eIDAS Regulation
Starting July 1, 2016, the prevailing EU directive on electronic signatures, termed the eSignatures Directive 1999/93/EC, was replaced by the new Regulation (EU) No. 910/2014 on electronic identification and trust services called the eIDAS regulation. It assures progress in online transactions for individuals, businesses, and public administrations in two areas: electronic identification services and trust services.
The eIDAS regulation was adopted to facilitate seamless digital transactions among individuals and businesses across countries within the European Union. The new regulation will go a long way in establishing a climate of trust when it comes to online and digital transactions in the EU.
eIDAS electronic signature definition in the EU
According to the eiDAS regulation, an electronic signature is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”
Key Concepts in the eIDAS regulation
Mutual Recognition:The eIDAS Regulation establishes the concept of mutual recognition, which ensures that electronic identification (eID) and trust services are universally acknowledged and accepted across all EU member states. This principle enables seamless cross-border transactions by guaranteeing that eIDs and trust services issued in one country are valid and trusted in others.
Trusted Service Providers (TSPs): Trusted Service Providers play a pivotal role within the eIDAS framework. These entities are responsible for delivering various trust services, including electronic signatures, electronic seals, electronic time stamps, and registered delivery services. Acting as intermediaries, TSPs ensure the security, integrity, and confidentiality of electronic transactions and communications.
TSPs must comply with specific requirements outlined in the eIDAS Regulation. This involves implementing adequate security measures, maintaining audit trails, and adhering to standardized technical specifications. They may also need to be accredited or supervised by national regulatory bodies to ensure compliance.
Electronic Signatures: eIDAS recognizes different types of electronic signatures, each carrying a distinct level of legal validity. These include simple electronic signature, advanced electronic signature, and qualified electronic or digital signature
Electronic Seals: In the eIDAS framework, electronic seals serve as the digital counterparts to traditional seals and are employed to ensure the integrity and authenticity of electronic documents or data. According to eIDAS, electronic seals are electronic data that are logically associated with other data, providing guarantees regarding the origin and integrity of the document or data.
Typically used by legal entities such as companies or public authorities, electronic seals offer assurance that the associated document or data has not been tampered with and originates from the indicated source. Similar to electronic signatures, different levels of electronic seals exist, including advanced electronic seals and qualified electronic seals.
Electronic Time Stamps: Electronic time stamps play a crucial role in establishing the integrity and chronological order of electronic transactions and communications. They provide indisputable evidence that specific data existed at a particular point in time.
An electronic time stamp is a digital mark that associates a specific time with a set of data. It safeguards against manipulation or backdating of electronic records or documents. By utilizing a trusted time stamping authority, individuals and organizations can ensure the integrity and legal validity of their electronic data over time.
Electronic time stamps find applications in various areas, including legal contracts, financial transactions, electronic archiving, and compliance with regulatory requirements. They enhance trust and reliability in electronic transactions, particularly in cross-border scenarios.
Provisions and Requirements:
Identification and Authentication: The eIDAS Regulation sets criteria for secure electronic identification, including uniqueness, integrity, non-duplication, data protection, and privacy. It promotes the use of reliable and secure identification methods across EU member states.
Trust Services: eIDAS covers trust services such as electronic signatures (simple, advanced, and qualified), electronic seals, electronic time stamps, registered delivery services, and certificates for website authentication. The regulation establishes requirements and standards for these services, ensuring interoperability and legal validity.
Cross-Border Recognition: eIDAS enables the recognition and acceptance of eIDs and trust services across EU member states, facilitating seamless and secure cross-border transactions. It promotes interoperability, removing barriers for individuals and businesses.
Notification and Supervision: The regulation outlines procedures for TSPs offering trust services to notify the relevant supervisory authority in their member state. TSPs must provide information about their services and comply with regulatory requirements. National supervisory bodies verify compliance and regulate TSP activities.
These provisions and requirements foster a secure, reliable, and harmonized digital environment in the European Union.
Compliance and Implementation:
Compliance Obligations: Businesses and organizations must comply with eIDAS to ensure secure and reliable electronic identification and trust services. This includes adhering to requirements for electronic signatures, seals, time stamps, delivery services, and website authentication. Implementing security measures and respecting privacy and data protection rights are also essential.
