Updated juli 7, 2026
Summary: Classical RSA and ECDSA signatures on long-retention documents will lose legal evidential weight once a cryptographically relevant quantum computer exists. Organisations must layer quantum-safe timestamps and evidence records over those archives now, using ETSI EN 319 102-2, ML-DSA or SLH-DSA, and sovereign archival infrastructure under their own operational control.

Long-term signature validity re-signing is the process of applying fresh, algorithm-agile cryptographic timestamps to previously signed documents before their original signature algorithms become cryptographically weak, ensuring that the legal evidential weight of those documents survives into a post-quantum world. For regulated organisations holding archives that span decades, this is not a theoretical concern: it is an active compliance obligation whose clock is already running.

The scope of the problem: which document categories are at risk

The classical RSA and ECDSA signatures that protect most long-retention archives today rely on mathematical problems that a cryptographically relevant quantum computer running Shor’s algorithm can solve efficiently. The categories most exposed are precisely those where retention periods are longest and legal weight is most consequential.

Court filings and notarial records often carry retention periods of 30 to 75 years under national procedural law. A qualified electronic signature applied in 2020 using RSA-2048 may be indistinguishable from a forgery by 2035 if quantum hardware develops on current trajectories. Land registry records and property deeds are indefinitely retained in most EU member states. Financial audit trails under Directive 2014/65/EU (MiFID II) require preservation for at least five to seven years, but many institutions retain them for longer. Medical records in Germany must be kept for ten years under the Musterberufsordnung für Ärzte, and up to thirty years for certain surgical records. Pharmaceutical batch release certificates under EU GMP Annex 11 must be retained for at least one year beyond the batch expiry date, with many products carrying shelf lives and post-market obligations that extend well past a decade.

Key deadline pressure: NIST estimates that a cryptographically relevant quantum computer capable of breaking RSA-2048 could exist within 10 to 15 years (NIST IR 8547, 2024). Any document with a retention period that extends into that window is at risk if its classical signature is not renewed beforehand.

The legal framework: eIDAS 2.0, ETSI EN 319 162 and GDPR Article 5(1)(e)

The regulatory obligation to act is concrete, not aspirational. eIDAS 2.0, Regulation (EU) 2024/1183, introduces qualified preservation services in Articles 34 and 35 and explicitly requires that the trust service provider apply renewal procedures before the cryptographic algorithms protecting a signature become weak. ETSI EN 319 162, the technical specification for long-term preservation of qualified signatures and seals, operationalises this requirement by mandating algorithm monitoring and triggered re-timestamping workflows.

GDPR Article 5(1)(e) adds a second compliance dimension: the storage limitation principle requires that personal data be kept in a form that permits identification no longer than necessary. Where a document’s integrity cannot be demonstrated because its signature is cryptographically broken, the data controller’s ability to demonstrate accountability under Article 5(2) collapses. A broken signature on a medical record is not simply a technical defect: it becomes a provability gap in the controller’s compliance posture.

The average cost of a data breach reached USD 4.88 million in 2024, with healthcare and finance consistently reporting the highest per-record costs (IBM Cost of a Data Breach Report, 2024). Regulatory fines and litigation costs arising from the inability to produce legally valid records compound that figure significantly.

How evidence records make archival validity perpetual

The mechanism that enables perpetual archival validity without altering original documents is the Evidence Record Syntax (ERS), defined in RFC 4998 and extended for XML environments in RFC 6283. ETSI EN 319 102-2 adopts ERS as the basis for its evidence-record standard and integrates it into the AdES (Advanced Electronic Signature) long-term validation profile.

The core principle is a renewable archive timestamp chain. The original document and its classical signature are hashed into a Merkle hash tree. An RFC 3161 trusted timestamp is applied to the root of that tree, establishing a point-in-time proof of existence. Before the hash algorithm or the timestamp’s signature algorithm is deprecated, a new archive timestamp is layered over the entire previous structure, including the earlier timestamp. This creates a chain in which each link vouches for the integrity of everything beneath it. The original document bytes are never modified.

Technical distinction: Re-signing replaces or augments the document’s own signature. Re-timestamping via an ERS archive timestamp chain is different: it preserves the original signature as historical evidence and adds quantum-safe proof of integrity on top. For legal purposes, the original signature remains admissible; the evidence record extends the period during which that admissibility can be demonstrated.

