The RGS (Référentiel Général de Sécurité) is the French regulatory and technical framework created by ANSSI (the National Agency for the Security of Information Systems) that establishes security rules for the information systems of public administrations and their suppliers. It is based on a trust rating system structured around 1-, 2-, and 3-star RGS certificates, which determine the level of cryptographic strength and the support (software or hardware) required to perform procedures such as electronic signatures, authentication, and encryption.
\nFor Spanish companies, obtaining an RGS** certificate (2 stars) or its equivalent qualified under eIDAS is essential for participating in cross-border public tenders in France and operating in the European market with full legal guarantees.
","strapi_component":"blog.content-rich-text"},{"id":1104,"name":null,"description":"Don’t let the lack of an RGS certificate hold your business back in Europe
","button":"Adapt your compliance","url":"https://www.tecalis.com/request-demo","blank":true,"image":null,"strapi_component":"blog.cta"},{"id":4552,"text":"The RGS (General Security Framework) is a regulatory framework and a set of technical cybersecurity standards established in France, overseen and constantly updated by ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information).
\nThis legal framework was created under Ordinance No. 2005-1516 and the subsequent Decree 2010-112, with the fundamental objective of safeguarding the security of electronic exchanges between citizens, businesses, and the various entities of the French Public Administration.
\nThe RGS is not merely a recommendation for best practices; it is a binding legal obligation. It defines in exhaustive and meticulous detail the rules, audit procedures, cryptographic specifications, and infrastructure requirements that Certification Authorities must meet to issue so-called RGS certificates. These digital certificates are the only valid instruments for authenticating identities, signing documents electronically, and encrypting data in critical interactions with the French government.
\nFrom a technical perspective, the RGS establishes strict policies regarding:
\nAt first glance, it might seem that a French national regulation such as the RGS only affects French entities. However, in the context of the European Single Market, the reality is quite different. The RGS is of vital importance to companies in Spain due to the high level of economic interconnection and the existence of cross-border tenders.
\nFrance is one of Spain’s main trading partners. Any Spanish company in the construction, engineering, consulting, or technology sector wishing to bid on a public contract in France through platforms such as PLACE (Plateforme des achats de l’État) must submit its technical and financial proposal with a specific level of security. The terms of reference for these tenders routinely require the use of RGS certificates (generally 2-star level) or strictly equivalent certificates recognized on the European Trusted List (EUTL).
\nMajor French corporations in the aerospace, automotive, or defense sectors require their Spanish suppliers (Tier 1, Tier 2) to align with their own cybersecurity standards. On many of these supplier portals (EDI, electronic invoicing platforms), the use of an RGS certificate guarantees non-repudiation and the integrity of document exchange.
\nThe ANSSI RGS is considered one of the most mature and demanding security frameworks in the world. Spanish companies that adopt RGS-compatible processes are, by default, implementing information security policies that exceed the market average, which protects them against audits, cyberattacks, and future regulations, thereby boosting their global competitiveness.
","strapi_component":"blog.content-rich-text"},{"id":26,"text":"For Spanish companies, the RGS is a strategic barrier to entry, as France requires certificates that comply with this standard for signing invoices, contracts, and bids with its government agencies. Lacking a compatible solution not only increases cybersecurity risks but also results in immediate exclusion from public tenders in sectors such as engineering, technology, and construction.
","color":"default","strapi_component":"blog.callout"},{"id":4554,"text":"The innovation of the RGS compared to other security frameworks lies in its pragmatic approach to classifying risks using a visual and intuitive scale: the star system. Depending on the criticality of the operation, the financial impact, confidentiality requirements, and the nature of the data processed, ANSSI requires one level or another. This classification of RGS certificates is divided into three increasing levels of security: 1 star (*), 2 stars (**), and 3 stars (***).
\nThe 1-star RGS certificate is designed for low- or moderate-risk operations. Its main advantage is its agility and ease of deployment in corporate environments, as it does not require dedicated hardware on the end-user side.
