eIDAS: a new era for eSignatures in Europe

Posted by media on September 12, 2017 at 9:00 AM

eIDAS_Regulation_by_Signaturit.jpg

On 1 July 2016 Regulation (EU) No. 910/2014, known as the eIDAS Regulation, entered into force establishing a common legal framework for electronic signatures in the European Union. In this post we review the bases of this new eIDAS Regulation, as well as the new developments regarding the definition and classification of electronic signatures.

In addition, in this post we also review the most relevant aspects that the eIDAS regulates. These include the legal effects of electronic signatures, electronic seals and certified electronic delivery services.

This post is also available in Spanish.

The History of electronic signatures in the EU: Directive 1999/93/CE

Directive 1999/93/EC was the first law regulating electronic signature services in the European Union. This law recognized electronic signatures as legally valid, equivalent to handwritten ones and admissible as electronic evidences in court.

But the base flaw of this first directive was that each EU state interpreted the ruling differently, thus complicating the process of validating and recognizing signatures made between EU countries and their respective judicial systems.

This in itself went against the very purpose of the electronic signature to speed up legal processes, and not slow them down or impede them altogether. One subsequently issue was with respect to electronic user identification, as each EU Member State had its own distinct system, leading to clashes between the various mechanisms established.

Thus, as was the case with many other rules governing the digital world (such as data protection laws or e-commerce laws) Directive 1999/93/EC became obsolete, prompting the issuing of a new regulation that came into force on July 1st 2016:  Regulation (UE) Nº 910 / 2014, also know as eIDAS Regulation. This regulates online identification processes and establishes guidelines for trust services regarding online transactions that are common to all EU Member States.

 

What is the basis of the new eIDAS Regulation?

The eIDAS Regulation defines a new legal framework in the following areas: electronic signatures, timestamping seals, electronic documents and services such as registered electronic delivery or mail certificates, as well as certificates for authentication purposes.

This new eIDAS Regulation is not a directive and therefore it is directly applied in every EU Member State, without needing transposition. It extends the provisions of the 1999 Directive that regulated the establishment of a common basis for secure electronic interactions between citizens, businesses and EU authorities, all with the idea of increasing the effectiveness of public and private online services, enhancing e-commerce endeavors and fostering trust in this particular type of transactions.

All in all, its main aim is to develop identification systems for citizens and valid electronic signatures to eliminate barriers between EU Member States and allow smoother business transactions, lower operating costs and greater overall efficiency.

The new ruling has been developed with both individuals and corporations in mind, allowing electronic identification documents (eIDs) to be used in any EU country and facilitating access to different countries’ e-gov services.

A unified electronic identification mechanism is also going to make the provision of cross-border healthcare a reality for Europeans, as well as vastly improving the efficiency of administrative procedures between companies, individuals and governments from differing EU states.

 

eSignatures-in-EU

 

How has the eIDAS Regulation affected electronic signatures?

Given the objective of the previous Directive 1999/93/ECto facilitate the use of electronic signatures and to contribute to their legal recognition” (Article 1), the electronic signatures had already been defined by the Directive in the following 3 ways:

  1. Electronic signatures defined as “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;”)

  2. Advanced electronic signatures which fulfil the following criteria:
    • are uniquely linked to the signatory;
    • are capable of identifying the signatory;
    • are created using means that the signatory can maintain under his sole control; and
    • are linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
  3. Advanced electronic signatures based on a qualified certificates. This type of eSignatures were referred to in Directive 1999/93/CE despite not being explicitly defined. (See definitions of “certificate” and “qualified certificate” in Article 2 as well as in Annexes 1 and 2 for more information).

This classification of electronic signatures and the associated legal implications have been reiterated in the eIDAS regulation.

What has changed, however, is the wording. What was once referred to in the Directive as an advanced electronic signature solution based on a qualified certificate,  is now named qualified electronic signature, which is the same but defined in the following way: “an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.

Aside from this, the overriding change that has occurred due to the new eIDAS Regulation is that the qualified electronic signature is now recognized in all EU Member States, irrespective of the member state in which the signature was made.

