoperative informed consent. FES is legally defensible for most routine clinical processes if it is embedded in a consistent, traceable documentation system. QES is the right tool in specific regulatory contexts and offers the highest legal equivalence to a handwritten signature.

What has the greatest impact on legal certainty in practice is the quality of the overall process: Was the matter clarified? How? When? Can this be documented—regardless of the signature procedure?

Digital informed consent platforms that maintain a complete record of this process address the liability risk at its source. Hospitals that still rely on paper-based informed consent processes should be less concerned with signature levels and more concerned with the fundamental legal certainty of their current practices.

If you’d like to learn more about how the fully digital consent process works in practice and which configuration would be best for your clinic, you can request a demo.


Note: This article does not constitute legal advice and is not a substitute for consulting lawyers specializing in medical law or your institution’s designated data protection officer. The legal analysis was prepared to the best of our knowledge as of the date of publication (June 2026); legislation and case law are subject to change.

Similar Posts