Are electronic signatures valid?
Published on Thursday 12 December 2019, 11:10 CET
Most of us have, at some point, been asked to provide physically signed documents by mail or to visit our nearest bank branch to sign an account opening form in person. Thankfully, however, both the private and public sector are waking up to the reality that not only are certain electronic signatures more secure than physical signatures, but that electronic signatures are legally binding for most documents and agreements.
At EU level, electronic signatures are regulated by the Regulation on electronic identification and trust services for electronic transactions (No 910/2014 of 23 July 2014) (hereinafter the “Regulation” or “eIDAS Regulation”).
The eIDAS Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities. As a regulation, rather than a directive, it is directly applicable in all EU Member States, which ensures consistent application across the EU, although some flexibility is afforded to Member States when it comes to defining the legal effect of electronic signatures.
In terms of the Regulation, there are 3 types of electronic signature, namely the:
1. Standard Electronic Signature;
2. Advanced Electronic Signature; and
3. Qualified Electronic Signature.
Standard Electronic Signatures
The standard electronic signature is defined as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. The Regulation provides no further detail on a standard electronic signature, which leaves room for interpretation. As a result, any method that captures the intent of the signatory to approve a document or enter into an agreement can be regarded as a valid standard electronic signature. This could include the signatory attaching a scanned signature to a document and sending it by email, or ticking a signature checkbox. While this is an extremely easy way to sign, a standard electronic signature is not the most secure way to sign a document.
Article 25(1) of the Regulation states that a standard electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures. This, however, does not mean that a standard electronic signature is legally equivalent to a handwritten signature, unless specifically provided for under national legislation.
Advanced Electronic Signature
The advanced electronic signature is an electronic signature that meets the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under the signatory’s sole control; and
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
In order to satisfy all of the above, it is generally accepted that the digital signature must be applied using a digital certificate. The digital certificate is issued by a Certificate Authority to an individual and such certificate is unique to that individual and thus capable of identifying that signatory whenever used, as no other person holds the same digital certificate.
Such digital certificates would then make use of public-key cryptography, where content is encrypted using an individual’s public key and can only be decrypted with the individual’s private key. For signing, the key pair is used in the other direction: the signature is created with the private key, and anyone can check it with the public key contained in the certificate. As the private key is known only to the holder, this ensures that the e-signature is only used by the actual signatory, thus satisfying the third requirement (i.e. para. (c) above). Such digital signatures are applied to the document and normally time-stamped, following which no further changes to the document are allowed, unless the document is digitally signed once again through the same process and by all parties. In other words, the e-signature is linked to the data in such a way that any subsequent change in the data is detectable. Most cloud-based e-signature software available online, such as DocuSign and HelloSign, falls within this category of electronic signature.
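To make requirement (d) and the role of the two keys concrete, the following Python is an added illustration and is not taken from the article or from any e-signature product. It assumes textbook RSA over a SHA-256 hash with fixed demonstration primes and the hypothetical signers "Alice" and "Bob"; real products use padded signature schemes from a vetted library, with the public key carried in the signatory's certificate.

```python
# Added illustration: textbook RSA hash-then-sign using only the standard library.
# Not for production: no padding, and the primes are fixed, publicly known values.
import hashlib

E = 65537  # public exponent


def make_keypair(p, q):
    """Return (public, private) with public=(n, e) and private=(n, d)."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, inverse of e mod phi(n)
    return (n, E), (n, d)


def digest(document: bytes) -> int:
    """SHA-256 of the document as an integer; this is what actually gets signed."""
    return int.from_bytes(hashlib.sha256(document).digest(), "big")


def sign(document: bytes, private) -> int:
    n, d = private  # only the signatory holds d (requirement (c))
    return pow(digest(document), d, n)


def verify(document: bytes, signature: int, public) -> bool:
    n, e = public  # anyone may hold the public key
    return pow(signature, e, n) == digest(document)


# Constructed demo keys built from Mersenne primes (unusable as real keys).
ALICE_PUB, ALICE_PRIV = make_keypair(2**521 - 1, 2**607 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**1279 - 1, 2**607 - 1)


def demo():
    contract = b"Party A agrees to pay Party B EUR 1,000."  # constructed sample
    sig = sign(contract, ALICE_PRIV)
    return {
        # Unchanged document, checked against Alice's public key.
        "genuine": verify(contract, sig, ALICE_PUB),
        # One field edited after signing: the hash no longer matches.
        "altered": verify(contract.replace(b"1,000", b"9,000"), sig, ALICE_PUB),
        # Signed with Bob's key but presented as Alice's.
        "wrong_signer": verify(contract, sign(contract, BOB_PRIV), ALICE_PUB),
    }


if __name__ == "__main__":
    print(demo())
```

The "altered" and "wrong_signer" cases are the two checks a relying party gets from an advanced electronic signature: the document is unchanged since signing, and the signature was produced with the key bound to the named signatory.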
Qualified Electronic Signature
A qualified electronic signature is defined as an advanced electronic signature that is created by a qualified electronic signature creation device (meeting the requirements listed in Annex II of the Regulation), and which is based on a qualified certificate for electronic signatures.
In terms of the Regulation, a qualified electronic signature shall have the equivalent legal effect of a handwritten signature. The Regulation also states that a qualified electronic signature based on a qualified certificate issued in one EU Member State shall be recognised as a qualified electronic signature in all other Member States. In fact, the European Commission recently announced that as from November 2019, European citizens can use national eID schemes from 6 EU countries across borders, thanks to the eIDAS Regulation. Member States are now obliged to recognise the German National Identity Card and Electronic Residence Permit, the Italian eID means of SPID (Public System of Digital Identity), six Estonian eID means (ID card, RP card, Digi-ID, e-Residency Digi-ID, Mobiil-ID, Diplomatic identity card), the Spanish DNIe, the Luxembourgish National Identity Card and the Croatian Personal Identity Card (eOI) when citizens from other countries want to use their online public services.
In order to ensure a uniform application across Member States, the Regulation provides a list of requirements that the “qualified certificate” must contain.
Firstly, the qualified certificate must be issued by a qualified trust service provider, which is defined as a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body. In terms of Article 22 of the eIDAS Regulation, each Member State shall establish, maintain and publish trusted lists, including information related to the qualified trust service providers for which it is responsible, together with information related to the qualified trust services provided by them. You can find a list of trust service providers (both qualified and non-qualified) using the Trust List Browser.
Secondly, the qualified certificate must contain:
(a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for electronic signature;
(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least, the Member State in which that provider is established and:
— for a legal person: the name and, where applicable, registration number as stated in the official records,
— for a natural person: the person’s name;
(c) at least the name of the signatory, or a pseudonym; if a pseudonym is used, it shall be clearly indicated;
(d) electronic signature validation data that corresponds to the electronic signature creation data;
(e) details of the beginning and end of the certificate’s period of validity;
(f) the certificate identity code, which must be unique for the qualified trust service provider;
(g) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;
(h) the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is available free of charge;
(i) the location of the services that can be used to enquire about the validity status of the qualified certificate;
(j) where the electronic signature creation data related to the electronic signature validation data is located in a qualified electronic signature creation device, an appropriate indication of this, at least in a form suitable for automated processing.
Please note that this article does not constitute legal advice. Specialist legal advice should be taken in relation to specific circumstances. The contents of this article are for general information purposes only. Whilst we endeavour to ensure that the information on this site is correct, no warranty, express or implied, is given as to its accuracy and we do not accept any liability for error or omission. We shall not be liable for any damage (including, without limitation, damage for loss of business or loss of profits) arising in contract, tort or otherwise from the use of, or inability to use, this site or any material contained in it, or from any action or decision taken as a result of using this site or any such material.