English 
French 
FAQ: Qualified Electronic Archiving and Preservation (QeA / QPres)
Qualified Electronic Archiving (QeA) is the eIDAS-defined trust service approach for preserving electronic records defensibly over long retention periods, with verifiable controls, evidence mechanisms, and clear governance.
This FAQ is for regulated organisations (and their auditors, inspectors and procurement teams) that need evidence-ready preservation for records such as signed contracts, eTMF files, financial records, and regulated business archives. Answers reference Docbyte Vault capabilities where relevant.
For the commercial solution overview, see Docbyte qualified electronic archiving. For signed or sealed records, also see preservation of digital signatures and seals.
Foundational Questions
What is Qualified Electronic Archiving (QeA) under eIDAS?
QeA is a trust service concept under Regulation (EU) No 910/2014 (eIDAS), specifically addressed in Article 34 on qualified preservation services for qualified electronic signatures. In practice, QeA is a standards-based approach to preserve electronic records with verifiable integrity, authenticity, governance and long-term usability. Records remain defensible in audits, disputes and regulatory inspections over decades.
What is the difference between QeA and regular electronic archiving?
Regular archiving typically focuses on storage and retrieval. QeA adds controlled ingest and provenance, evidence mechanisms (integrity checks, evidence records, timestamps), governance (retention, legal hold, defensible deletion), audit trails, and preservation planning for long-term usability. QeA aligns with eIDAS, ETSI TS 119 511/512, CEN TS 18170, and OAIS (ISO 14721). Regular archiving typically does not.
What is CEN TS 18170 and why does it matter?
CEN TS 18170 is the European technical specification providing requirements and guidance for electronic archiving systems. It addresses the functional, technical and organisational requirements for systems designed to preserve electronic records with evidential and compliance value. For European organisations procuring or assessing archiving solutions, CEN TS 18170 provides a common baseline alongside the eIDAS trust services framework.
Which ETSI standards apply to qualified archiving?
The core ETSI standards are: ETSI TS 119 511 (policy and security requirements for TSPs providing long-term preservation of digital signatures or general data) and ETSI TS 119 512 (protocols for long-term data preservation services). ETSI also defines long-term archive signature formats (CAdES-LTA (ETSI EN 319 122), XAdES-LTA (ETSI EN 319 132), PAdES-LTA, and ASiC-LTA (ETSI EN 319 162)). These are electronic signature container formats that can embed validation data inside the signed file itself, and they form part of the broader standards ecosystem alongside Docbyte’s evidence record approach.
What is OAIS (ISO 14721) and how does it relate to QeA?
OAIS (Open Archival Information System, ISO 14721) is the reference model for digital preservation systems. It defines SIP/AIP/DIP packaging, preservation planning, the designated community concept, and the functional responsibilities of an archive. QeA builds on OAIS concepts. A QeA-capable archive is essentially an OAIS-compliant system with additional trust service controls for evidence, timestamps, and governance required by eIDAS.
Technical Questions
What is Qualified Preservation (QPres) and when is it needed?
QPres is the evidence and renewal layer needed when records carry electronic signatures or electronic seals and long-term verifiability is required. QeA provides the archiving framework; QPres specifically addresses how to extend the validity of the evidence and the validation report. At ingest, QPres captures the validation state of the signature or seal: the certificate chain, revocation status (OCSP), and a qualified timestamp. This evidence record is stored alongside the archived record. Before algorithms or certificates risk expiry, QPres renews the evidence chain proactively, extending its validity without altering the original signed record.
What happens when certificates expire?
Without evidence records, a signed record may become unverifiable after its certificate expires. A QPres approach captures validation evidence (certificate chains, OCSP responses, qualified timestamps) at a point when everything is still valid, stores this evidence alongside the archived record as a validation report and evidence record, and renews the evidence chain before it risks expiry. This maintains an unbroken chain of trust across the full retention period.
Are electronic signatures and seals "safe" if I just store the PDF?
Storing the PDF safely is necessary but not sufficient. Over time: certificates expire, cryptographic algorithms are deprecated, missing context or incomplete evidence weakens what you can prove. QPres addresses all of these by preserving the evidence needed for future validation, not just the file bytes. The distinction is critical for regulated records with long retention periods.
What are evidence records and why are they important?
