What is the eIDAS regulation?
The Electronic Identification, Authentication and Trust Services regulation came into effect in the European Union on July 1, 2016. It was created to standardize the regulations for electronic signatures and transactions. Legally, it is known as EU Regulation No. 910/2014.
eIDAS replaced the 1999 Electronic Signatures Directive. It ensures that all Member States meet the same standards and regulations. eIDAS was designed to correct inconsistencies, remove uncertainty, and build trust in the internal market as it relates to electronic signatures and transactions. The goal was to ensure that electronic documents with e-signatures would be recognized and accepted across all Member States in the EU.
What does the eIDAS regulation cover?
Compared to the Electronic Signatures Directive 1999, eIDAS is broader. In addition to electronic signatures, the eIDAS regulation also covers electronic identification, electronic registered delivery, electronic archiving services, and website authentication.
eIDAS stipulates a standardized set of regulations related to electronic identification and trust services.
Under its chapter on electronic identification, eIDAS offers guidance to ensure that electronic identification is recognized across all EU Member States.
The Electronic Signatures Directive 1999 focused primarily on e-signatures and their certifications.
The eIDAS regulation includes a chapter on trust services that provides more standardization in relation to trust services for authentication and signatures, including:
- Electronic signatures
- Certificates for electronic signatures
- Electronic seals
- Website authentication
- Electronic registered delivery services
Qualified trust service providers must meet requirements defined by the Member State and are identifiable by the standard EU trust mark.
What are the benefits of the eIDAS regulation?
Under the Electronic Signatures Directive, there was a lack of uniformity throughout the EU. Each country had its own interpretation of the system, so the required levels of security and authentication varied widely from one Member State to another.
eIDAS presents a set of guidelines that benefits businesses and citizens alike, including:
- Improved trust in online and electronic transactions
- Recognition of electronic identification across all member states
- Faster and streamlined process for cross-border transactions
- Consistent electronic signature regulations across the EU
Who is affected by eIDAS?
Anyone conducting electronic transactions using electronic signatures in the EU is covered by the eIDAS regulation. This makes it possible for businesses and consumers to conduct their transactions without having to be physically present.
While consumers completing electronic transactions should be aware of the regulations, the burden of compliance generally falls on the trust service provider.
What is considered an electronic signature under eIDAS regulation?
Electronic signatures under eIDAS include any data in electronic form which is attached to, or logically associated with, other data in electronic form, and which is used by the signer to sign. There is no requirement for a specific type of technology to be used when qualifying an electronic signature under eIDAS.
eIDAS defines three levels of assurance for identification: low, substantial, and high. Similarly, eIDAS has established three categories of e-signatures:
- Electronic signatures
- Advanced electronic signatures
- Qualified electronic signatures
While they are all valid as electronic signatures, the type of signature affects how much evidence is required to prove that the signature is genuine.
Here are the major distinctions between the three types of signatures.
Types of electronic signatures
An electronic signature is first and foremost a legal concept. Generally, it is about having a lasting record of a signatory’s intent. A digital signature is different from an electronic signature. Digital signature refers to the encryption technology used in e-business and electronic commerce applications, including e-sign applications.
The first category, the electronic signature, is also referred to as a basic or simple electronic signature. It can be a typed name or a copy of a handwritten signature. Since these types of signatures can be forged, a court may require additional supporting evidence to prove that the signature is genuine.
Basic or simple electronic signatures
The basic e-signature is technology-neutral, meaning that any electronic form or process is generally accepted so long as the resulting e-signature meets three basic requirements. An electronic signature must be:
- Used by the person associated with the signature
- Used in a manner that demonstrates the intent of the signer
- Associated with the document or data the signer intended to sign
Advanced electronic signatures (AES)
An advanced electronic signature goes beyond the basic e-signature by tying authentication to the signature and the document. This mitigates risk in business transactions by providing additional evidence that can be used to verify the authenticity of the signature. It is more difficult to forge and less evidence may be required by the court to prove the intent and authenticity of the signature.
In addition to the requirements needed for a simple electronic signature, an advanced electronic signature must be:
- Uniquely linked to the person using the signature
- Able to identify the signer
- Created in a way that the signer is confident it is under their sole control
- Linked to the document, so any changes made afterwards are identifiable
Most businesses and banks opt for the advanced electronic signature as their standard form of e-signature. Its built-in authentication assurance increases security without impacting the customer experience.
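The four AES requirements listed above correspond to properties that a digital signature scheme provides cryptographically: the signature can only be produced with the signatory's private key, it is verified against that signatory's public key, and it covers the exact bytes of the document so any later change is detectable. The Go program below is an added example, not code from the original article or from OneSpan; it uses Ed25519 from Go's standard library, and the Signer type, NewSigner, SignDocument and VerifyDocument are hypothetical names constructed for this illustration, as is the sample document text. It demonstrates the cryptographic linkage only; what makes a signature "advanced" or "qualified" under eIDAS also depends on identity proofing and, for QES, a qualified certificate and creation device, which no code snippet can supply.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Signer models one signatory who holds a private key under their sole control
// (requirement: "created in a way that the signer is confident it is under their sole control").
// Hypothetical type constructed for this example.
type Signer struct {
	Name string
	priv ed25519.PrivateKey // never leaves the signer's custody
	Pub  ed25519.PublicKey  // shared with relying parties to identify the signer
}

// NewSigner generates a fresh Ed25519 key pair for the named signatory.
func NewSigner(name string) (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv, Pub: pub}, nil
}

// SignDocument produces a detached signature over the exact document bytes.
// Because the signature covers every byte, the document is "linked" to the
// signature: any modification after signing changes the verification input.
func (s *Signer) SignDocument(doc []byte) []byte {
	return ed25519.Sign(s.priv, doc)
}

// VerifyDocument checks sig against doc using the claimed signer's public key.
// It returns false (rather than panicking, which ed25519.Verify does on a
// malformed key) when the key has the wrong length, so a relying party can
// treat a bad certificate payload the same way as a bad signature.
func VerifyDocument(pub ed25519.PublicKey, doc, sig []byte) bool {
	if len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, doc, sig)
}

func main() {
	alice, err := NewSigner("Alice")
	if err != nil {
		panic(err)
	}
	bob, err := NewSigner("Bob")
	if err != nil {
		panic(err)
	}

	// Constructed sample document; values are illustrative only.
	doc := []byte("Life insurance application; applicant: Alice; sum insured: 100000 EUR")
	sig := alice.SignDocument(doc)

	// 1. Genuine signature, unaltered document, correct signer: verifies.
	fmt.Println("original, Alice's key:", VerifyDocument(alice.Pub, doc, sig))

	// 2. Document altered after signing: the change is identifiable.
	tampered := []byte("Life insurance application; applicant: Alice; sum insured: 900000 EUR")
	fmt.Println("tampered, Alice's key:", VerifyDocument(alice.Pub, tampered, sig))

	// 3. Same document, but attributed to another person: uniquely linked to Alice.
	fmt.Println("original, Bob's key:  ", VerifyDocument(bob.Pub, doc, sig))
}
```

Run it with `go run .`; the first check prints true and the other two print false. In a real AES deployment the public key would be delivered inside a certificate that binds it to the signer's verified identity, and the relying party would archive the document, the signature and that certificate together, as the P&V Insurance counsel notes further down.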
Qualified electronic signatures (QES)
The term “qualified electronic signature” is based on the eIDAS regulation but it is similar to many other laws around the world that require a certificate issued by an accredited organization.
The OneSpan qualified electronic signature is an advanced electronic signature that additionally requires a personal digital certificate on top of all other standard requirements. The digital certificate is a secure, personal and unique electronic identity credential that must be issued to the signer in a form they can keep under their control.
In addition to the requirements of both electronic signatures and advanced electronic signatures, a qualified electronic signature must be:
- Created using a qualified electronic signature creation device
- Supported by a qualified certificate (issued by a qualified trust service provider; an example would be itsme in Belgium)
Like an advanced e-signature, it is recognized as equivalent to a handwritten signature. However, if challenged in a dispute, this type of signature requires no additional evidence in court, under Article 25 of eIDAS.
The qualified e-signature reverses the burden of proof that normally occurs during a digital transaction. With simple electronic signatures and advanced electronic signatures, it is up to the organization initiating the transaction to authenticate the signer. But, with a qualified e-signature, the signer must produce the digital certificate used to authenticate themselves.
In practice, other forms of e-signature may be challenged in legal proceedings, and the organization initiating the transaction may need to prove to the court that the signature is reliable and original; in short, that it has legal effect. While some countries may favor the admissibility of electronic signatures based on digital certificates, they cannot deny admissibility of the signed document in court solely because the signature is in the form of a basic or advanced e-signature.
What type of signature should you use under eIDAS?
The type of signature you should use depends on the type of transaction and the level of risk (e.g., authentication risk, legal risk, compliance risk, adoption risk) your organization is willing to take. According to the white paper eIDAS and E-Signatures: A Legal Perspective, if the law does not specify that a qualified e-signature is necessary for a document to be legal, an advanced electronic signature can suffice.
Hear firsthand from a European organization, P&V Insurance in Belgium, about their use case and how their legal team made the decision to adopt the advanced electronic signature in lieu of the qualified electronic signature. For P&V Insurance, the question became: how to choose the right type of e-signature for each use case? The initial use case is life insurance applications, a low-risk process where the compliance requirements are minimal.
“The insurance application does not have the same level of risk as the policy, therefore an Advanced E-Signature is sufficient. However, for documents that need strong legal enforceability, such as the policy itself or the beneficiary change form, we need Qualified E-Signatures or even ink signatures to be compliant,” says Marc Lucion, Senior IT Project Manager.
According to the insurer’s general counsel, “We advised the business to use Qualified E-Signatures (with government-issued eID and PIN) at least for certain acts or contracts in function of the risk, sensitivity, or amount. However, we also agreed that Advanced E-Signatures (with authentication and SMS one-time passcode) were legally sufficient for most insurance applications. In all cases, the e-signed documents had to be kept and archived in our systems.” Read more in this case study: P&V Insurance lays the groundwork for enterprise esignature.
eIDAS addresses the inconsistency of electronic transactions across EU Member States. While it may seem complex, by establishing a set of basic standards eIDAS helps create a seamless electronic environment. The increased trust in electronic processes will foster faster long-term economic and social growth throughout the EU. As a business, it is important to familiarize yourself with eIDAS and ensure your organization is compliant.
OneSpan’s electronic signature solution, OneSpan Sign, supports all types of signatures under the eIDAS regulation. Learn more about how OneSpan Sign is designed to meet e-signature requirements in countries that have enacted electronic signature laws.
For further information on electronic signature law, and the legal effectiveness and enforceability of e-signatures for your business transactions or with a specific type of agreement or contract, visit our e-signature legality guide and consult your legal counsel.