Qualified Electronic Signature (QES)

Qualified Electronic Signature (QES) is the highest level of electronic signature as defined by the eIDAS regulation, which defines the framework for electronic signatures and eIDs within the European Union. Scrive currently offers QES services in partnership with Swisscom, a qualified trust service provider (QTSP) recognised by the EU, and Verimi, ensuring our customers are able to choose the type of e-signature that fits their needs.

What is QES?

From a technical perspective, according to eIDAS, “‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures”.

From a legal perspective, QES has the equivalent legal effect of a handwritten signature, i.e. a “special legal effect”. QES offers a high level of assurance that the named signatory is in fact the person who signed the document. What this means in practice:

If the validity of a Qualified Electronic Signature is legally challenged, the court may presume that the signature is valid and that the signatory has been identified. Thus, the initial burden of proof rests on the challenger (who repudiates their signature) to show that the document was not signed by the named signatory. By contrast, in the case of a document/agreement signed using a (simple) Electronic Signature (ES) or an Advanced Electronic Signature (AES), the burden of proof may be reversed: the party defending the validity of the signature needs to demonstrate that the named signatory did sign it.

In effect, the special legal effect that QES enjoys offers some benefits to the party relying on the signature, mainly that the threshold for repudiation by the signatory can be perceived as higher than if an ES/AES was used. Nevertheless, a court must still weigh the evidence at hand, and in a case of identity fraud, for example, even a QES can be deemed invalid – just as a contested ES/AES may still be deemed valid even though the initial presumption of validity didn’t apply. The quality of evidence related to the signature process is of course important in this context, not least when ES/AES is used.

When do you need QES?

The use cases where QES is required are currently few and generally subject to national laws. In Germany, for example, fixed-term employment agreements, annual reports and B2B real estate rental agreements are among the types of agreements that require QES.

If you are unsure as to what documents/agreements your business may need to sign with QES, reach out to our team, and we’ll help guide you to the right solution for you.

What is the difference between Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES)?

To understand the difference between these two levels of electronic signature, as defined by eIDAS, it helps to start with the difference between an AES and a basic electronic signature. An AES has four requirements that set it apart from a basic ES: two concern the identity of the signatory, one concerns the sole control of the signatory, and the last concerns integrity protection.

According to the eIDAS regulation, an AES must be “uniquely linked to the signatory” and be “capable of identifying the signatory”. While eIDAS is technology neutral, the identity proofing and sole control criteria required for an AES are typically met with an eID means like Swedish BankID, iDIN (Netherlands) or MitID (Denmark). To learn more about eIDAS and electronic identity schemes in the EU, refer to the Scrive Trust Centre article Standardising Digital Identity in the EU.

In eIDAS, the requirements of each level are built on the requirements of the level below it. Thus, a QES is an AES which is additionally: (i) created by a qualified signature creation device (QSCD), and (ii) based on a qualified certificate for electronic signatures. These technical requirements are typically the responsibility of the e-signature service provider and their partners, not the parties signing the document.

Simply put, these requirements mean that the technical solution used to sign with QES needs to be certified/approved. This implies that the methods of identification, sole control and integrity protection used are also approved. However, not all such methods that are available for the AES level fulfil those criteria. In effect, the options for QES are more limited, and their feasibility, user friendliness etc. may also be affected by the stricter requirements. This may make AES, or even ES, a more attractive alternative for your business and your counterparts – provided this is sufficient to comply with your regulatory requirements and to manage your business risk.

General disclaimer: Scrive does not provide legal advisory services. The purpose of this information is only to give general information based on Scrive’s research and current understanding and knowledge of applicable regulations. The reader may use the information provided solely on their own responsibility and at their own risk. For legal advice, please refer to qualified legal expertise within your own jurisdiction and business area.

About Swisscom

As the leading provider of communication, IT and entertainment in Switzerland, Swisscom is uniquely positioned to offer their identification and signing capabilities to help businesses achieve a qualified electronic signature. With their history of technical innovation and sustainability, they’ve proven to be the perfect partner for Scrive to guide customers through the complexities of digital transformation and the regulations therein.

About Verimi

Verimi are hard at work developing the future of digital identity management. Being at the forefront of the ever-evolving digital identity landscape, with partners such as Allianz, Deutsche Bank, Deutsche Telekom, Samsung and Volkswagen, Verimi are poised to play a major role in shaping the use of eIDs for years to come.

About itsme

itsme® (also known as Belgian Mobile ID) is a smartphone-based eID that provides a secure and convenient way to identify yourself, share your ID data, log in to apps and websites and sign documents. itsme® is ISO27001 certified and conforms with Belgian laws and EU laws regarding digital identity, e-signatures and data sharing, including eIDAS and GDPR. Data is always encrypted when stored or communicated with itsme® partners.

About SmartID

Smart-ID is the most popular mobile authentication solution across the Baltics, with over 3 million users in Estonia, Latvia and Lithuania. Smart-ID is recognised as a Qualified Signature Creation Device (QSCD) according to the eIDAS Regulation. This means that Smart-ID users can electronically sign documents with a signature on the Qualified level, the highest level according to eIDAS. A Qualified Electronic Signature is the legal equivalent of a handwritten signature and is valid throughout the EU.