Three levels of electronic signature
eIDAS framework for e-signing in the EU
Three levels of electronic signature
The eIDAS Regulation defines three types of electronic signatures: (Basic) Electronic Signature, Advanced Electronic Signature and Qualified Electronic Signature.
According to eIDAS, “electronic signature” is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
Basic Electronic Signature
In practice, a basic electronic signature can be any kind of signature made in an electronic environment where the signatory has manifested their intent (e.g., by clicking a button or checking a box) to become bound by the contents of the document thus signed.
Advanced Electronic Signature
According to eIDAS, “An advanced electronic signature shall meet the following requirements:
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable”.
In practice, these elements of unique identity, sole control and integrity of the signed document can be achieved through different means regardless of what technology is used. It should be noted that identification for signing purposes may or may not be “electronic” to reach the advanced electronic signature level. A recognized eID assures secure authentication of the signatory’s identity in the online environment. In practice, the use of Qualified Electronic Signatures invokes an extra layer of assurance (or trust) that results in a special legal effect that shall be recognized by the courts in the EU.
Qualified Electronic Signature
According to eIDAS, “‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures”.
A legal framework for electronic signatures
The basic legal principles that support the use of electronic signatures are not defined by eIDAS. Rather, they are found in contract law, where an offer to enter into an agreement followed by the acceptance thereof constitutes a binding agreement. Thus, in the absence of legal requirements specifying the form of a contract, level of signature or method of authentication, a contract can be entered into by any means, including on paper, orally, or with a basic electronic signature.
The eIDAS regulation is a legal framework governing the use of electronic signatures, but it doesn’t mandate their use per se, nor does it have any impact on contract law. The regulation states:
This Regulation does not affect national or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to form.
In fact, a basic electronic signature is sufficient and indeed legally valid for the vast majority of private transactions, B2B, B2C, and between private persons. To dispel any doubts in this respect, eIDAS explicitly states this fundamental principle:
“An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.”
Note that in some cases, national laws may require more than a basic electronic signature, e.g., when specific KYC (know your customer) requirements apply. Or, although it is not a legal requirement for a valid signature, a party might want to authenticate the counterpart with a certain level of security when the transaction entails a high business risk.
Scrive’s electronic signature solution
eIDAS recognizes that putting your name to a simple email may qualify as an electronic signature. This could even be useful and sufficient as evidence in court, but email is primarily a communication tool, not a qualitative solution for electronic signatures.
A good quality basic electronic signature solution, such as Scrive offers, provides at least:
- evidence of the intent to sign
- identity information including IP address, email address and audit trail (transaction log)
- association of the signature with the document
- integrity protection of the document
In fact, Scrive’s solution exceeds these basic criteria: our advanced evidence package ensures that documents you sign with Scrive, even on the basic electronic signature level, incorporate all available evidence from the signature process. Furthermore, each document is an integrity-protected evidence container that is virtually independent from Scrive, i.e., you don’t need to rely on Scrive and our records to have access to the evidence. All the evidence is in the digitally-sealed document.
In other words, Scrive’s solution conforms to and far exceeds eIDAS requirements for basic electronic signatures.
Scrive’s Advanced Electronic Signatures
Scrive integrates local versions of eID means in our e-sign service as a means to securely authenticate a signatory’s identity upon signing. This satisfies the first three eIDAS requirements for an advanced electronic signature, namely that it is “uniquely linked to the signatory; capable of identifying the signatory; (and) created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control”.
To protect document integrity, Scrive, in partnership with our supplier Guardtime, applies a digital signature (meaning “sealing”, not a signature in the legal sense) using Keyless Signature Infrastructure (KSI) technology. This fulfils the last of the four eIDAS requirements for an advanced electronic signature, namely that “it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable”.
Since eIDAS is technology-neutral, there can be multiple methods to satisfy the requirements for an advanced electronic signature. Scrive offers solutions for both KSI based advanced electronic signatures, as well as advanced electronic signatures compliant with the PAdES standard (PDF Advanced Electronic Signature).
Scrive’s Qualified Electronic Signature
Scrive offers QES services in partnership with various qualified trust service providers (QTSP) recognised by the EU, ensuring our customers are able to choose the type of e-signature that fits their needs. To get more information, please contact us and read more about our QES solution.