The Electronic Identification and Trust Services Regulation (eIDAS Regulation 910/2014/EC) is a single, standardised regulation that applies across all EU member states providing a consistent legal framework for accepting electronic identities and signatures.
Importantly, eIDAS states that no signature can be denied legal admissibility solely because it’s in electronic form.
Types of electronic signature
The eIDAS Regulation defines three levels of electronic signature, with increasing levels of technical trustworthiness and therefore credibility in legal proceedings:
Standard Electronic Signatures
- Standard electronic signatures can only be used by individuals.
- The eIDAS Regulation provides a broad definition of what an ‘electronic signature’ is without reference to any specific technologies: data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
- For example, you can sign a document simply by scanning your signature or digitally ticking a box in a document.
- At this basic level there is no way of knowing the true identity of the person who has ‘signed’ the document and there is no way to tell that the file/document hasn’t been tampered with.
Advanced Electronic Signatures
- Advanced Electronic Signatures (AdES) overcome the limitations of basic electronic signatures.
- AdES must be uniquely linked to the signatory and can authenticate the signer and the document.
- Furthermore, it must enable the verification of the integrity of the signed agreement, i.e. detect if it has been tampered with.
- This authentication is normally provided with a digital certificate issued by a Certificate Authority.
- Signers create their signature using data solely under their control and the final document is tamper-evident.
Qualified Electronic Signatures
- Qualified Electronic Signatures (QES) are a stricter form of AdES and, under the eIDAS regulation, the only signature type given the same legal value as handwritten signatures.
- Qualified Electronic Signatures are based on Qualified Certificates which can only be issued by a Certificate Authority which has been accredited and supervised by authorities designated by the EU member states and meet the requirements of eIDAS.
- Qualified Certificates must also be stored on a qualified signature creation device such as a smart card, a USB token, or a cloud based trust service.