\nThis level is optimal for signing common electronic invoices that do not require the highest legal assurance and for streamlining internal Human Resources processes, such as signing vacation requests or pay stubs. Additionally, it is very useful for protecting encrypted communications and emails within the same corporate network, as well as for managing access to non-critical platforms or general information portals.
","strapi_component":"blog.content-rich-text"},{"id":4555,"text":"The RGS 2-star certificate is the true cornerstone of the B2B and B2G business ecosystem and the one sought by the vast majority of Spanish companies. It represents a massive qualitative leap in terms of cybersecurity and legal guarantees.
\nThis level is mandatory in public tenders for submitting bids to the French Public Administration. It is also ideal for signing high-value commercial contracts and non-disclosure agreements (NDAs), as well as for signing annual accounts, financial statements, and corporate documentation with full legal effect, and is indispensable for conducting highly sensitive procedures with tax agencies and commercial registries.
","strapi_component":"blog.content-rich-text"},{"id":981,"title":null,"alt":"A woman verifying digital documents using RGS standards.","figcaption":null,"link":null,"blank":null,"image":{"id":5171,"name":"RGS-interior-1.png","hash":"e_CMR_interior_1_7_79b0353a00","sha256":null,"ext":".png","mime":"image/png","size":743.25,"url":"/uploads/e_CMR_interior_1_7_79b0353a00.png","provider":"local","provider_metadata":null,"created_at":"2026-05-08T11:35:36.000Z","updated_at":"2026-05-08T11:35:52.000Z","alternativeText":"","caption":"","width":954,"height":525,"formats":{"thumbnail":{"name":"thumbnail_eCMR_interior_1 (7).png","hash":"thumbnail_e_CMR_interior_1_7_79b0353a00","ext":".png","mime":"image/png","width":245,"height":135,"size":91.91,"path":null,"url":"/uploads/thumbnail_e_CMR_interior_1_7_79b0353a00.png"},"medium":{"name":"medium_eCMR_interior_1 (7).png","hash":"medium_e_CMR_interior_1_7_79b0353a00","ext":".png","mime":"image/png","width":750,"height":413,"size":773.31,"path":null,"url":"/uploads/medium_e_CMR_interior_1_7_79b0353a00.png"},"small":{"name":"small_eCMR_interior_1 (7).png","hash":"small_e_CMR_interior_1_7_79b0353a00","ext":".png","mime":"image/png","width":500,"height":275,"size":353.82,"path":null,"url":"/uploads/small_e_CMR_interior_1_7_79b0353a00.png"}},"previewUrl":null,"localFile___NODE":"2be5466d-24ab-58d4-8aab-d37ed78ec48c"},"strapi_component":"blog.image"},{"id":4556,"text":"The RGS 3-star level represents the pinnacle of civil and government cryptographic security. Obtaining, maintaining, and using it involves extremely rigorous, slow, and costly processes.
\nThis level is not intended for general business use, as its application is restricted to Operators of Vital Importance (OVI) as defined by the French government. It is specifically applied to military communications, defense systems, intelligence networks, and the management of critical infrastructure (nuclear energy, air traffic control, strategic telecommunications), as well as to the protection of documents classified as \"Restricted\" or higher.
