RGS: What It Is, Levels, Stars, and Its Impact on Electronic Signatures


    The RGS (Référentiel Général de Sécurité) is the French regulatory and technical framework created by ANSSI (the National Agency for the Security of Information Systems) that establishes security rules for the information systems of public administrations and their suppliers. It is based on a trust rating system structured around 1-, 2-, and 3-star RGS certificates, which determine the level of cryptographic strength and the support (software or hardware) required to perform procedures such as electronic signatures, authentication, and encryption.

    For Spanish companies, obtaining an RGS** certificate (2 stars) or its equivalent qualified under eIDAS is essential for participating in cross-border public tenders in France and operating in the European market with full legal guarantees.

    Don’t let the lack of an RGS certificate hold your business back in Europe

    What is the RGS (Référentiel Général de Sécurité)?

    The RGS (General Security Framework) is a regulatory framework and a set of technical cybersecurity standards established in France, overseen and constantly updated by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information). 

    This legal framework was created under Ordinance No. 2005-1516 and the subsequent Decree 2010-112, with the fundamental objective of safeguarding the security of electronic exchanges between citizens, businesses, and the various entities of the French Public Administration. 

    The RGS is not merely a recommendation for best practices; it is a binding legal obligation. It defines in exhaustive and meticulous detail the rules, audit procedures, cryptographic specifications, and infrastructure requirements that Certification Authorities must meet to issue so-called RGS certificates. These digital certificates are the only valid instruments for authenticating identities, signing documents electronically, and encrypting data in critical interactions with the French government. 

    From a technical perspective, the RGS establishes strict policies regarding:

    • Accepted cryptographic algorithms: RSA or ECC (Elliptic Curve) key lengths, and permitted hash functions (such as the SHA-2 or SHA-3 family).
    • Storage support: Requirements regarding whether private keys may reside in local software, in the cloud, or whether they must be stored on a Secure Signature Creation Device (QSCD or hardware devices such as tokens and HSMs).
    • Identity verification processes: In-person or advanced remote requirements (digital onboarding) to identify the natural or legal person before issuing the certificate.

    Who it is aimed at and why it is relevant for companies in Spain

    At first glance, it might seem that a French national regulation such as the RGS only affects French entities. However, in the context of the European Single Market, the reality is quite different. The RGS is of vital importance to companies in Spain due to the high level of economic interconnection and the existence of cross-border tenders.

    Participation in French Public Tenders

    France is one of Spain’s main trading partners. Any Spanish company in the construction, engineering, consulting, or technology sector wishing to bid on a public contract in France through platforms such as PLACE (Plateforme des achats de l’État) must submit its technical and financial proposal with a specific level of security. The terms of reference for these tenders routinely require the use of RGS certificates (generally 2-star level) or strictly equivalent certificates recognized on the European Trusted List (EUTL).

    European Interconnection and Secure Supply Chains

    Major French corporations in the aerospace, automotive, or defense sectors require their Spanish suppliers (Tier 1, Tier 2) to align with their own cybersecurity standards. On many of these supplier portals (EDI, electronic invoicing platforms), the use of an RGS certificate guarantees non-repudiation and the integrity of document exchange.

    Regulatory Anticipation

    The ANSSI RGS is considered one of the most mature and demanding security frameworks in the world. Spanish companies that adopt RGS-compatible processes are, by default, implementing information security policies that exceed the market average, which protects them against audits, cyberattacks, and future regulations, thereby boosting their global competitiveness.

    For Spanish companies, the RGS is a strategic barrier to entry, as France requires certificates that comply with this standard for signing invoices, contracts, and bids with its government agencies. Lacking a compatible solution not only increases cybersecurity risks but also results in immediate exclusion from public tenders in sectors such as engineering, technology, and construction.

    The three types of RGS certificates: The star rating system

    The innovation of the RGS compared to other security frameworks lies in its pragmatic approach to classifying risks using a visual and intuitive scale: the star system. Depending on the criticality of the operation, the financial impact, confidentiality requirements, and the nature of the data processed, ANSSI requires one level or another. This classification of RGS certificates is divided into three increasing levels of security: 1 star (*), 2 stars (**), and 3 stars (***).

    RGS 1-star (*): Basic and operational security

    The 1-star RGS certificate is designed for low- or moderate-risk operations. Its main advantage is its agility and ease of deployment in corporate environments, as it does not require dedicated hardware on the end-user side. 

    • Technical features: This is a software-based certificate (typically delivered in a .p12 or .pfx file). The user’s private key is stored in the web browser, in the operating system’s certificate store (Windows/macOS), or on a centralized corporate server. 
    • Authentication and signing: It enables basic strong authentication and the generation of simple or low-profile advanced electronic signatures. However, since it resides in software, it is more vulnerable to unauthorized extraction if the user’s device is compromised by malware or Trojans. 

    This level is optimal for signing common electronic invoices that do not require the highest legal assurance and for streamlining internal Human Resources processes, such as signing vacation requests or pay stubs. Additionally, it is very useful for protecting encrypted communications and emails within the same corporate network, as well as for managing access to non-critical platforms or general information portals.

    RGS 2-star (**): Medium-high security and the cross-border standard

    The RGS 2-star certificate is the true cornerstone of the B2B and B2G business ecosystem and the one sought by the vast majority of Spanish companies. It represents a massive qualitative leap in terms of cybersecurity and legal guarantees. 

    • Technical characteristics: The key feature of this level is that it mandates cryptographic hardware support. The certificate cannot be exported or copied. It is delivered and stored on a physical device, typically a cryptographic USB token or a smart card that complies with international security standards (such as Common Criteria EAL4+ or FIPS 140-2 Level 3). 
    • Legal equivalence: Depending on how identity verification was performed (which usually requires physical presence or a highly qualified video identification onboarding process), an RGS** is the direct equivalent of a reinforced advanced electronic signature or, in many cases, a qualified electronic signature.
    • Usage process: To sign a document, the user must connect the physical token to their computer and enter a personal PIN. This ensures authenticity through two factors (something you possess: the token; and something you know: the PIN), guaranteeing absolute non-repudiation. 

    This level is mandatory in public tenders for submitting bids to the French Public Administration. It is also ideal for signing high-value commercial contracts and non-disclosure agreements (NDAs), as well as for signing annual accounts, financial statements, and corporate documentation with full legal effect, and is indispensable for conducting highly sensitive procedures with tax agencies and commercial registries.

    A woman verifying digital documents using RGS standards.

    RGS 3-star (***): Maximum government and defense security

    The RGS 3-star level represents the pinnacle of civil and government cryptographic security. Obtaining, maintaining, and using it involves extremely rigorous, slow, and costly processes. 

    • Technical characteristics: It uses state-of-the-art cryptographic algorithms recommended for the protection of state secrets. The requirements for the Certification Authority issuing them are draconian, including constant audits, bunkered physical facilities, and redundant infrastructure resistant to nation-state attacks. Hardware support is even more restrictive than at Level 2. 
    • Identity verification: Scrutiny of the applicant’s identity and background is absolute, requiring exhaustive in-person validations by personnel specifically authorized by the State. 

    This level is not intended for general business use, as its application is restricted to Operators of Vital Importance (OIV) as defined by the French government. It is specifically applied to military communications, defense systems, intelligence networks, and the management of critical infrastructure (nuclear energy, air traffic control, strategic telecommunications), as well as to the protection of documents classified as "Restricted" or higher.

    Feature             | RGS 1 Star (*)                    | RGS 2 Stars (**)                         | RGS 3 Stars (***)
    --------------------|-----------------------------------|------------------------------------------|-------------------------------------
    Risk Level          | Low / Moderate                    | High / Critical                          | Maximum / National Security
    Storage Media       | Software (Browser, .p12, Server)  | Hardware (Cryptographic USB Token, Card) | High-Security Cryptographic Hardware
    Key Extraction      | Possible (if configured)          | Impossible (hardware protection)         | Not possible
    Use in Bidding      | Not valid or very limited         | The default required standard            | Required only for Defense/OIV
    Cost and Complexity | Low                               | Medium-High                              | Very High

    RGS and the European eIDAS Regulation

    It is impossible to discuss RGS certificates today without placing them within the context of the eIDAS Regulation (EU Regulation 910/2014, and its upcoming iteration, eIDAS 2.0). While RGS is an older French national framework, the European regulation is the Union’s supreme legislation aimed at creating an interoperable Digital Single Market. This legal text classifies electronic signatures into three levels: Simple, Advanced, and Qualified. The question that inevitably arises for legal experts and CTOs is: How do RGS stars map to the EU categories? The answer lies in interoperability and mutual recognition, as ANSSI has worked intensively to align its RGS repository with eIDAS requirements. In general terms, the functional and legal equivalence is as follows:

    1. RGS Convergence: A 2-star RGS certificate, issued by a Qualified Trust Service Provider (QTSP) that meets RGS requirements and uses a Qualified Signature Creation Device (QSCD), is equivalent in practice to a Qualified Electronic Signature under eIDAS.
    2. European Trust List (EUTL): Thanks to European standardization, a Spanish company is not strictly required to purchase a certificate from a French CA to bid on contracts in France. It may use a certificate issued by a Spanish CA (such as FNMT, Camerfirma, or qualified private providers), provided that this certificate meets the "Qualified" (QES) level and complies with technical specifications comparable to the requirements of an RGS**. The French procurement platform will verify that the certificate is listed in the European EUTL. 
    3. The Future with eIDAS 2.0 and the EUDI Wallet: The evolution toward the European Digital Identity Wallet (EUDI Wallet) will require local frameworks such as the RGS to continue adapting. However, the security principles upon which RGS certificates are based (such as robust encryption and unambiguous binding to the signatory) will remain at the core of any trust architecture. The French "star-based" approach will continue to serve as a benchmark for conducting risk assessments within the EU. 
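
    As an added illustration of point 1 (this is example code, not from the article or from Tecalis): a small decoder for the eIDAS QcStatements certificate extension (ETSI EN 319 412-5) that reports whether a certificate declares both qualified status (QcCompliance) and a QSCD-held key (QcSSCD), the combination the article equates with an RGS** certificate. The sample extension bytes are constructed here and are not taken from any real certificate.

```python
# Decoder for the eIDAS QcStatements extension (ETSI EN 319 412-5), used to
# tell a qualified-on-QSCD certificate (the article's RGS** equivalent) from a
# qualified certificate whose key may be software-held. Pure Python, no deps.

ID_ETSI_QCS = "0.4.0.1862.1"
QC_COMPLIANCE = ID_ETSI_QCS + ".1"   # certificate is an EU qualified certificate
QC_SSCD = ID_ETSI_QCS + ".4"         # private key is held in a QSCD


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos).
    Handles short- and long-form lengths, which is enough for X.509 extensions."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_decode_oid(value):
    """Decode the content octets of an OBJECT IDENTIFIER into dotted form."""
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 byte of this arc
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_qc_statements(ext_value):
    """Return the statementId OIDs of a QcStatements extension value
    (SEQUENCE OF QCStatement; each QCStatement is a SEQUENCE starting with an OID)."""
    tag, seq, _ = der_read_tlv(ext_value, 0)
    assert tag == 0x30, "QcStatements must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        tag, stmt, pos = der_read_tlv(seq, pos)
        assert tag == 0x30, "QCStatement must be a SEQUENCE"
        oid_tag, oid_bytes, _ = der_read_tlv(stmt, 0)   # optional statementInfo is skipped
        assert oid_tag == 0x06, "statementId must be an OID"
        oids.append(der_decode_oid(oid_bytes))
    return oids


def classify_assurance(ext_value):
    """Map the statements present to the assurance level the article discusses."""
    oids = set(parse_qc_statements(ext_value))
    if QC_COMPLIANCE in oids and QC_SSCD in oids:
        return "qualified on QSCD (RGS**-equivalent: key is hardware-bound)"
    if QC_COMPLIANCE in oids:
        return "qualified, no QSCD statement (key may be software-held)"
    return "not a qualified certificate"


# Constructed sample extension values (DER), not from any real certificate.
# 30 14 = SEQUENCE of two 10-byte statements; 06 06 04 00 8E 46 01 xx = OID 0.4.0.1862.1.xx
QSCD_CERT_EXT = bytes.fromhex("3014" "3008" "0606" "04008E460101" "3008" "0606" "04008E460104")
SOFTWARE_CERT_EXT = bytes.fromhex("300A" "3008" "0606" "04008E460101")

if __name__ == "__main__":
    for name, ext in (("hardware token", QSCD_CERT_EXT), ("software .p12", SOFTWARE_CERT_EXT)):
        print(f"{name}: {parse_qc_statements(ext)} -> {classify_assurance(ext)}")
```

    A procurement platform would also check that the issuing CA appears on the EUTL; this block only reads what the certificate states about itself.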

    Understanding this eIDAS/RGS duality is key for Spanish companies to avoid duplicating operational costs by acquiring multiple certificates for different countries, and instead opt for electronic signature solutions that ensure simultaneous pan-European compliance.

    How to Choose the Right RGS Level for Your Business

    Selecting the wrong RGS certification level for your company’s operations can lead to two serious strategic problems that will directly impact the bottom line. On the one hand, you could face severe operational and legal roadblocks by using a signature level lower than that required by official specifications, invalidating your documents in public tenders or critical contracts. On the other hand, overdoing it and implementing a maximum-security cryptographic infrastructure for mundane corporate procedures will generate immediate financial overcosts and unnecessary technological friction in your employees’ day-to-day work.

    To avoid both scenarios and make the correct technological and legal decision, IT directors (CIOs), security officers (CISOs), and legal directors (CLOs) must jointly implement a strictly risk-based approach. This preliminary corporate analysis requires a detailed mapping of the company’s document flows, an assessment of the legal impact of each cross-border process, and a balancing of the sensitivity of the information handled against the system’s usability. By rigorously auditing these factors, senior management can ensure compliance with ANSSI regulations without compromising the business’s operational agility or overburdening their departments’ budgets.

    Risk Analysis by Process: Public Bidding vs. Internal Billing

    The first step before acquiring any type of digital identity is to conduct a comprehensive and strategic mapping of all the company’s document and transaction processes. Organizations must classify each process based on its legal criticality, the volume of signatures required daily, and the type of counterpart involved (public entities versus private partners). This internal risk audit will allow for a precise distinction between which workflows require absolute legal protection against third parties and which demand, above all, technological speed and automation to avoid stifling daily corporate productivity. To achieve this balance, the analysis must focus on the following key scenarios:

    1. Impact Assessment (Tenders and External Contracts): 

    If the company’s primary objective is to expand its market share in France by participating in the public sector ecosystem, the decision is automatic. French public procurement regulations leave no room for maneuver. You must, without exception, have processes compatible with RGS 2-star (or equivalent Qualified eIDAS with a qualified token/cloud). 

    • Associated risk: Rejection of the bid for procedural irregularities, loss of millions of euros in contracts, legal nullity of the agreement. 
    • Action: Acquisition of hardware certificates or eIDAS/RGS**-qualified centralized signatures. 

    2. Assessment of volume and agility (Internal operations and invoicing): 

    If the company operates in France but its activity is limited to issuing electronic invoices to private customers via EDI (Electronic Data Interchange) platforms, or cross-border HR processes (expatriate employment contracts), an RGS** level may create too much friction. Requiring every billing employee to insert a USB drive and enter a PIN 200 times a day is unfeasible. 

    • Associated risk: Operational friction, slow processes, loss of productivity, even if the legal risk of dispute is low.
    • Action: Implementation of 1-star RGS certificates in software, integrated into the corporate ERP (SAP, Navision) for the automated signing of invoices or bulk documents.

    Signature and onboarding solutions that integrate RGS and eIDAS standards

    The major challenge facing organizations is how to implement high-level cryptographic requirements without compromising the user experience. Historically, using physical RGS**-type certificates was synonymous with complex driver installations, browser incompatibilities, and frustration for the end user.

    Today, leading RegTech and LegalTech platforms resolve this dichotomy. It is essential to rely on cutting-edge solutions that hide technical complexity (the underlying cryptography, CRL or OCSP checks) and offer an intuitive interface.

    Tools like Tecalis Sign and Tecalis Identity facilitate compliance

    Comprehensive digital identity platforms like Tecalis have been specifically designed to navigate these complex regulatory frameworks transparently, enabling corporate clients to comply with regulations without sacrificing operational efficiency. To achieve this simplification of regulatory compliance, Tecalis’ technology is built on the following key pillars: 

    • Digital onboarding and identity verification: Before issuing or using a high-assurance certificate, identity must be rigorously validated. Solutions like Tecalis Identity use artificial intelligence, facial biometrics, and advanced document scanning via NFC or OCR. These tools enable compliance with the prior identification requirements mandated by eIDAS and the CAs that issue RGS. Thanks to this system, physical visits are eliminated, and weeks of bureaucracy are reduced to just a few minutes. 
    • Multi-channel and multi-standard electronic signature: Using Tecalis Sign, companies configure signature workflows based on the document’s risk level. The system allows for requesting a simple biometric signature for delivery notes or requiring qualified certificates for high-value contracts. This flexibility ensures compliance with the rigor demanded by the RGS** standard in critical operations.
    • API integration and user experience: The key to success is seamless technical integration. Using RESTful APIs, Spanish companies embed RGS- and eIDAS-compliant signatures into their own CRMs or portals. Users can sign with full legal validity from any device without needing to be experts in ANSSI regulations. 

    In short, understanding what RGS is, mastering its star rating system, and relying on reputable technology providers that align these French requirements with the robustness of the eIDAS regulation is the definitive strategic move for any Spanish company that wants to succeed and operate with complete security in the European and international markets.