Evidence records are structured packages capturing the validation state of a signed/sealed record at a specific point in time: the certificate chain, revocation status (OCSP/CRL), qualified timestamps, and signature validation outcome. They are embedded in long-term archive formats or stored alongside the record. Without evidence records, future validation depends on whether the original infrastructure (certificate authorities, OCSP services) is still accessible. This may not be the case after 10 to 25 years.
What is the difference between digital preservation and QeA?
Digital preservation (OAIS) focuses on long-term usability and integrity: keeping records readable, authentic and accessible over time, including format migration and fixity monitoring. QeA adds the trust service layer: evidence records, qualified timestamps, eIDAS-aligned controls, and CEN TS 18170-compliant governance. For records without electronic signatures, digital preservation alone may be sufficient. For records with signatures/seals, QeA/QPres adds the legally defensible evidence layer.
Governance and Compliance Questions
How does QeA relate to GDPR?
GDPR and QeA address complementary obligations. GDPR requires lawful basis for retention, data minimisation, purpose limitation, and the right to erasure. QeA provides the controls for defensible retention and defensible deletion: demonstrating that records were kept for the right duration, under the right policy, with the right approvals, and deleted when no longer required. A qualified archive must support both obligations.
How do retention and legal holds work in a qualified archive?
Retention rules are policy-based and enforced consistently across record types. Legal holds allow suspension of deletion when records are subject to investigation, dispute or litigation, with full traceability of hold decisions, who applied them, and when they were lifted. Defensible deletion means you can prove what was deleted, when, by whom, under which policy, and with which approvals.
Which sector-specific regulations require QeA or equivalent archiving?
Key regulations include: MiFID II / MiFIR (financial records up to 7 years), DORA (ICT record management), ICH E6 R2/R3 and FDA 21 CFR Part 11 (clinical records up to 25 years, ALCOA+ requirements), EU Annex 11 / GxP (electronic records in regulated manufacturing), GDPR (lawful retention and erasure), and national archiving legislation (including the Belgian e-Archive Act). The exact controls required depend on the regulation, jurisdiction and use case.
How does QeA apply to life sciences records (eTMF, GxP)?
Life sciences records (Trial Master Files, batch records, validation documentation, lab notebooks) must meet ALCOA+ principles (Attributable, Legible, Contemporaneous, Original, Accurate) and remain retrievable and verifiable for 25 years or more. QeA provides the framework for archiving these records with complete context, integrity evidence, and audit trails. QPres is relevant where records carry electronic signatures or seals under FDA 21 CFR Part 11 or EU Annex 11.
Practical Questions
Does QeA guarantee legal admissibility in court?
QeA supports the strongest achievable legal defensibility position by providing verifiable controls, evidence records, chain-of-custody documentation, and audit trails aligned with eIDAS, ETSI, CEN TS 18170 and applicable standards. Exact legal effects depend on jurisdiction, use case, and how evidence is assessed in the relevant legal context. Docbyte designs for defensibility, not absolute admissibility guarantees. No provider can guarantee those.
Which record types benefit most from QeA?
Records with long retention periods, evidential requirements, or electronic signatures/seals: contracts and addenda, invoices and financial records, HR and employment files, insurance claims and underwriting files, public sector decisions and permits, clinical trial records (eTMF), heritage collections, application retirement archives, and any record used to demonstrate regulatory compliance.
Can we export data for audits, migrations or vendor transitions?
Yes. Standards-based packaging (E-ARK SIP/AIP/DIP) and export capabilities allow controlled retrieval of records with their full context, metadata and evidence packages. This supports audit response, eDiscovery, and reduces vendor lock-in risk. A qualified archive should not create data hostage situations.
How do auditors and regulators access archived records?
Through controlled, read-only access with role-based permissions, purpose limitation, time-bound credentials where needed, and full audit logs. External-facing access models allow regulators, inspectors and external auditors to review records without accessing operational systems or internal infrastructure.
Is QeA relevant outside the EU?
The eIDAS framing is EU-specific, but the underlying controls (integrity, authenticity, auditability, long-term usability) are globally recognised. OAIS (ISO 14721), ISO 14641, PREMIS and E-ARK are internationally used standards. For organisations with global operations, QeA provides the EU compliance layer while the OAIS-based architecture serves broader international preservation requirements.
Next step
If you want to map QeA and QPres controls to your specific record types, retention obligations and regulatory context, request a short session with a Docbyte specialist. Docbyte Vault is designed as an OAIS-aligned, eIDAS-capable preservation lifecycle, not a storage layer.