","strapi_component":"blog.content-rich-text"},{"id":7,"table":"| Feature | \nRGS 1 Star (*) | \nRGS 2 Stars (**) | \nRGS 3 Stars (***) | \n
|---|---|---|---|
| Risk Level | \nLow / Moderate | \nHigh / Critical | \nMaximum / National Security | \n
| Storage Media | \nSoftware (Browser, .p12, Server) | \nHardware (Cryptographic USB Token, Card) | \nHigh-Security Cryptographic Hardware | \n
| Key Extraction | \nPossible (if configured) | \nImpossible (hardware protection) | \nNot possible | \n
| Use in Bidding | \nNot valid or very limited | \nThe default required standard | \nRequired only for Defense/OIV | \n
| Cost and Complexity | \nLow | \nMedium-High | \nVery High | \n
Integrate RGS**-equivalent certificates into your ERP with centralized signatures
\n","button":"Discover Tecalis Sign","url":"https://www.tecalis.com/products/electronic-signature","blank":true,"image":null,"strapi_component":"blog.cta"},{"id":4557,"text":"
It is impossible to discuss RGS certificates today without placing them within the context of the eIDAS Regulation (EU Regulation 910/2014, and its upcoming iteration, eIDAS 2.0). While RGS is an older French national framework, the European regulation is the Union’s supreme legislation aimed at creating an interoperable Digital Single Market. This legal text classifies electronic signatures into three levels: Simple, Advanced, and Qualified. The question that inevitably arises for legal experts and CTOs is: How do RGS stars map to the EU categories? The answer lies in interoperability and mutual recognition, as ANSSI has worked intensively to align its RGS repository with eIDAS requirements. In general terms, the functional and legal equivalence is as follows:
\nUnderstanding this eIDAS/RGS duality is key for Spanish companies to avoid duplicating operational costs by acquiring multiple certificates for different countries, and instead opt for electronic signature solutions that ensure simultaneous pan-European compliance.
","strapi_component":"blog.content-rich-text"},{"id":4558,"text":"Selecting the wrong RGS certification level for your company’s operations can lead to two serious strategic problems that will directly impact the bottom line. On the one hand, you could face severe operational and legal roadblocks by using a signature level lower than that required by official specifications, invalidating your documents in public tenders or critical contracts. On the other hand, overdoing it and implementing a maximum-security cryptographic infrastructure for mundane corporate procedures will generate immediate financial overcosts and unnecessary technological friction in your employees’ day-to-day work.
\nTo avoid both scenarios and make the correct technological and legal decision, IT directors (CIOs), security officers (CISOs), and legal directors (CLOs) must jointly implement a strictly risk-based approach. This preliminary corporate analysis requires a detailed mapping of the company’s document flows, an assessment of the legal impact of each cross-border process, and a balancing of the sensitivity of the information handled against the system’s usability. By rigorously auditing these factors, senior management can ensure compliance with ANSSI regulations without compromising the business’s operational agility or overburdening their departments’ budgets.
