How It Works: Qualified E-Signature Under eIDAS

Rahim Kaba, July 18, 2021

With the eIDAS Regulation taking legal effect in 2016, cross-border digital business became far easier across the European Union (EU). The Regulation makes trusted communications and electronic transactions between businesses, citizens and public authorities easier among EU member states, removing the hurdles and fragmented legal frameworks for e-signatures and electronic identification that existed under its predecessor, the EU Directive.

Many people believed that the Directive mandated the use of the Qualified E-Signature for an e-signature to be legally effective, which was not the case. eIDAS corrected this misinterpretation and lets organizations choose the type of electronic signature that best fits each use case: the Basic electronic signature, the Advanced Electronic Signature, or the Qualified E-Signature. All three categories can be legally effective under eIDAS.

When Does It Make Sense to Use Qualified E-Signatures?

While all three forms of e-signature are perfectly acceptable and have the same admissibility as a handwritten signature, there are a number of use cases where organizations may need to use the Qualified E-Signature (QES). This type of e-signature is based on a digital signature created with a qualified signature creation device (QSCD), such as a smart card or USB token, that holds a unique private key and a digital certificate, known as a qualified certificate, issued to an individual person. The digital signature matters because it applies a time stamp and electronic seal to the document. The qualified certificate and its associated key must be obtained from a qualified Trust Service Provider (TSP or QTSP) and must be delivered on a supported electronic signature creation device that can be used with a computer. The qualified TSP is included in an EU trust list.

A key objective of eIDAS is to enable electronic identification and trust services to operate across borders, including the issuance of qualified certificates by a certificate authority to support the Qualified E-Signature. Examples include the use of smart cards for signing documents, particularly in government, the military and financial institutions, which regularly handle high-value and high-risk digital transactions.

Signing with Smart Cards

Admittedly, one of the most confusing aspects of eIDAS is how to put the regulation into practice. If you use an open electronic signature solution like OneSpan Sign, getting started is easy because our solution meets ALL of the eIDAS requirements for e-signatures right out of the box. OneSpan Sign uses standards-based digital signatures and X.509 certificates, which ensures universal acceptance. You get immediate interoperability with qualified certificates issued by any qualified TSP, unlike other vendors whose platforms require development work before they can support certificates from specific issuers.

Whether you're using a government-issued national electronic identity card (e.g., Belgium eID) or a smart card issued by your local TSP such as LuxTrust in Luxembourg, our open approach means that you can accelerate your time-to-market and begin using eIDAS-compliant e-signatures with OneSpan Sign today – in conjunction with qualified certificates from any issuer.

Here's how it works:

  1. Prior to e-signing, the sender securely adds the electronic documents to OneSpan Sign.
  2. The signatory enters OneSpan Sign through one of its supported channels and authentication methods before accessing the documents.
  3. The signer inserts their smart card into the reader and e-signs the documents as required by clicking the "Click to Sign" signature blocks.
  4. As each document is e-signed, the Qualified Electronic Signature is secured by a digital signature created with the private key belonging to the qualified certificate, which in this example is stored on the smart card connected to the computer.
  5. Each signing operation requires the card's PIN or password to complete.

The result is a secure, tamper-evident e-signed PDF. OneSpan Sign guarantees the integrity of the e-signed documents and visibly invalidates them if any changes are made after signing. What's more, all of the information gathered during the signing process (who signed, in what order, when, where, which qualified certificate was used, etc.) is captured in a detailed audit trail that is permanently embedded within the signed PDF.
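To make the mechanics behind steps 3 to 5 and the tamper-evidence claim concrete, here is an added Go example. It is not OneSpan Sign code and is not from the original post. It uses a toy model: a self-signed root certificate stands in for a QTSP on the EU trust list, a Go struct stands in for the smart card (a real QSCD is driven through PKCS#11 or vendor middleware and the key never leaves the chip), and the signed "document" is a byte string rather than a PDF with an embedded signature, time stamp and audit trail. All names, the PIN and the sample contract text are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignatureCreationDevice is a toy stand-in for a QSCD (smart card or USB token): the
// key is generated on the device, never leaves it, and signing needs the holder's PIN.
type SignatureCreationDevice struct {
	priv *ecdsa.PrivateKey
	pin  string
	Cert *x509.Certificate // plays the qualified certificate stored on the card
}

// newKeyAndCert generates a P-256 key and a short-lived certificate for it from tmpl.
// With parent and signerKey nil the certificate is self-signed (used for the root).
func newKeyAndCert(tmpl, parent *x509.Certificate, signerKey *ecdsa.PrivateKey) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if signerKey == nil {
		parent, signerKey = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// Enrol plays issuance: a constructed self-signed root in the role of a QTSP from the EU
// trust list certifies a key generated on the device for the named natural person,
// with key usage digitalSignature plus contentCommitment (non-repudiation).
func Enrol(holder, pin string) (*SignatureCreationDevice, *x509.Certificate, error) {
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example QTSP Root (constructed)"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootKey, root, err := newKeyAndCert(rootTmpl, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	cardTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: holder},
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment}
	priv, cert, err := newKeyAndCert(cardTmpl, root, rootKey)
	if err != nil {
		return nil, nil, err
	}
	return &SignatureCreationDevice{priv: priv, pin: pin, Cert: cert}, root, nil
}

// Sign is the "Click to Sign" step: the device hashes the document and signs the digest
// with the on-card key, but only after the holder's PIN is presented.
func (d *SignatureCreationDevice) Sign(pin string, doc []byte) ([]byte, error) {
	if pin != d.pin {
		return nil, errors.New("PIN rejected: signing key stays locked")
	}
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
}

// VerifySignedDocument is the relying party's check: the signer's certificate must chain to a
// trusted QTSP root (the pool models the EU trust list) and the signature must still match the document.
func VerifySignedDocument(doc, sig []byte, signer, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := signer.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("certificate not trusted: %w", err)
	}
	if err := signer.CheckSignature(x509.ECDSAWithSHA256, doc, sig); err != nil {
		return fmt.Errorf("signature invalid, document altered after signing or wrong key: %w", err)
	}
	return nil
}

func main() {
	card, qtspRoot, err := Enrol("Signer One (constructed)", "1234")
	if err != nil {
		panic(err)
	}
	contract := []byte("Constructed sample contract: Party A pays Party B 1000 EUR.") // constructed input
	sig, err := card.Sign("1234", contract)
	if err != nil {
		panic(err)
	}
	fmt.Println("original:", VerifySignedDocument(contract, sig, card.Cert, qtspRoot))
	contract[len(contract)-9] = '9' // 1000 EUR becomes 9000 EUR after signing
	fmt.Println("altered: ", VerifySignedDocument(contract, sig, card.Cert, qtspRoot))
}
```

Run it with `go run`: the first verification returns no error, the second fails because a single byte of the contract was changed after signing, which is the property the platform surfaces as a visibly invalid signature in the PDF. Note that the verifier only ever sees the certificate and the signature, never the private key or the PIN, and that a certificate issued by any root outside the trusted pool is rejected before the signature is even examined.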

The Qualified E-Signature Doesn't Come Without Its Challenges

While e-signing documents with smart cards and other hardware devices remains a viable option in the EU market, it does pose a number of challenges. The process can be time-consuming and clunky because it requires a card reader, which keeps people tethered to a computer. This can create a major roadblock in deploying e-signatures to your employees, partners and customers.

I can't emphasize this point strongly enough: it's one thing to implement the ultimate level of security in your signing process, but if no one uses it because it's tough or cumbersome to use, then you lose all the benefits of implementing a process that was meant to make doing business easier and faster. Therefore, it's extremely important to take the time to weigh the costs and benefits of customer experience against security when deciding which e-signature type to implement. In many cases, the Advanced Electronic Signature may be a more appropriate type of signature for your target business processes. In fact, in serving the European market for over a decade now, many of our European clients have opted for the Advanced signature in their implementations for common use cases such as signing contracts, agreements and onboarding documents in electronic form.

The good news is that new mobile and roaming public key infrastructure (PKI) technologies are emerging to solve some of the challenges associated with signing with hardware devices, and OneSpan Sign is the signature solution at the forefront of bringing these solutions to market to ensure the e-signing user experience and workflow is not only easy and convenient, but also secure at the same time.

eIDAS: A Bright Future for Digital Business in the EU

eIDAS facilitates the cross-border recognition of e-signatures in the EU. Is your business ready to capitalize on this? Visit our eSignature Legality Guide to learn more about the eIDAS regulation and other regulatory information governing e-signatures around the world.


Rahim Kaba is a passionate and results-driven digital technology leader who has played a key role in advancing digitization initiatives at organizations around the world. As VP Product Marketing at OneSpan, he leads the go-to-market strategy of the company's growing portfolio of solutions.