The European Union has long hedged its bets on the use of electronic signatures. Back in 1999 when the Internet barely had 248 million users*, the EU Parliament had already approved its first directive to establish a common legal framework for eSignatures and encouraged their use among the then 15 member states.
The success of EC Directive 1999/93 could not have prevented that in August 2014 - when Internet users exceeded 3,000 million* and Europe had become a union of 28 countries - the EU Parliament adopted a new regulatory framework for electronic identification and trust services in the internal market - EU Regulation 910/2014 - which came into force on July 1 2016, repealing the previous directive.In this post, we explain the different categories of eSignatures according to the new EU regulation.
This post is also available in Spanish.
Regulation (EU) No 910/2014 of the European Parliament and the Council of 23 July 2014
on electronic identification and trust services for electronic transactions in the internal market.
The goal of the new EU Regulation No 910/2014, known as eIDAS, is to create a climate of trust that makes it possible to strengthen e-commerce and other digital transactions within the EU. In other words, the Regulation aims to remove all barriers between member states by providing standardized identification systems and valid electronic signatures for citizens, that allow operation to take place in greater security and flexibility with lower costs and at greater rates of efficiency.
Unlike the previous Directive, the new Regulation will be enforced in every EU member state, making a transposition of the law unnecessary and eliminating the previous Directive’s error of leaving each member state to interpret the document as they saw fit. It was an unfortunate move that had greatly complicated the process of recognizing the validity of eSignatures in different European countries and judicial systems.
How are simple, advanced and qualified eSignatures defined in the new Regulation (EU) No 910/2014?
The new regulation maintains three types of electronic signatures established in the previous policy, and reiterates that electronic signatures are legally binding and admissible as valid evidence in any court of law.
As stated in Article 25.1: " An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.”
We review briefly how the three types of electronic signatures have been defined in the Regulation (EU) No 910/2014:
- Electronic Signature: “means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”
- Advanced Electronic Signature: “means an electronic signature which meets the requirements set out in Article 26.”
An advanced electronic signature shall meet the following requirements:
a) it is uniquely linked to the signatory;
b) it is capable of identifying the signatory;
c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
- Qualified Electronic Signature: “means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures.” (See table at the end of this post).
In practical terms, how can you tell these three types of signatures apart according to definitions provided by Regulation (EU) No 910/2014?
If someone responds to a signature request by attaching the original printed, signed and scanned document in an email, there is a logical association between the message’s source account (the email address) and the signature, but there is also a wide margin of interpretation and no real evidence as to who the signer really was. Therefore, this digital signature, commonly referred to as the simple eSignature, is the one that has the lowest level of security.
Although the security offered by simple electronic signature is very limited for both the signer and the person requesting the signature, its use has been widespread until the emergence of platforms such as Signaturit, as emailing a scanned documents with a hand-made signature was by far the most affordable way of requesting and acquiring a signature remotely.
This type of electronic signature has a much higher level of security than the simple electronic signature: it ensures that the signer can only have been the individual to whom the signature was requested, while significantly reducing the risk of false impersonation and identity theft.
The advanced electronic signature offered by Signaturit meets each of the following legal requirements:
- It ensures that a signature can only be associated with a single signer by collecting a large amount of digital information at the time of signing and by additionally using a time-stamping authority to ensure maximum integrity.
- To identify the signer, Signaturit’s advanced electronic signature can identify where the signature was made, verify the source address, time and destination of the signature request as well as capture biometric data: speed, velocity and pressure (the latter is available on select devices). In the case of a dispute, any of this information can be made available to prove authenticity.
- The signer is also guaranteed full control over his/her signature by the sheer versatility of our platform, providing a fast, easy and comfortable signing process from literally any mobile device or desktop. You only need to use your finger, a stylus or mouse to digitally sign a document, removing the need to involve any other entity.
- Due to encryption of the document generated during the signing process, any subsequent change in the signature is simply not possible by either signer and recipient, guaranteeing its full integrity.
While this type of electronic signature offers an even higher level of security, its use is hampered by the need for a qualified electronic signature certificate and a qualified electronic signature device, which in turn must meet a number of requirements as set out in the new EU Regulation.
For this reason, qualified electronic signatures are usually limited to official governmental procedures or ones carried out by financial entities or Social Security. Its operational complexity does not make it recommendable for companies and/or individuals seeking signatures from individuals located remotely, especially if the signatories do not have the relevant certificate.
Companies seeking to use electronic signatures to streamline and confer an additional layer of security on all its signing processes must first consider where within their company’s hierarchy it is necessary to use such a tool, that is to say, locally or globally, departmentally or company-wide. Once this is established, an internal survey should be carried out to determine which specific departments and work procedures require electronic signatures, the relationships between departments, which people are involved in each process, and what levels of security are most needed. The results will help determine what type of electronic signature - whether simple, advanced or qualified - is the most appropriate option to give your company the best return on investment.
At Signaturit, we can help you find the best electronic signature solutions for your business. For any questions or comments, please contact us through the following form, or call us directly on +34 93 551 14 80.
This post is also available in Spanish.
- Beyond your online reputation, what defines your digital identity and what legal rights are associated with it?
- What impact has the new EU Data Protection Regulation had on biometric data?
- How to use lean principles within a traditional management structure.
Regulation (EU) No 910/2014
* Source: World Wide Web Consortium (W3C).