","strapi_component":"blog.content-rich-text"},{"id":982,"title":null,"alt":"A businessman handling paperwork using an RGS electronic signature.","figcaption":null,"link":null,"blank":null,"image":{"id":5172,"name":"RGS-interior-2.png","hash":"e_CMR_interior_2_6_89b4b38adf","sha256":null,"ext":".png","mime":"image/png","size":828.85,"url":"/uploads/e_CMR_interior_2_6_89b4b38adf.png","provider":"local","provider_metadata":null,"created_at":"2026-05-08T11:36:20.000Z","updated_at":"2026-05-08T11:36:32.000Z","alternativeText":"","caption":"","width":1272,"height":700,"formats":{"thumbnail":{"name":"thumbnail_eCMR_interior_2 (6).png","hash":"thumbnail_e_CMR_interior_2_6_89b4b38adf","ext":".png","mime":"image/png","width":245,"height":135,"size":80.1,"path":null,"url":"/uploads/thumbnail_e_CMR_interior_2_6_89b4b38adf.png"},"large":{"name":"large_eCMR_interior_2 (6).png","hash":"large_e_CMR_interior_2_6_89b4b38adf","ext":".png","mime":"image/png","width":1000,"height":550,"size":1086.57,"path":null,"url":"/uploads/large_e_CMR_interior_2_6_89b4b38adf.png"},"medium":{"name":"medium_eCMR_interior_2 (6).png","hash":"medium_e_CMR_interior_2_6_89b4b38adf","ext":".png","mime":"image/png","width":750,"height":413,"size":645.52,"path":null,"url":"/uploads/medium_e_CMR_interior_2_6_89b4b38adf.png"},"small":{"name":"small_eCMR_interior_2 (6).png","hash":"small_e_CMR_interior_2_6_89b4b38adf","ext":".png","mime":"image/png","width":500,"height":275,"size":303.18,"path":null,"url":"/uploads/small_e_CMR_interior_2_6_89b4b38adf.png"}},"previewUrl":null,"localFile___NODE":"8597bfeb-523e-5c05-bcbd-fb7fc4e6aa2a"},"strapi_component":"blog.image"},{"id":4559,"text":"The first step before acquiring any type of digital identity is to conduct a comprehensive and strategic mapping of all the company’s document and transaction processes. Organizations must classify each process based on its legal criticality, the volume of signatures required daily, and the type of counterpart involved (public entities versus private partners). This internal risk audit will allow for a precise distinction between which workflows require absolute legal protection against third parties and which demand, above all, technological speed and automation to avoid stifling daily corporate productivity. To achieve this balance, the analysis must focus on the following key scenarios:
\nIf the company’s primary objective is to expand its market share in France by participating in the public sector ecosystem, the decision is automatic. French public procurement regulations leave no room for maneuver. You must, without exception, have processes compatible with RGS 2-star (or equivalent Qualified eIDAS with a qualified token/cloud).
\nIf the company operates in France but its activity is limited to issuing electronic invoices to private customers via EDI (Electronic Data Interchange) platforms, or cross-border HR processes (expatriate employment contracts), an RGS** level may create too much friction. Requiring every billing employee to insert a USB drive and enter a PIN 200 times a day is unfeasible.
