There’s a question that inevitably comes up sooner or later in any serious document digitization project with legal implications: “What if this goes to court in five years—will the document hold up?” The answer doesn’t depend on the signing tool—it depends on the regulatory framework under which it was signed and preserved. And this is where the conversation becomes more nuanced than the marketing for many products suggests.
A simple electronic signature (upload a PDF, draw the signature, download) is not the same as an advanced electronic signature with a timestamp issued by a recognized authority and an auditable chain of custody. The former has reasonable contractual value between parties who do not dispute it. The latter has evidentiary value in court, against a hostile counterparty, years after it was signed. And the transition from one to the other is not a feature upgrade—it is a change in the legal framework.
The problem addressed by preservation for evidentiary purposes
Imagine a contract signed electronically in 2020. Today, in 2026, one of the parties alleges that the document’s content was altered after it was signed—or that the signature itself was forged. To defend the document in court, you must be able to prove:
- Who signed. Unambiguous identification of the signatory at the time of signing.
- What he signed. That the content of the document at issue in this case is exactly what he signed—word for word, without any alterations.
- When it was signed. A reliable timestamp that proves the signature was created on a specific date—neither before nor after.
- That the document has been preserved in its entirety. An auditable chain of custody proving that no one has altered the file between the date of signature and today.
A simple electronic signature meets requirements 1 and 2 with a certain degree of rigor. A record with formal evidentiary value meets all four requirements, backed by a recognized regulatory authority. And the three frameworks we are going to discuss differ in terms of who that authority is, what level of technical control it requires, and under which jurisdiction the result is accepted.
NOM-151-SCFI-2016 (Mexico)
NOM-151-SCFI-2016 is the official Mexican standard that regulates the “Retention of Data Messages and Digitization of Documents” within Mexican territory. It establishes the technical requirements for an electronic document to have probative value equivalent to that of an original, hand-signed paper document.
Its core requirements are:
- A timestamp issued by a Certification Service Provider (CSP) authorized by the Ministry of Economy. An internal timestamp from the document management system is not sufficient—it must be issued by an authority accredited under NOM-151 itself.
- A cryptographic hash of the document is preserved along with the timestamp. This permanently and immutably links the original document to the date it was timestamped.
- Retention under auditable controls that prove the file was not altered between the time it was sealed and the time it is presented as evidence.
- Traceability for Mexican tax and judicial authorities, using standardized formats and structures for verification.
The key point of NOM-151 is the first one: the timestamp is issued by an authorized external PSC, not by the document management system. This means that any ECM or document management platform that claims to “natively support NOM-151” without integrating with an authorized PSC is making a claim that is not technically valid.
NOM-151 applies to: commercial contracts with effects within Mexican territory, tax documentation (CFDI with the SAT seal), notarial records, and judicial and administrative proceedings in which evidence is to be presented before Mexican courts.
eIDAS — EU Regulation 910/2014
eIDAS (electronic IDentification, Authentication, and Trust Services) is the European Union regulation governing electronic identification and trust services for electronic transactions within the European Single Market. It defines three progressive levels of electronic signatures:
- Simple Electronic Signature (SES). Data in electronic format linked to other electronic data that the signer uses to sign. Low level of assurance.
- Advanced Electronic Signature (AES). Unambiguously linked to the signatory, it identifies the signatory, has been created in such a way that the signatory retains exclusive control over it, and is linked to the document in such a way that any subsequent modification is detectable.
- Qualified Electronic Signature (QES). An advanced signature created by a qualified creation device and based on a qualified certificate issued by an accredited Trust Service Provider (TSP) on the EU Trusted List. It has the same legal effect as a handwritten signature in any member state.
eIDAS is accepted in the 27 EU member states and the European Economic Area. Based on reciprocity and bilateral recognition, it is also accepted in many Latin American countries for international transactions with European counterparties—although, for purposes within Mexican territory, the document must also comply with NOM-151 if it is to be presented in Mexican courts.
The operational equivalent of NOM-151 within eIDAS is the qualified electronic archiving service and the qualified time stamp, which perform similar functions but under the European regulatory framework and trust chain.
A simple electronic signature is not the same as a record with evidentiary value. This distinction matters when the document needs to be relied upon in court years later.
Qualified Electronic Signature in the U.S. and Canada
The Anglo-Saxon legal framework is more fragmented. The United States operates primarily under the ESIGN Act (federal) and the UETA (Uniform Electronic Transactions Act, adopted by most states). Both grant electronic signatures the same validity as handwritten signatures for most commercial transactions—but they do not establish a hierarchical “qualified signature” regime like eIDAS or NOM-151.
For cases requiring greater evidentiary assurance—such as high-value contracts, documents to be filed with federal courts, or regulated transactions in specific sectors like banking, healthcare, or pharmaceuticals—the U.S. relies on commercial providers that offer what is, in practice, equivalent to a qualified digital signature: a time stamp from an authorized authority (typically a Certificate Authority that has undergone a WebTrust audit), a document hash, and a file held in escrow with an auditable chain of custody.