RFC 3161 and post-quantum migration

RFC 3161 timestamps are themselves signed by the issuing Timestamp Authority using whatever algorithm that authority supports. A classical RFC 3161 timestamp issued today using RSA-2048 is therefore itself quantum-vulnerable. The transition path is to issue new archive timestamps using a Timestamp Authority that signs with FIPS 204 ML-DSA (formerly CRYSTALS-Dilithium) or FIPS 205 SLH-DSA (formerly SPHINCS+). IETF work in the LAMPS working group is actively addressing hybrid timestamping, where a counter-signature using a post-quantum algorithm accompanies the classical timestamp during the transition window, providing assurance under both the classical and quantum threat models simultaneously.

As NIST’s Computer Security Division has stated: “The transition to post-quantum algorithms is not just a future problem. Harvest-now-decrypt-later attacks mean that long-lived data signed or encrypted today is already at risk.” (NIST Post-Quantum Cryptography project)

Choosing the right post-quantum algorithm for re-timestamping

Algorithm Standard Security basis Signature size Best use case in archival
ML-DSA FIPS 204 Module lattice (MLWE/MSIS) ~2.4 to 4.6 KB depending on security level High-volume bulk re-timestamping; primary algorithm for TSA signing
SLH-DSA FIPS 205 Hash functions only ~8 to 50 KB depending on parameter set Secondary or diversity hedge; critical records requiring security assumption independence

For operational deployments, ML-DSA is the practical default: its verification is fast, and its signature sizes are manageable in archive systems that may hold millions of documents. SLH-DSA is valuable precisely because its security rests entirely on the collision resistance of hash functions, which quantum computers do not break in the same way as lattice or factoring problems. ENISA has noted that “organisations should assume that any data encrypted or signed today using RSA or ECDSA could be exposed once a sufficiently powerful quantum computer becomes available. The time to act is before retention periods outlast algorithm security.”

Designing sovereign on-premises re-timestamping infrastructure

Automation is non-negotiable at scale. A hospital holding ten million signed records cannot re-timestamp manually. The architecture should separate the policy engine from the cryptographic execution layer. A policy engine monitors each document’s archive timestamp chain, calculates the remaining validity margin based on the algorithm’s projected deprecation date, and triggers re-timestamping jobs at configurable intervals well before that margin expires, typically with a safety buffer of two to three years.

The cryptographic execution layer should call ML-DSA or SLH-DSA signing operations through a Hardware Security Module (HSM) that has been validated for post-quantum algorithm support. The HSM enforces that private keys are never exposed to the application layer and provides a tamper-evident audit log of every signing operation. This is critical for demonstrating to auditors that re-timestamping was performed under controlled conditions.

The infrastructure must operate without production downtime. The correct pattern is to run re-timestamping as an asynchronous background process against a read-only snapshot or replica of the archive, then write the updated evidence records back to the primary store during a low-traffic window. The original documents are never locked or modified during this process.

Procurement criteria for LTA-qualified archival systems

When evaluating long-term archival platforms that must execute a PQC re-signing programme under the organisation’s own operational control, the following criteria separate capable systems from inadequate ones.

Algorithm agility: The system must allow the signing algorithm used for archive timestamps to be changed without rebuilding the archive. This is non-negotiable given that algorithm recommendations will evolve. Sovereign HSM integration: The system must support on-premises HSMs rather than cloud-hosted key management services under foreign jurisdiction. US-controlled key management services remain subject to CLOUD Act compulsion even when the archived data itself is stored locally. ERS compliance: The system must generate archive timestamp chains conforming to RFC 4998, RFC 6283 and ETSI EN 319 102-2, not proprietary structures that cannot be validated by independent parties. Qualified preservation alignment: For EU regulated organisations, the system or its integration layer must support the workflows required to qualify under eIDAS 2.0 Articles 34 and 35 and ETSI EN 319 162. Audit log integrity: Every re-timestamping operation must be recorded in a tamper-evident, independently verifiable log, supporting NIS-2 incident documentation and DORA operational resilience reporting. Jurisdiction of trust services: Any external Timestamp Authority used must operate under a jurisdiction whose legal framework does not permit extraterritorial compulsion by foreign intelligence agencies. Swiss-hosted TSAs operating under the revised Swiss Federal Act on Data Protection offer one such alternative for European organisations.

The IBM Cost of a Data Breach Report 2024 recorded an average breach cost of USD 4.88 million. For organisations that cannot produce legally valid archive records because their re-signing programme failed, the litigation and regulatory exposure on top of that figure can be substantially larger, particularly where medical or financial records are at stake.

FAQ

Why do existing RSA and ECDSA signatures on archived documents face a specific quantum threat, even if the documents are not currently in active use?

A cryptographically relevant quantum computer running Shor’s algorithm can factor the large integers and solve the elliptic-curve discrete logarithm problems that underpin RSA and ECDSA. Once that threshold is crossed, any archived signature can be retroactively forged or invalidated, stripping court filings, audit trails and medical records of their legal evidential weight regardless of when they were originally signed.

