On 1 July 2016 Regulation (EU) No. 910/2014, known as the eIDAS Regulation, entered into force establishing a common legal framework for electronic signatures in the European Union. In this post we review the bases of this new eIDAS Regulation, as well as the new developments regarding the definition and classification of electronic signatures.
In addition, in this post we also review the most relevant aspects that eIDAS regulates. These include the legal effects of electronic signatures, electronic seals and certified electronic delivery services.
This post is also available in Spanish.
The history of electronic signatures in the EU: Directive 1999/93/EC
Directive 1999/93/EC was the first law regulating electronic signature services in the European Union. This law recognized electronic signatures as legally valid, equivalent to handwritten ones and admissible as electronic evidence in court.
But the basic flaw of this first directive was that each EU state interpreted the ruling differently, thus complicating the process of validating and recognizing signatures made between EU countries and their respective judicial systems.
This in itself went against the very purpose of the electronic signature, which is to speed up legal processes, not to slow them down or impede them altogether. A subsequent issue concerned electronic user identification, as each EU Member State had its own distinct system, leading to clashes between the various mechanisms established.
Thus, as was the case with many other rules governing the digital world (such as data protection laws or e-commerce laws), Directive 1999/93/EC became obsolete, prompting the issuing of a new regulation that came into force on July 1st 2016: Regulation (EU) No. 910/2014, also known as the eIDAS Regulation. This regulates online identification processes and establishes guidelines for trust services regarding online transactions that are common to all EU Member States.
What is the basis of the new eIDAS Regulation?
The eIDAS Regulation defines a new legal framework in the following areas: electronic signatures, timestamping seals, electronic documents and services such as registered electronic delivery or mail certificates, as well as certificates for authentication purposes.
This new eIDAS Regulation is not a directive and is therefore directly applicable in every EU Member State, without needing transposition. It extends the provisions of the 1999 Directive that regulated the establishment of a common basis for secure electronic interactions between citizens, businesses and EU authorities, all with the idea of increasing the effectiveness of public and private online services, enhancing e-commerce endeavors and fostering trust in this particular type of transaction.
All in all, its main aim is to develop identification systems for citizens and valid electronic signatures to eliminate barriers between EU Member States and allow smoother business transactions, lower operating costs and greater overall efficiency.
The new ruling has been developed with both individuals and corporations in mind, allowing electronic identification documents (eIDs) to be used in any EU country and facilitating access to different countries’ e-gov services.
A unified electronic identification mechanism is also going to make the provision of cross-border healthcare a reality for Europeans, as well as vastly improving the efficiency of administrative procedures between companies, individuals and governments from differing EU states.
How has the eIDAS Regulation affected electronic signatures?
Given the objective of the previous Directive 1999/93/EC “to facilitate the use of electronic signatures and to contribute to their legal recognition” (Article 1), electronic signatures had already been defined by the Directive in the following 3 ways:
- Electronic signatures, defined as “data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication;”
- Advanced electronic signatures, which fulfil the following criteria:
  - are uniquely linked to the signatory;
  - are capable of identifying the signatory;
  - are created using means that the signatory can maintain under his sole control; and
  - are linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
- Advanced electronic signatures based on a qualified certificate. This type of eSignature was referred to in Directive 1999/93/EC despite not being explicitly defined. (See the definitions of “certificate” and “qualified certificate” in Article 2 as well as in Annexes 1 and 2 for more information.)
This classification of electronic signatures and the associated legal implications have been reiterated in the eIDAS Regulation.
What has changed, however, is the wording. What was once referred to in the Directive as an advanced electronic signature solution based on a qualified certificate is now called a qualified electronic signature, which is the same but defined in the following way: “an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.”
Aside from this, the overriding change that has occurred due to the new eIDAS Regulation is that the qualified electronic signature is now recognized in all EU Member States, irrespective of the member state in which the signature was made.
eIDAS: legal effects of electronic signatures
Advantages of the advanced electronic signature
The advanced electronic signature is extremely convenient for companies. Firstly, the level of security offered is virtually identical to that of the qualified signature, and it also allows each signer to be uniquely identified. And secondly, it is easier to use because it does not require the signer to be physically present.
The main advantages of the advanced electronic signatures compared with the simple and qualified eSignatures are:
The 8 most important aspects of the eIDAS Regulation
Below are listed the aspects of the new eIDAS Regulation that we consider to be the most important to point out:
1. Mutual recognition systems of key enablers across borders (Article 6)
This article establishes that, when using the online services of a public sector body from an EU Member State, an electronic authentication process that adheres to the relevant country’s laws and administrative practices is necessary, and that the said means of identification will be recognized by any other EU Member State if the following requisites are met:
2. Cross-border use of electronic identification (Article 12)
This article stipulates that each Member State’s electronic identification process adhering to the rules set out in Article 9 will be considered interoperable, meaning that:
Minimum technical requirements for interoperability should be established, as well as common operational standards and a minimum set of personal identification data uniquely representing a natural or legal person available from electronic identification schemes. These measures will have the intention of guaranteeing that interoperability is carried out in a compliant manner.
3. Change in the provision of providers and that all necessary requirements are met
Providers of certification services are now simply known as "trust service providers", thus expanding the concept to include other services such as electronic signatures, certification, electronic seals and timestamps, to name but a few.
In Article 12, trust service providers are also asked to meet the following requirements, regardless of whether they are qualified or not:
In addition, qualified trust service providers shall be audited at their own expense at least every 24 months by a conformity assessment body.
4. Electronic signatures: legal effects and requirements (Article 25)
Article 25 stipulates that an electronic signature shall not be denied legal effect and admissibility in any EU Member State as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. A qualified electronic signature shall therefore have the equivalent legal effect of a handwritten signature. In addition, a qualified electronic signature based on a qualified certificate issued in one Member State shall be recognized as a qualified electronic signature in all other Member States.
The Articles that follow set out the requirements for advanced electronic signatures in greater detail, as well as listing: the features of electronic signatures for public services; qualified certificates for electronic signatures; and also the standards that should be met for devices used for the creation of the said electronic signatures or the validation of qualified electronic signatures.
8. EU trust mark for qualified trust services (Article 23)
The legislator's intention is to allow trust services and transactions between EU Member States. Therefore, Article 23 recognizes the possibility for qualified providers to acquire an EU trust mark. This trust mark will be needed to indicate that the trust services they offer appear on the list in Article 22. All these are published in compliance with the provisions of Article 23.1, since July 1st, 2016.
To summarize, the new eIDAS Regulation is a significant step forward, not only in terms of regulating the requirements that an electronic signature and new concepts or services such as timestamps, recorded delivery certificates, authentication websites, etc. should meet, but also in establishing guidelines for each of these mechanisms that streamline the transactions between the countries of the European Union, thereby reinforcing the existence of the Digital Single Market.
This post has been written by the data protection legal experts at Avatic Abogados.