Implement a Qualified Electronic Signature (QES) remote signing flow using a QTSP's signing API under eIDAS

Verified steps

1. Select a Qualified Trust Service Provider (QTSP) from the EU Trust List (accessible via ec.europa.eu/tools/lotl/eu-lotl.xml) — only QTSPs on the Trust List may issue qualified certificates for QES; commercial examples include Atos, Namirial, and others
2. Complete the QTSP's identity vetting process (face-to-face or video identification as required by eIDAS); the QTSP issues a qualified certificate stored on a Qualified Signature Creation Device (QSCD) on behalf of the signer
3. Integrate with the QTSP's remote signing API (each QTSP exposes its own API — consult your chosen QTSP's developer documentation); compute a hash of the document to be signed and submit it along with the signature activation data
4. The QTSP returns a signed hash (the signature value); embed this value into the document using a standards-compliant container format such as PAdES for PDFs, XAdES for XML, or CAdES for arbitrary data
5. Timestamp the signature using a Qualified Timestamp Authority (also from the EU Trust List) by submitting a timestamp request to the TSA; embed the timestamp token in the signature container to enable long-term validation
6. Validate the final signed document against the ETSI signature validation standards using a validation service; confirm that the certificate chain traces to a trust anchor on the EU Trust List and that no revocation events have occurred