The first question many people ask us when we talk about Signaturit’s advanced eSignature solution is, "but... do electronic signatures have legal validity?" The resounding answer is yes: the electronic signature is legal throughout the European Union and in many other countries, including the United States.
It is entirely normal that there are still doubts about its legal weight, as well as a reluctance to use one due to a lack of information, but eSignatures are set to completely replace the traditional paper-and-pen method of signing documents. This is not just because the latter is less secure but also because it usually requires the signer to be physically present, which is increasingly considered a less viable option in our digital era.
In this post we review the European legislation establishing the legal validity of electronic signatures, the types of electronic signatures that currently exist and how the advanced electronic signature differs from the qualified electronic signature.
This post is also available in Spanish.
Electronic signatures are legal.
1. What laws regulate them?
Yes, electronic signatures are legal and recognized as valid in Regulation No 910/2014, known as eIDAS, which entered into force throughout Europe on July 1, 2016.
eIDAS is directly applicable in all member states because it is a regulation, not a directive. It replaces the previous European standard for electronic signatures (Directive 1999/93/EC), which left room for interpretation and had complicated the validity and recognition of electronic signatures between different EU countries, thus hindering the consolidation of a single internal market for European e-commerce.
Regulation (EU) No 910/2014 of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC.
(2) “This Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union.”
In other words, the new European regulation establishes a new legal framework for any kind of electronic identification system and trust services in Europe. This includes electronic signatures, electronic seals, time stamps, documents, delivery services, email certificates and certification services for Website authentication.
In Spain, Law 59/2003 of 19 December governs the use of electronic signatures. This law is derived from the previous European legislation that was repealed with the advent of the eIDAS Regulation, and therefore it has also been partially repealed.
It is likely that new Spanish legislation will be created to regulate those details that eIDAS has left to the discretion of each EU member state, but in no case will it overlap with what has already been established by the new European mandate.
In any case, Law 59/2003 is defined as follows:
- Article 1.1.: "This law regulates electronic signatures, their legal effectiveness and the provision of certification services."
- Article 2.1.: "This law shall apply to certification service providers established in Spain and to any certification services that are offered through a permanent establishment in Spain by providers with residency or domiciled in another EU member state."
- Article 2.2.: "A certification service provider is the natural or legal person who issues electronic certificates or provides other services related to electronic signatures."
2. What types of electronic signatures exist?
Article 3 of EU Regulation 910/2014 uses the following definitions:
- Electronic signature: "data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign".
- Advanced electronic signature: “an electronic signature which meets the requirements set out in Article 26”. These requirements are the following:
  - “it is uniquely linked to the signatory”;
  - “it is capable of identifying the signatory”;
  - “it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control”;
  - “it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable”.

"An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures." - Article 25, Legal effects of electronic signatures, Regulation 910/2014
3. What is the main difference between an advanced and a qualified electronic signature?
According to definitions set out by the eIDAS regulation, the main differences between advanced and qualified electronic signatures are:
- A qualified electronic signature must be created with a qualified electronic signature creation device.
- A qualified electronic signature must be based on a qualified electronic signature certificate.
> What is a qualified electronic signature creation device?
Qualified electronic signature creation devices must meet all requirements set out in Annex II of Regulation 910/2014.
For practical purposes, a qualified device is a piece of hardware able to ensure that electronic signatures are made securely and protected against possible forgeries. These devices must have cryptographic algorithms, suitable key lengths and collision-resistant hash functions.
> What is a qualified electronic signature certificate?
A qualified electronic signature certificate, as defined in Regulation 910/2014, is a certificate that is issued by a qualified trust service provider and meets the requirements set out in Annex I of the regulation.
The purpose of an electronic certificate is to validate and certify that an electronic signature corresponds to a specific person or entity, since it contains data of the individual or entity in question: full name, ID number, algorithm and signature keys, and issuing agency.
To obtain an electronic certificate it is necessary to appear in person before the issuing entity, so they can verify the identity of the person who will use the certificate. A classic example of this is the digital certificate contained within the Spanish national identity card, although some digital certificates are stored in software files.
4. What are the advantages of the advanced electronic signature with respect to the qualified electronic signature?
Given the number of requirements for an electronic signature to be considered “qualified”, it is difficult to use this type of signature to identify the user in transactions in which convenience, immediacy and, above all, mobility are at stake.
Since most of the population does not have easy access to qualified devices or qualified certificates, qualified electronic signatures only tend to be used in public administration. Most companies using electronic signatures opt for the advanced solution, since it allows them to operate safely in the online environment and to identify their customers or users with full legal guarantees.
Signaturit’s advanced electronic signature is easy to use from any device, whether computer, tablet or mobile, and is highly valued by digital consumers since it allows them to complete any formalities in seconds, whenever and wherever is convenient for them.
Signaturit complies with both the eIDAS regulation and Law 59/2003. This means:
- It allows the identification of the signer, since Signaturit records data associated with him/her unequivocally during the signing process, including email, geolocation, and biometric data when the device allows it, among other data.
- Signaturit is tamper-resistant: it is possible to detect any changes made to the signed document, as we use a system of public/private keys for both the signed document and the audit trail, allowing us to encrypt all documents and ensure their security at all times.
- It links the signer to the generated documentation and data, providing a set of hashes and unique keys that relate directly to the signer.
- Signatures are created under the exclusive control of the signer: the signature is generated directly from the signer’s device and can only be accessed from a private account.
Furthermore, Signaturit’s advanced eSignature solution runs in strict adherence to the electronic signature laws currently in force in the United States, namely the ESIGN and UETA Acts.
Register here to try our advanced electronic signature solution and get access to all features free for 14 days. For more information, please get in touch by sending us an email to firstname.lastname@example.org or by calling us on +34 935 511 480.
Note: This post is an updated and improved version of a post we published on April 14, 2014 entitled: "What is the legal validity of an electronic signature?" The article provides information of a general nature and is not a substitute for legal advice.