Canada operates under the federal PIPEDA and provincial laws (Quebec has its own civil regime). The analogous concept is that of a “secure electronic signature” as defined in the Personal Information Protection and Electronic Documents Act, which does establish technical criteria similar to those of eIDAS Advanced.
The operational reality for an organization with a multi-jurisdictional presence is that there is no single timestamp that is valid everywhere at the same time. What does exist, however, are architectures that allow for the issuance of multiple timestamps when a document needs to be validated in different jurisdictions.
What Does the DOQSOFT Stack Actually Support?
It's important to approach this section with honesty—because there are claims made in this field that don't hold up to even a cursory technical analysis. The actual situation:
What Docuo does natively
Docuo features a native eIDAS electronic signature, registered with Spain’s Ministry of Economic Affairs and Digital Transformation and compliant with Spanish Law 34/2002. This means it can generate advanced electronic signatures (AES) that are valid in the European Union and in countries that accept eIDAS on the basis of reciprocity.
Docuo also provides the components necessary to support a robust retention chain: AES-256 encryption + TLS 1.3, an immutable audit log, document versioning, granular RBAC, configurable retention by document type, and a cryptographic hash of the document at the time of archiving. These are the operational controls that any retention policy with evidentiary value requires of a document management system.
What it does NOT do natively — and requires external integration
Here's the honest part that marketing tends to leave out:
- Docuo does not issue NOM-151 time stamps. For a document managed in Docuo to comply with NOM-151 in Mexico, it must be integrated with a Certification Service Provider authorized by the Ministry of Economy. The time stamp is issued by the CSP; Docuo retains the document, the time stamp, and the auditable evidence of the chain of custody.
- Docuo is not a qualified Trust Service Provider on the EU Trusted List. To issue a qualified electronic signature (QES) under eIDAS, you must integrate with an accredited TSP.
- Docuo does not issue timestamps under specific Anglo-Saxon regulations, such as those required in regulated sectors in the U.S. (21 CFR Part 11 for the pharmaceutical industry, FedRAMP for the government). These require specialized providers in each sector.
The pattern is the same in all cases: the B2B document management system provides the operational controls—encryption, integrity, auditing, retention, RBAC—; the qualified authority issues the timestamp and the legally binding signature. To claim otherwise would be false.
The Chronoscan component in the chain
For legacy paper-based records—old notarized deeds, signed physical contracts, historical files— Chronoscan provides digitization with OCR + AI and the necessary indexing before the document enters the preservation system. The digitization of pre-existing physical documents for evidentiary purposes has its own regulatory framework (in Mexico, NOM-151 itself covers digitization; in the EU, the standards for qualified e-archiving), and always requires a PSC/TSP timestamp on the resulting digital image.
Practical Recommendations for Notaries and Law Firms
If your institution creates, retains, or submits documents with legal effect as evidence, here are five specific operational recommendations:
- Define the target jurisdiction before choosing a technology. If your document is to be filed in Mexican courts, NOM-151 is not optional—it is the required framework. If it’s for the EU, follow eIDAS. If it’s cross-border, plan for multiple digital seals from the start.
- Distinguish between "electronic signature" and "preservation with evidentiary value." These are two distinct issues with two distinct solutions—even though they are often marketed together.
- Ask the conservation provider to name the PSC/TSP it is affiliated with. If the answer is vague, that’s a red flag.
- Verify the operational controls of the document management system. Encryption, immutable audit log, audited retention, cryptographic hash upon archiving. Without these, no external seal will save you.
- Design the chain with the audit in mind. The day a court requests the evidence, you must be able to reconstruct: who signed it, what was signed, when, and how it has been preserved intact to this day. If your architecture cannot answer those four questions within an hour, it is not well designed.
The B2B document management system provides operational controls. The qualified authority issues the timestamp and the legally binding signature. To claim otherwise would be false.
Conclusion
NOM-151, eIDAS, and their equivalent Anglo-Saxon frameworks are the answer to the question, “Will this document hold up in court five years from now?” Each one establishes who the qualified authority is, what level of technical control it requires, and under which jurisdiction the result is accepted. And none of them can be “purchased as a single package”—they all require integration between a robust document management system (which provides the operational controls) and an external qualified authority (which provides the timestamp and legal signature).
Any provider that claims “full coverage” of all three systems natively is either deceiving itself or deceiving the customer. The honest answer is: this is how compliance is achieved—with each part doing what it does best and not attempting to do what falls under another authority’s jurisdiction.
At DOQSOFT, we work with notary offices, law firms, and regulatory agencies in the U.S., Mexico, the EU, and Latin America. The Notary and Legal pages outline specific use cases by sector, and the Docuo page details what it does natively and where it requires integration with external qualified authorities.