In European countries, electronic and digital signatures are used for the exchange of electronic documents. What are the differences, what are the conditions for their application? This article outlines:
The EU law on electronic signatures
The three types of electronic signature recognised by EU law and their characteristics.
Electronic signature in Europe, the Law
In Europe, legislative work with electronic signatures has been carried out for a long time. In 2011, the European Commission presented the Single Market Act. It set out 12 strategic initiatives designed to boost growth and strengthen the economy of Europe. They also included an overhauled Directive on Electronic Signatures (the Directive on Electronic Signatures (1999/93/EC)). This Directive gave the participating countries free rein to apply the provisions, but this only resulted in fragmented and inconsistent laws that failed to achieve the cross-border application of electronic signatures. Moreover, the Directive did not keep up with the development of technology at the time of its drafting; there were no mobile and cloud-based signature tools that changed our understanding of electronic document management.
The law* regulating Electronic Identification and Trust Services came into force on 1 July 2016. *(The EU Regulation on Electronic Identification and Trust Services in the Internal Market (910/2014/EU), hereafter referred to as the Regulation, or eIDAS in short)
At the moment, this is the main regulatory document regulating the use of electronic signatures and their verification. It also covers some other trust services, including electronic seals and timestamps in the European domestic market. The aim is to help businesses, consumers, and public sector bodies to carry out convenient and secure electronic transactions across the EU. The Regulation involves not only the electronic signature but also other trust services:
electronic stamps (similar to electronic signatures, but used by legal entities);
timestamps;
rules for conducting transactions and authentication.
Besides, in many countries, previously created acts concerning electronic signatures retain their influence. When deciding to interact in the legislative field with the Europeans, it will always be necessary to specify which electronic signature will be valid for a particular document. For example, in Germany, where the law requires a contract to be in the written form, Article 126 of the German Civil Code provides that this requirement can be fulfilled electronically, but only a qualified electronic signature. And in the UK, there is no such requirement for contracts, and in general, the QES is less used when conducting business.
Nevertheless, the Regulation applies equally all over the European Union. It ensures relative cross-border compatibility simplifying international transactions conduct and the conclusion of various types of contracts in the domestic market of Europe.
Therefore, the use of a particular type of signature in industries will differ depending on the country. The Regulation provides information in the field of categorization of electronic signatures.
Types of signatures according to eIDAS.
The Regulation defines three types of electronic signature: electronic, advanced and qualified. Let's take a closer look at each of the signature types.
Electronic signature
'Any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.'(Article 3(10), the Regulation) Standard electronic signature means 'any data in electronic form attached to or logically associated with other data in the electronic form used by the signatory.' In other words, this type of signature is the electronic equivalent of a handwritten signature. This signature can range from a printed name in an email to confirmation of consent by providing your biometric data.
An electronic signature platform typically allows the signatory to write his signature directly on the document (with a stylus or mouse). Also, one can select a computer-generated signature from a variety of fonts and styles.
These types of signatures usually do not involve any independent third party to verify the signatory's identity. At the same time, they meet the requirements for an electronic signature of the eIDAS regulation.
Possible applications of standard electronic signatures include standard forms of hospitals, schools, insurance companies, some bank forms, documents submitted to the public sector, contracts for the provision of services to small businesses, contracts with freelancers and consultants.
Advanced electronic signature
An advanced electronic signature is a more sophisticated and secure form of signature. It is a digital signature created with public key cryptography (PKI) and inserted into the code of an electronic document. The legal requirements for an AES are laid out in Article 26 of the Regulation (see box 'Requirements for an advanced electronic signature').
The Regulation itself is technology-neutral and does not prescribe how these requirements should be met. However, even before the repeal of the Directive, a working paper of the Forum of European Supervisory Authorities for Trust Service Providers (FESA) prescribed that the advanced electronic signature is the result of PKI technology.
The trust provider issues and signs a digital certificate that confirms the signatory's identity and contains its public key. A digital certificate is associated with an electronic document as a result of signing with a digital signature.
The recipient of the document may be sure that the signer is the one who was supposed to sign the file, and he uses the public key of the signer to verify the digital signature.
Requirements for an advanced electronic signature
Article 26 of the Regulation on Electronic Identification and Trust Services in the Internal Market (910/2014/EU) states that an advanced electronic signature must be:
• Uniquely linked to the signatory.
• Capable of identifying the signatory.
• Created using electronic signature creation data (that is, a private encryption key) that the signatory can, with a high level of confidence, use under his sole control.
• Linked to the signed data in such a way that any subsequent change in the data is detectable.
Qualified electronic signature
The third type is the qualified electronic signature. It is also a digital signature created by a qualified electronic signature creation device. It provides the highest level of admissibility in the EU courts and has the equivalent legal effect of a handwritten signature (Article 25(2), the Regulation).
In addition to meeting the requirements for the AES, the European QES must be supported by a qualified certificate issued by a qualified trust service provider (QTSP), whose credentials have been recorded in a trusted list published by a member state (Article 22, eIDAS Regulation). This list includes information related to a qualified trust service provider supervised by the EU member state. It also contains a scope of the trusted services it provides. The qualified trust service provider will only be qualified if it appears on a trusted list.
An interactive mapshowing the current status of the trusted list of qualified trusted service providers in Europe.
the "Signature Generation & Sealing Service" (SigS) - signature and seal generation services, the " Validation Service "(ValS) - verification services, the " Preservation Service "(PresS) - storage services, the " Electronic Delivery Service "(EDS) - electronic delivery services, the " Time Stamp Authority” (TSA) - centres authorized to issue timestamps, the ”Certification Authority " (CA) - the certification authority.