Three levels of electronic signature
eIDAS framework for e-signing in the EU
The eIDAS Regulation defines three types of electronic signatures: (Basic or Simple) Electronic Signature (ES), Advanced Electronic Signature (AdES) and Qualified Electronic Signature (QES).
According to eIDAS, “electronic signature” is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
Each level of e-signature builds on the previous level, where the basic requirement is that the electronic signature should capture the signatory’s intent to be bound by the agreement. The enhanced security measures and legal safeguards applicable to the AdES and QES levels are based on two further principles underpinning contract law: identity and integrity.
- Identity refers to the technical methods used to determine that the named signatory is in fact the person who signed the document.
- Integrity refers to the technical methods used to determine that the document has not been tampered with or altered in any way since it was signed.
QES, which has the highest security standards and legal recognition, is considered to have the same legal standing as a handwritten signature on paper.
A legal framework for electronic signatures
The basic legal principles that support the use of electronic signatures are not defined by eIDAS. Rather, they are found in contract law, where an offer to enter into an agreement followed by the acceptance thereof constitutes a binding agreement. Thus, in the absence of legal requirements specifying the form of a contract, level of signature or method of authentication, a contract can be entered into by any means, including on paper, orally, or with a basic electronic signature.
The eIDAS regulation is a legal framework governing the use of electronic signatures, but it doesn’t mandate their use per se, nor does it have any impact on contract law. The regulation states:
“This Regulation does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form”
In fact, a basic electronic signature is sufficient and indeed legally valid for the vast majority of private transactions, B2B, B2C, and between private persons. To dispel any doubts in this respect, eIDAS explicitly states this fundamental principle:
“An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.”
Note that in some cases, national laws may require more than a basic electronic signature, e.g., when specific KYC (know your customer) requirements apply. Or, although it is not a legal requirement for a valid signature, a party might want to authenticate the counterpart with a certain level of security when the transaction entails a high business risk.
The European Digital Identity Regulation (also known as eIDAS 2.0), which came into effect in 2024, builds upon eIDAS. A primary feature of eIDAS 2.0 is that it expands and strengthens the use of digital identities, which has a direct bearing on electronic signatures, including enabling any EU citizen to use QES.
What is the difference between Advanced Electronic Signature (AdES) and Qualified Electronic Signature (QES)?
An AdES has four requirements that set it apart from a basic ES. Two concern the identity of the signatory, one is about the sole control of the signatory, and the last addresses integrity: how to demonstrate that the document has not been tampered with since it was signed.
While eIDAS is technology-neutral, the identity proofing and sole control criteria required for an AdES are typically met with an electronic identification (eID) like Swedish BankID, iDIN (Netherlands) or MitID (Denmark).
In eIDAS, the requirements of each level are built on the requirements of the level below it. Thus, a QES is an AdES which is additionally: (i) created by a qualified signature creation device (QSCD), and (ii) based on a qualified certificate for electronic signatures. These technical requirements are typically the responsibility of the e-signature service provider and their partners, not the parties signing the document.
Simply put, these requirements mean that the technical solution used to sign with QES needs to be certified/approved. This implies that the methods of identification, sole control and integrity protection used are also approved.
General disclaimer: Scrive does not provide legal advisory services. The purpose of this information is only to give general information based on Scrive’s research and current understanding and knowledge of applicable regulations. The reader may use the information provided solely at their own responsibility and risk. For legal advice, please refer to qualified legal expertise within your own jurisdiction and business area.

Scrive’s electronic signature solution
eIDAS recognizes that putting your name to a simple email may qualify as an electronic signature. This could even be useful and sufficient as evidence in court, but email is primarily a communication tool, not a high-quality solution for electronic signatures.
A good quality basic electronic signature solution, such as Scrive offers, provides at least:
- evidence of the intent to sign
- identity information including IP address, email address and audit trail (transaction log)
- association of the signature with the document
- integrity protection of the document
In fact, Scrive’s solution exceeds these basic criteria: our advanced evidence package ensures that documents you sign with Scrive, even on the basic electronic signature level, incorporate all available evidence from the signature process. Furthermore, each document is an integrity-protected evidence container that is virtually independent from Scrive, i.e., you don’t need to rely on Scrive and our records to have access to the evidence. All the evidence is in the digitally-sealed document.
In other words, Scrive’s solution conforms to and far exceeds eIDAS requirements for basic electronic signatures.

Scrive’s Advanced Electronic Signatures
Scrive integrates local versions of eID means in our e-sign service as a means to securely authenticate a signatory’s identity upon signing. This satisfies the first three eIDAS requirements for an advanced electronic signature, namely that it is “uniquely linked to the signatory; capable of identifying the signatory; (and) created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control”.
To protect document integrity, Scrive, in partnership with our supplier Guardtime, applies a digital signature (meaning “sealing”, not a signature in the legal sense) using Keyless Signature Infrastructure (KSI) technology. This fulfils the last of the four eIDAS requirements for an advanced electronic signature, namely that “it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable”.
Since eIDAS is technology-neutral, there can be multiple methods to satisfy the requirements for an advanced electronic signature. Scrive offers solutions for both KSI-based advanced electronic signatures and advanced electronic signatures compliant with the PAdES standard (PDF Advanced Electronic Signature).

Scrive’s Qualified Electronic Signature
According to eIDAS, “‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures”. While these technical requirements may sound complicated (which they are), implementing support for QES in your business typically only requires the integration of Scrive’s eSign service into your system or service.
Scrive QES is a seamless solution that makes it easy and affordable to sign with QES from Scrive’s eSign platform. Signatories can sign in seconds using BankID or other methods that comply with eIDAS standards. Scrive also partners with various qualified trust service providers (QTSP), giving customers the flexibility to choose the solution that best meets their needs.