\nThe major challenge facing organizations is how to implement high-level cryptographic requirements without compromising the user experience. Historically, using physical RGS**-type certificates was synonymous with complex driver installations, browser incompatibilities, and frustration for the end user.
\nToday, leading RegTech and LegalTech platforms resolve this dichotomy. It is essential to rely on cutting-edge solutions that hide technical complexity (the underlying cryptography, CRL or OCSP checks) and offer an intuitive interface.
\nComprehensive digital identity platforms like Tecalis have been specifically designed to navigate these complex regulatory frameworks transparently, enabling corporate clients to comply with regulations without sacrificing operational efficiency. To achieve this simplification of regulatory compliance, Tecalis’ technology is built on the following key pillars:
\nIn short, understanding what RGS is, mastering its star rating system, and relying on reputable technology providers that align these French requirements with the robustness of the eIDAS regulation is the definitive strategic move for any Spanish company that wants to succeed and operate with complete security in the European and international markets.
","strapi_component":"blog.content-rich-text"},{"id":1106,"name":null,"description":"Automate your B2B processes with onboarding and European e-signatures
","button":"Request a demo from our experts","url":"https://www.tecalis.com/request-demo","blank":true,"image":null,"strapi_component":"blog.cta"}],"blog_categories":[{"id":13,"name":"Electronic Signature","url":"electronic-signature"},{"id":14,"name":"Risk Management","url":"risk-management"},{"id":24,"name":"Identity Verification","url":"identity-verification"}],"reading_time":"Reading time: 5 minutes."},"site":{"siteMetadata":{"title":"Tecalis","twitterHandle":"Tecalis"}}},"pageContext":{"id":"Blog-posts_425","title":"RGS: What It Is, Levels, Stars, and Its Impact on Electronic Signatures","langKey":"en","location":"https://tecalis.com/blog/rgs-guide-levels-stars-electronic-signature-eidas","dateFormat":"MMMM D, YYYY","translates":{"en":"/blog/rgs-guide-levels-stars-electronic-signature-eidas","es":"/es/blog/guia-rgs-niveles-estrellas-firma-electronica-eidas"},"images":{"2be5466d-24ab-58d4-8aab-d37ed78ec48c":{"data":{"image":{"childImageSharp":{"gatsbyImageData":{"layout":"constrained","placeholder":{"fallback":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAABCcAAAQnAEmzTo0AAADSUlEQVQozxXM/U/UdQDA8e9v/SKbTUkIMbsoe3CEO0RiNUCacJPUe0DgdiCe3AGHHtx5HOGdIPGU4UQe1ACnGOED8WSQ8qCwAcfDdN0CFuAQwwdiEmKW1lp83q3XH/CSkkyZ/YaMLLLyilasuYXCUXKS/BNVmO0OzPbPMVkOU1Nbw+LcJANXarh7Z5CyshPs1cYRr9MRq9UKtSZW7DdZMGV/MS8dOGTDaM0RZkcBtvzjOL+qoOBUNWk2J6mHj5DtPMr42B0Wx0aZ6+1iuu8ao/2dJBhS2amKIVodi0oVS2JKpkixHUNKNGasJKZaSEq3i+RMh8hwfkl2UTm6tCwOmHOxZOUx/dMQ7ivfMN78PZPf1THeU0+cNgl5UBgRUUoRFaUWal0aBmuekOL1B0V6dgFXf+gTlzt6ae1x0TnwI9WX2rHllnK2sgxXcwW3vy5i+UY3zwa6uHjyGPLgcOTbwvhUoUazW41GayDBlIOkjNeTU1jJ/PJf3J1f4v7CMgvP/uZ63ygmWx4mq4Mscxr25ESGa8/xc9sldijiWL1uM+vf+gh/+XZUu/agiUtGlWhGUultWApraB+aonN0mj73LGP3FmnqHMJadJpPFHpe9ZLjtSmCM6XlDLa0Io/Q4+UbiPfGYF5/M5CgcDXKJDsxhiNIn+kyST9aRUO3m4YeN+2uKVwT8zS095PhPM6HIRre8VfgFxDNuZZRXFPP2RKWgI8sBK83gli15l22Re4j1lSIJtmJFLpDKUz2YsZmn4jhiV+YmP2V6Ye/0dE7TKRyPx6vBeEli8BzQzinvh3k2uBjNgWo8JaFsW7DVjzWvoffB6EodemEKmKQgsN3/6tOOEjl+UZRcb5RtN4a4dHSS5q6XIRFmkjWV2E01mA01OJwtFBS3E5JcSPl5U1sfDvk/1B4+m4VwdvVhCr2rkj24tM4S8+KkjN1lNU1Ud3cw9XuYaK1mejirTxfesHy0z/5/ekfLD1ZZuHxIi9f/ENnRx/evltY4+PPKx4yPNcHiMCPdyLlV1xoK7vYzIW2m6L+er+ovzFIjNHBrj0pPHCN8GjEzez4PWamHjIz+YCZifvM3R5j5uYtavML0O07JHz8QsSq1TL83g+e+g8vNSVl2h0fpQAAAABJRU5ErkJggg=="},"images":{"fallback":{"src":"/static/9b75b0673d4f39373d28b7f3aaa0f2c8/59ffd/e_CMR_interior_1_7_79b0353a00.webp","srcSet":"/static/9b75b0673d4f39373d28b7f3aaa0f2c8/7b6bd/e_CMR_interior_1_7_79b0353a00.webp 350w,\n/static/9b75b0673d4f39373d28b7f3aaa0f2c8/aa5f2/e_CMR_interior_1_7_79b0353a00.webp 512w,\n/static/9b75b0673d4f39373d28b7f3aaa0f2c8/806ca/e_CMR_interior_1_7_79b0353a00.webp 520w,\n/static/9b75b0673d4f39373d28b7f3aaa0f2c8/59ffd/e_CMR_interior_1_7_79b0353a00.webp 572w","sizes":"(min-width: 572px) 572px, 100vw"},"sources":[]},"width":572,"height":315}}}}},"8597bfeb-523e-5c05-bcbd-fb7fc4e6aa2a":{"data":{"image":{"childImageSharp":{"gatsbyImageData":{"layout":"constrained","placeholder":{"fallback":"data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAABQAAAALCAYAAAB/Ca1DAAAACXBIWXMAABYlAAAWJQFJUiTwAAADJ0lEQVQoz1XOfUzUdQDH8e9qtnKitdSJT0wm4STXrLRkyw08Wcv+qJzNFXMqNfijra18YK2o1qLNISEa8XCX040AOQTpTnwAOTzueLrjftwdcHDcHcdxICn+fr/LVVvyfTfor/54/fv+fMTQxJTXG52j0nxzIRCJyd/1PwnPafinHtA+Ok+DolGvaNR5/tPg0biiqDR4VOoHVcweVV7zqgt1bpVa18Nh4QzEcIzFZbXFgTs8hycQos0VpDXwiBa/xlWfRtMSfYnZqy1pHFoMa1xya1Q45zH1zctGRUO4Iw8WOgL3qXJE5RnjFXlgv4H8Q+/ybZkJ68RfWEY0rCMav41otA7/3+LgJ7U+ebjCKYuvB7EGEgsiNjsr/XGdn21j8seizyk8/iH2qlLMpWfxuryMRma5M5Gga0LDFtToGNe5PaZzY1TnVkBjfDJMz2CfHItGsQ6rUoxOTjI0rVN1exCb6RzTjk6cxvPcLCtG890lHg3RPZmgL6LSHV6MPqQrpGMLJbCHdCIzMboUhfFYjM6gjlBmEijzkl9uDeA1X2LG2c6A6Sc6q89zz2tjemaWvmiC3oiKL67jvf/PUnxRT0QjHI9hVwZZPGYPqYjimmpOnjWx91ABfc3NuKqLaTeW4eqwMO2+g7PHyY3OboZGxikvKeGbCxdR5v7GHX+EK/4H8XsxbAO9hGJhBqY0xPqMTPn0mjTEE6vklyUXqa+sYY8hi8vGM4S6LDQ0mblq/hXfsMLmlBSee34dLQ4P1/v9tNr7sTh6qe3sl5aBYdq801Kk7TQ8Xv3C61I8s4aXMnPk4ZMmhFjGkaO5WBwOytv68YeCfPFDMUIItu18mbK6ZkpqWyi53Ered+Vyx8F8UnI+YN+nRY/FlhczWbFuKyIpWSatXs/GrM8Qz6azIT2DAx8dI/dUITXGCyRv2sDazVt453geRwryeP9oLieKTnG6sIBMwz5WbUyWWXkfI3a8tr8pdftunlyxVoqnkuTyrdmszHgLsWwl6a9k01h5DmtFKV+fOM33XxWR/97bbHt1F6mpKbzxpoHd2TlyU9p2uWvPXuqtd6/9C0EseyIT9UbvAAAAAElFTkSuQmCC"},"images":{"fallback":{"src":"/static/b871a7aec5b399ad7db33829ca23e51b/59ffd/e_CMR_interior_2_6_89b4b38adf.webp","srcSet":"/static/b871a7aec5b399ad7db33829ca23e51b/7b6bd/e_CMR_interior_2_6_89b4b38adf.webp 350w,\n/static/b871a7aec5b399ad7db33829ca23e51b/aa5f2/e_CMR_interior_2_6_89b4b38adf.webp 512w,\n/static/b871a7aec5b399ad7db33829ca23e51b/806ca/e_CMR_interior_2_6_89b4b38adf.webp 520w,\n/static/b871a7aec5b399ad7db33829ca23e51b/59ffd/e_CMR_interior_2_6_89b4b38adf.webp 572w","sizes":"(min-width: 572px) 572px, 100vw"},"sources":[]},"width":572,"height":315}}}}}},"advertisements":{},"advertisementsForms":{},"ctas":{},"videos":{},"cookies":true}}, "staticQueryHashes": ["1208480927","235538228","2927780632","3803179178","536423426","63159454"]}