How It Works: Qualified E-Signature Under eIDAS

Rahim Kaba, July 18, 2016

Now that the eIDAS Regulation is in full effect, the ease of cross-border digital business is a reality in the EU. The new Regulation comes at an opportune time to make trusted communications between businesses, citizens and public authorities easier in Europe – removing the previous hurdles and fragmented legal frameworks from the Regulation's predecessor, the EU Directive.
Many people believed that the Directive mandated the use of the Qualified E-Signature in order for the e-signature to be legally effective, which wasn't the case. eIDAS corrects this misinterpretation and lets organizations choose an optimal e-signature type – whether that's the Basic, Advanced or Qualified E-Signature. All three categories can be legally effective under eIDAS.

When Does It Make Sense to Use Qualified E-Signatures?

While all three forms of e-signature are perfectly acceptable, there are a number of use cases where organizations may need to use the Qualified E-Signature. This type of e-signature is based on a digital signature created through a device such as a smart card or USB token, using a unique key and a digital certificate, known as a qualified certificate, assigned to an individual person. The qualified certificate and associated key must be obtained from a Trust Service Provider (TSP) and must be provided on a supported device to use with a computer system.
A key objective of eIDAS is to enable TSPs to offer cross-border services, including issuing qualified certificates to support the Qualified E-Signature. Examples include the use of smart cards for signing documents – particularly in government, military and financial institutions that regularly deal with high-value and high-risk digital transactions.

Signing with Smart Cards

Admittedly, one of the most confusing aspects of eIDAS is how to put the regulation into practice. If you use an open e-signature platform like eSignLive, we make it easy to get started because our solution meets ALL of the eIDAS requirements for e-signatures right out-of-the-box. eSignLive utilizes standards-based digital signatures and X.509 certificates, which ensures universal acceptance. You get immediate interoperability with qualified certificates issued by any qualified TSP – unlike other vendors whose platforms require development work to support certificates from specific issuers.

Whether you're using a government-issued national electronic identity card (e.g., Belgium eID) or a smart card issued by your local TSP such as LuxTrust in Luxembourg, our open approach means that you can accelerate your time-to-market and begin using eIDAS-compliant e-signatures with eSignLive today – in conjunction with qualified certificates from any issuer.

Here's how it works:

  1. Prior to e-signing, the documents are securely added to eSignLive by the sender.
  2. The signer enters eSignLive through one of its supported channels and authentication methods before accessing the documents.
  3. The signer inserts their smart card into the reader and e-signs the documents as required by clicking the "Click to Sign" signature blocks.
  4. As each document is e-signed, the Qualified Electronic Signatures are secured by digital signatures created using the qualified certificate, which in this example is stored on the smart card that is connected to the computer.
  5. In each case, this action requires a PIN or password to complete the process.

The result is a secure, tamper-evident e-signed PDF. eSignLive guarantees the integrity of the e-signed documents and visibly invalidates the documents if any changes are made. What's more, all of the information gathered during the signing process – e.g., who signed, in what order, when, where, which qualified certificate was used, etc. – is captured in a detailed audit trail that is permanently embedded within the signed PDF.

The Qualified E-Signature Doesn't Come Without Its Challenges

While e-signing documents with smart cards and other hardware devices remains a viable option in the EU market, it does pose a number of challenges. The process can be time-consuming and clunky at times because it requires a card reader that keeps people tethered to a computer. This can create a major roadblock in deploying e-signatures to your employees, partners and customers.
I can't emphasize this point strongly enough – it's one thing to implement the ultimate security in your signing process, but if no one uses it because it's tough or cumbersome to use, then you lose all the benefits of implementing a process that was meant to make doing business easier and faster. Therefore it's extremely important to take the time to weigh the costs/benefits of customer experience and security when deciding on which e-signature type to implement. In many cases, the Advanced E-Signature may be a more appropriate fit for your target business processes. In fact, in serving the European market for over a decade now, many of our European clients have opted for the Advanced E-Signature in their implementations for common use cases such as signing contracts, agreements and onboarding documents.
The good news is that new mobile and roaming public key infrastructure (PKI) technologies are emerging to solve some of the challenges associated with signing with hardware devices, and eSignLive is at the forefront of bringing these solutions to market to ensure the e-signing experience is not only easy and convenient, but also secure at the same time.

eIDAS: A Bright Future for Digital Business in the EU

eIDAS facilitates the cross-border recognition of e-signatures in the EU. Is your business ready to capitalize on this? Download the eIDAS and E-Signature white paper, written by Lorna Brazell of Osborne Clarke LLP, for a concise breakdown of the regulation and how it impacts your business. The paper also includes a handy e-signature evaluation checklist for meeting EU-specific requirements.

Rahim Kaba is a passionate and results-driven digital technology leader who has played a key role in advancing digitization initiatives at organizations around the world. As VP Product Marketing at OneSpan, he leads the go-to-market strategy of the company's growing portfolio of solutions.