>> Related post: What types of eSignatures are defined by the Regulation (EU) No 910/2014?

eIDAS: legal effects of electronic signatures
Article 25

  1. An electronic signature shall not be denied legal effect and admissibility as evidence in court solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

  2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.

  3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.

Signaturit-eSignatures-EU

Advantages of the advanced electronic signature

The advanced electronic signature is extremely convenient for companies. Firstly, the level of security offered is virtually identical to that of the qualified signature, and it also allows each signer to be uniquely identified. And secondly, it is easier to use because it does not require the signer to be physically present.

The main advantages of the advanced electronic signatures compared with the simple and qualified eSignatures are:

  • Unlike the simple electronic signature, the advanced electronic signature offers legal certainty, since the latter can identify the signer while the simple one cannot.
    For example, a simple electronic signature is the equivalent of a checkbox or a PIN code. In these two cases, there is no means of guaranteeing the identity of the the person who checked the box or entered the PIN code.

  • Unlike the qualified electronic signature, the advanced electronic signature does not have to be made using a qualified device, as stipulated in Annex II of Regulation (EU) No. 910/2014.

    Therefore, the advanced electronic signature is much easier to use, since it does not require any specific device, nor in-person verification prior to making the signature.
>> Related post: Are eSignatures legal in Europe?

What do you need to do in Spain to sign with your eID?

The electronic signature that you can make with your eID is a qualified electronic signature.

To use it, you need to have the following.

  • A personal computer, in which you must install some cryptographic modules which are necessary to read your ID.
      • If you are using Windows, you must install a service called "Cryptographic Service Provider" (CSP).
      • If you use MAC, Linux or UNIX, you can sign with your DNI thanks to a cryptographic module called PKCS # 11.

  • A smart card reader, which can be internal or external.
    • An internal smart card reader comes integrated with your keyboard.
    • External smart card readers can be connected to your computer either via USB or through a PCMCIA card.

eID-Regulation-eIDAS

 

The 8 most important aspects of the eIDAS Regulation

Below are  listed the aspects of the new eIDAS Regulation that we consider to be the most important to point out:

 

1. Mutual recognition systems of key enablers across borders (Article 6)

This article establishes that, when using the online services of a public sector body from an EU Member State, an electronic authentication process that adheres to the relevant country’s laws and administrative practices is necessary, and that the said means of identification will be recognized by any other EU Member State if the following requisites are met:

  • If the identification process has been issued by a system that has been publicly listed by the European Commission and is in accordance with Article 9 of the eIDAS Regulation;
  • If its security features are equal to or above those required by the public sector body in order to use the aforementioned service, with exceptions in cases where such recognition is permitted with lower levels of security;
  • that the entity in question already has a substantial level of security in place.

 

2. Cross-border use of electronic identification (Article 12)

This article stipulates that each Member State’s electronic identification process adhering to the rules set out in Article 9 will be considered interoperable, meaning that:

  • they will be technology neutral and will not discriminate between different technical solutions for electronic identification within a Member State;
  • they will follow international and European standards, where possible;
  • they will facilitate the implementation of the principle of privacy by design and guarantee that personal data is processed in accordance with Directive 95/46/CE.

Minimum technical requirements for interoperability should be established, as well as common operational standards and a minimum set of personal identification data uniquely representing a natural or legal person available from electronic identification schemes. These measures will have the intention of guaranteeing that interoperability is carried out in a compliant manner.

 

3. Change in the provision of providers and that all necessary requirements are met

Providers of certification services are now simply known as the "trust service providers" thus expanding the concept to include other services such as electronic signatures, certification, electronic seals and timestamps, to name but a few.

In Article 12, trust service providers are also asked to meet the following requirements, regardless of whether they are qualified or not:

  • providers must take the appropriate measures to avoid and minimize the impact of any breach of security and to inform the affected parties of any negative impact of such incidents
  • they must also notify the supervisory body and where applicable, other relevant bodies, such as the competent national body for information security or the data protection authority, i.e. if any breach of security or loss of integrity has occurred and if it implies a significant impact on the trust service provided, or on the personal data maintained therein within 24 hours after having become aware of it.

