Electronic signatures and eIDAS

Harmonising e-signing in the EU

eIDAS overview

eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation on electronic identification and trust services for electronic transactions that applies as law within the whole of the EU.

The goal of the eIDAS regulation, which began to take effect in 2016, is to facilitate the smooth flow of commerce in the EU through transparency, security, technical neutrality, cooperation, and interoperability. In pursuit of these values, eIDAS:

  • Standardises the use of electronic identification (eID)
  • Defines a new class of “electronic trust services” (eTS)
  • Clarifies and ensures the legal validity of electronic signatures
  • Creates a European internal market within the EU for electronic trust services:

These standards apply across borders as well as within individual member countries.

Electronic signatures

The eIDAS regulation defines three types of electronic signatures: (Basic) Electronic Signature, Advanced Electronic Signature and Qualified Electronic Signature.

According to eIDAS, “electronic signature” is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.

Basic Electronic Signature

In practice, a basic electronic signature can be any kind of signature made in an electronic environment where the signatory has manifested their intent (e.g., by clicking a button or checking a box) to become bound by the contents of the document thus signed.

Advanced Electronic Signature

According to eIDAS, “An advanced electronic signature shall meet the following requirements:

  1. it is uniquely linked to the signatory;
  2. it is capable of identifying the signatory;
  3. it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
  4. it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable”.

In practice, these elements of unique identity, sole control and integrity of the signed document can be achieved through different means regardless of what technology is used. It should be noted that identification for signing purposes may or may not be “electronic” to reach the advanced electronic signature level. A recognized eID assures secure authentication of the signatory’s identity in the online environment.

Qualified Electronic Signature

According to eIDAS, “‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures”.

In practice, the use of Qualified Electronic Signatures invokes an extra layer of assurance (or trust) that results in a special legal effect that shall be recognized by the courts in the EU.

A legal framework for electronic signatures

The basic legal principles that support the use of electronic signatures are not defined by eIDAS. Rather, they are found in contract law, where an offer to enter into an agreement followed by the acceptance thereof constitutes a binding agreement. Thus, in the absence of legal requirements specifying the form of a contract, level of signature or method of authentication, a contract can be entered into by any means, including on paper, orally, or with a basic electronic signature.

The eIDAS regulation is a legal framework governing the use of electronic signatures, but it doesn’t mandate their use per se, nor does it have any impact on contract law. The regulation states:

This Regulation does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form.

In fact, a basic electronic signature is sufficient and indeed legally valid for the vast majority of private transactions, B2B, B2C, and between private persons. To dispel any doubts in this respect, eIDAS explicitly states this fundamental principle:

“An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.”

Note that in some cases, national laws may require more than a basic electronic signature, e.g., when specific KYC (know your customer) requirements apply. Or, although it is not a legal requirement for a valid signature, a party might want to authenticate the counterpart with a certain level of security when the transaction entails a high business risk.

SCRIVE'S SOLUTION

Scrive’s electronic signature solution

eIDAS recognizes that putting your name to a simple email may qualify as an electronic signature. This could even be useful and sufficient as evidence in court, but email is primarily a communication tool, not a qualitative solution for electronic signatures.

A good quality basic electronic signature solution, such as Scrive offers, provides at least:

  • evidence of the intent to sign
  • identity information including IP address, email address and audit trail (transaction log)
  • association of the signature with the document
  • integrity protection of the document

In fact, Scrive’s solution exceeds these basic criteria: our advanced evidence package ensures that documents you sign with Scrive, even on the basic electronic signature level, incorporate all available evidence from the signature process. Furthermore, each document is an integrity-protected evidence container that is virtually independent from Scrive, i.e., you don’t need to rely on Scrive and our records to have access to the evidence. All the evidence is in the digitally-sealed document.

In other words, Scrive’s solution conforms to and far exceeds eIDAS requirements for basic electronic signatures.

SCRIVE'S SOLUTION

Scrive’s Advanced Electronic Signatures

Scrive integrates local versions of eID means in our e-sign service as a means to securely authenticate a signatory’s identity upon signing. This satisfies the first three eIDAS requirements for an advanced electronic signature, namely that it is “uniquely linked to the signatory; capable of identifying the signatory; (and) created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control”.

To protect document integrity, Scrive, in partnership with our supplier Guardtime, applies a digital signature (meaning “sealing”, not a signature in the legal sense) using Keyless Signature Infrastructure (KSI) technology. This fulfils the last of the four eIDAS requirements for an advanced electronic signature, namely that “it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable”.

Since eIDAS is technology-neutral, there can be multiple methods to satisfy the requirements for an advanced electronic signature. You may be familiar with PAdES (PDF Advanced Electronic Signature), a well-known eIDAS-compliant standard. Scrive does not offer PAdES, as KSI digital signature technology is even more secure and durable.

SCRIVE'S SOLUTION

Scrive’s Qualified Electronic Signature

Scrive currently offers QES services in partnership with Swisscom, a qualified trust service provider (QTSP) recognised by the EU, as well as Verimi, recognised by the EU as a trust service provider, ensuring our customers are able to choose the type of e-signature that fits their needs.  To get more information, please contact us and read more about our QES solution.

GET STARTED WITH ELECTRONIC SIGNATURES!

Try it out or learn more

Sign up for a free Scrive eSign account or contact sales.

Contact Sales Free Trial