Does adding an evidence record alter or invalidate the original signed document?

No. The Evidence Record Syntax defined in RFC 4998 and RFC 6283, and referenced in ETSI EN 319 102-2, appends a separate cryptographic structure containing archive timestamp chains. The original document and its classical signature remain byte-for-byte intact; the evidence record sits alongside them and provides the renewable proof of integrity.

What is the difference between ML-DSA and SLH-DSA, and which should an organisation use for re-timestamping?

ML-DSA (FIPS 204) is a lattice-based scheme with compact signatures and fast verification, making it practical for high-volume re-timestamping workflows. SLH-DSA (FIPS 205) is hash-based, meaning its security rests on different mathematical assumptions and provides a useful diversity hedge. ETSI and NIST guidance suggests organisations implement at least ML-DSA for primary use and consider SLH-DSA as a secondary or hybrid layer where long-term assurance requirements are highest.

When must an organisation start a re-signing programme to remain compliant under eIDAS 2.0?

eIDAS 2.0 (Regulation (EU) 2024/1183) Articles 34 and 35, elaborated by ETSI EN 319 162, require qualified preservation services to renew signatures and timestamps before the underlying algorithms are considered cryptographically weak. Because algorithm deprecation recommendations from ENISA and NIST are expected within this decade, organisations with retention periods extending beyond five to ten years should begin planning and piloting re-timestamping infrastructure now rather than waiting for a formal sunset date.

Can an organisation use a foreign-jurisdiction trust service provider for its PQC re-signing programme and still meet sovereignty requirements?

Not without accepting significant legal exposure. If the trust service provider operates under US jurisdiction, the CLOUD Act and FISA 702 allow US authorities to compel access to metadata, keys and audit logs associated with the re-signing operations. For public sector, healthcare and financial organisations that must demonstrate archival integrity under GDPR Article 5(1)(e) and NIS-2, the re-signing infrastructure should be operated on-premises or under a jurisdiction, such as Switzerland under the revised Federal Act on Data Protection, that is not subject to such extraterritorial compulsion.

Frequently asked questions

Why do existing RSA and ECDSA signatures on archived documents face a specific quantum threat, even if the documents are not currently in active use?
A cryptographically relevant quantum computer running Shor's algorithm can factor the large integers and solve the elliptic-curve discrete logarithm problems that underpin RSA and ECDSA. Once that threshold is crossed, any archived signature can be retroactively forged or invalidated, stripping court filings, audit trails and medical records of their legal evidential weight regardless of when they were originally signed.
Does adding an evidence record alter or invalidate the original signed document?
No. The Evidence Record Syntax defined in RFC 4998 and RFC 6283, and referenced in ETSI EN 319 102-2, appends a separate cryptographic structure containing archive timestamp chains. The original document and its classical signature remain byte-for-byte intact; the evidence record sits alongside them and provides the renewable proof of integrity.
What is the difference between ML-DSA and SLH-DSA, and which should an organisation use for re-timestamping?
ML-DSA (FIPS 204, formerly CRYSTALS-Dilithium) is a lattice-based scheme with compact signatures and fast verification, making it practical for high-volume re-timestamping workflows. SLH-DSA (FIPS 205, formerly SPHINCS+) is hash-based, meaning its security rests on different mathematical assumptions and provides a useful diversity hedge. ETSI and NIST guidance suggests organisations implement at least ML-DSA for primary use and consider SLH-DSA as a secondary or hybrid layer where long-term assurance requirements are highest.
When must an organisation start a re-signing programme to remain compliant under eIDAS 2.0?
eIDAS 2.0 (Regulation (EU) 2024/1183) Articles 34 and 35, elaborated by ETSI EN 319 162, require qualified preservation services to renew signatures and timestamps before the underlying algorithms are considered cryptographically weak. Because algorithm deprecation recommendations from ENISA and NIST are expected within this decade, organisations with retention periods extending beyond five to ten years should begin planning and piloting re-timestamping infrastructure now rather than waiting for a formal sunset date.
Can an organisation use a foreign-jurisdiction trust service provider for its PQC re-signing programme and still meet sovereignty requirements?
No, not without accepting significant legal exposure. If the trust service provider operates under US jurisdiction, the CLOUD Act and FISA 702 allow US authorities to compel access to metadata, keys and audit logs associated with the re-signing operations. For public sector, healthcare and financial organisations that must demonstrate archival integrity under GDPR Article 5(1)(e) and NIS-2, the re-signing infrastructure should be operated on-premises or under a jurisdiction, such as Switzerland under the revised FADP, that is not subject to such extraterritorial compulsion.