In addition, qualified trust service providers shall be audited at their own expense at least every 24 months by a conformity assessment body.

>> Related post: What is a trust service provider and how is it defined in the eIDAS?

  4. Electronic signatures: legal effects and requirements (Article 25)

Article 25 stipulates that an electronic signature shall not be denied legal effect and admissibility in any EU Member State as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. A qualified electronic signature shall therefore have the equivalent legal effect of a handwritten signature. In addition, a qualified electronic signature based on a qualified certificate issued in one Member State shall be recognized as a qualified electronic signature in all other Member States.

The Articles that follow set out the requirements for advanced electronic signatures in greater detail, as well as listing: the features of electronic signatures for public services; qualified certificates for electronic signatures; and also the standards that should be met for devices used for the creation of the said electronic signatures or the validation of qualified electronic signatures.


Requirements for advanced electronic signatures

An advanced electronic signature shall meet the following requirements:

  • it is uniquely linked to the signatory;
  • it is capable of identifying the signatory;
  • it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
  • it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.

 

5. Legal effects of electronic seals (Articles 35 – 40)

In these Articles, the legal existence of both standard and advanced electronic seals is regulated, as well as the qualified certificate for electronic seals, and each of their requirements.

As with the electronic signature, it is stipulated that legal effect and admissibility will not be denied as proof in legal proceedings solely on the grounds that it is in electronic form or that it does not meet the requirements for qualified electronic seals. However, the qualified electronic seals shall enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound. The validation and preservation of qualified electronic seals between Member States is also established.

>> Related post: The Time Stamp Authority, a seal to provide greater security to electronic signatures.

 
6. Legal effect of an electronic registered delivery service (Articles 43 – 44)

“Data sent and received using an electronic registered delivery service shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic registered delivery service”.

Furthermore, qualified delivery services enjoy the presumption of data integrity, since there will be an identified sender, receipt by the recipient and a record of the date and time of sending and receiving data indicating the qualified service of electronic registered delivery certificate.

The aforementioned service shall meet the following requirements:

  • it should be provided by one or more qualified trust service provider(s);
  • it should ensure with a high level of confidence the identification of the sender;
  • it should ensure the identification of the addressee before the delivery of the data;
  • the sending and receiving of data should be secured by an advanced electronic signature
  • it should clearly identify the sender and addressee of the data;
  • it should include the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.

 

7. Website authentication services (Article 45 and Annex IV)

Article 45 refers directly to the provisions of Annex IV of the eIDAS Regulation which list the standards to be met by qualified authentication websites, among which are the following:

  • an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for website authentication;
  • a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least the Member State in which that provider is established and: for a natural person, the person’s name
  • elements of the address, including at least city and State, of the natural or legal person to whom the certificate is issued and, where applicable, as stated in the official records;
  • details of the beginning and end of the certificate’s period of validity;
  • the certificate identity code, which must be unique for the qualified trust service provider;
  • the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (h) of this article is available free of charge;
  • the location of the certificate validity status services that can be used to enquire as to the validity status of the qualified certificate.

8. EU trust mark for qualified trust services (Article 23)

The legislator  intention is to allow trust services and transactions between EU Member States. Therefore, in  Article 23 the possibility to acquire an EU trust mark for qualified providers is recognized. This trust mark will be needed to indicate the trust services they offer appear on  the list in Article 22. All these are published in compliance with the provisions of Article 23.1, since July 1st, 2016.

To summarize, the new eIDAS Regulation is a significant step forward, not only in terms of regulating the requirements that an electronic signature and new concepts or services such as timestamps, recorded delivery certificates, authentication websites, etc. should meet, but that in establishing guidelines for each of these mechanisms that streamline the transactions between the countries of the European Union, thereby reinforcing the existence of the Digital Single Market.

This post is also available in Spanish.

download-whitepaper-eSignatures-legality

This post has been written by the data protection legal experts at Avatic Abogados.

@AvaticAbogados

 

Topics: Electronic Signature

Blog Subscription

Recent Posts

Posts by Topic

see all