What is the difference between Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES)?
To understand the difference between these two levels of electronic signature, as defined by eIDAS, it helps to start by showing the difference between an AES and a basic electronic signature (ES). An AES has four requirements that set it apart from a basic ES: two concern the identity of the signatory, one concerns the signatory's sole control, and the last concerns integrity protection.
According to the eIDAS regulation, an AES must be “uniquely linked to the signatory” and be “capable of identifying the signatory”. While eIDAS is technology neutral, the identity proofing and sole control criteria required for an AES are typically met with an eID means such as Swedish BankID, iDIN (Netherlands) or NemID/MitID (Denmark). To learn more about eIDAS and electronic identity schemes in the EU, refer to the Scrive Trust Centre article Standardising Digital Identity in the EU.
In eIDAS, the requirements of each level build on the requirements of the level below it. Thus, a QES is an AES which is additionally: (i) created by a qualified signature creation device (QSCD), and (ii) based on a qualified certificate for electronic signatures. These technical requirements are typically the responsibility of the e-signature service provider and their partners, not the parties signing the document.
Simply put, these requirements mean that the technical solution used to sign with QES needs to be certified/approved. This implies that the methods of identification, sole control and integrity protection used are also approved. However, not all of the methods available at the AES level fulfil those criteria. In effect, the options for QES are more limited, and their feasibility, user-friendliness, etc. may also be affected by the stricter requirements. This may make AES, or even ES, a more attractive alternative for your business and your counterparts – provided this is sufficient to comply with your regulatory requirements and to manage your business risk.
General disclaimer: Scrive does not provide legal advisory services. The purpose of this information is only to give general information based on Scrive’s research and current understanding and knowledge of applicable regulations. The reader may use the information provided solely on their own responsibility and risk. For legal advice, please refer to qualified legal expertise within your own jurisdiction and business area.