Technical Standards and Requirements: eIDAS establishes technical standards to support secure electronic identification and trust services. This includes specifying cryptographic algorithms, secure signature creation devices, and standardized electronic formats and protocols. Compliance ensures reliability, interoperability, and security.
National Implementing Legislation: Member states implement eIDAS into their national laws, adapting it to their legal systems. This ensures enforceability and may include additional requirements or procedures. Member states determine specific rules for electronic identification while aligning with eIDAS principles and objectives.
Conformity Assessment: eIDAS establishes processes to assess trust service providers (TSPs) for compliance. This includes evaluating technical infrastructure, verifying compliance with requirements, assessing reliability and competence, and conducting audits. Conformity assessment maintains trust and credibility in electronic identification and trust services.
Complying with eIDAS fosters a secure, interoperable digital environment, enabling seamless electronic transactions in the European Union.
What are the types of eSignatures recognized by eIDAS regulation?
The eIDAS Regulation defines three types of electronic signatures:
- Simple electronic signature (or just Electronic signature).
- Advanced electronic signature (AES)
- Qualified advanced electronic or digital signature (QES)
Legality and admissibility of electronic signatures under eIDAS
Article 25 of the eIDAS regulation reaffirms the legal admissibility of eSignatures as it says:
An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
A qualified electronic signature will be considered the equivalent of a handwritten signature, but the Commission Decision of 16 October, 2009 (2009/767/EC) states that to simplify procedures and facilitate cross-border use, “procedures by electronic means should rely on simple solutions, including as regards the use of electronic signatures.”
It goes on to specify in Article 1 that the Commission in no way prevents member states from accepting any type of electronic signatures—normal, advanced, or qualified. The eIDAS regulation backs this and seeks to create a streamlined market for digital transactions and e-commerce using national eID and electronic signatures.
Simple or basic electronic signature (SES)
As defined by eIDAS, Simple electronic signature (or electronic signature) covers all the broad types of electronic signatures as data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication. This is technology-neutral, which means any electronic form or technology is generally accepted. The resulting electronic signature should demonstrate the intent of the signer, be made by the person associated to the signature, and should be indelibly associated to the document the signer intended to sign.
Advance electronic or digital signature (AES)
An Advanced electronic signature is a type of electronic signature which is required to meet certain specific requirements on signer identity, security and sanctity of the signed document. The requirements specified under eIDAS are
- It is uniquely linked to the signatory.
- Is capable of identifying the signatory.
- Is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control.
- Is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
Qualified advanced electronic or digital signature (QES)
The final type of signature defined under eIDAS is the Qualified Electronic Signatures (QES). While both Advanced and Qualified Electronic Signatures are uniquely linked to the signer, Qualified Electronic Signatures are based on Qualified Certificates. Qualified Certificates can only be issued by a CA which has been accredited and supervised by authorities designated by the EU member states and meet the requirements of eIDAS. Qualified Certificates must also be stored on a qualified signature creation device such as a smart card, a USB token, or a cloud based trust service, we are not a TSP (Trusted Service Provider).
Benefits and Impacts of the eIDAS regulation:
Facilitating Digital Single Market: The eIDAS Regulation plays a vital role in promoting the growth of the Digital Single Market in the European Union. By harmonizing electronic identification and trust services across member states, eIDAS eliminates barriers and encourages seamless digital transactions across borders. This fosters innovation, competition, and economic development within the Digital Single Market.
Enhanced Security and Trust: eIDAS significantly enhances the security and trustworthiness of electronic transactions and communications. The regulation establishes stringent requirements for electronic identification, authentication, and trust services. By adhering to these requirements, businesses and individuals can ensure the integrity, authenticity, and confidentiality of their digital interactions. The utilization of advanced electronic signatures, seals, and time stamps provided by trusted service providers strengthens the security and reliability of electronic transactions, minimizing the risk of fraud and unauthorized access.
Cross-Border Business: eIDAS has a profound impact on facilitating cross-border e-commerce, public services, and electronic communication within the European Union. The mutual recognition of electronic identification means and trust services among member states enables businesses to expand their operations effortlessly across borders. This streamlines cross-border transactions, reduces administrative burdens, and promotes a more efficient and integrated European market. Citizens can access public services, engage in online shopping, and interact with businesses across EU borders with ease and confidence.
Citizen Empowerment: eIDAS empowers individuals by providing secure and convenient digital services. With recognized electronic identification, individuals gain access to a broad range of online services, including government portals, banking, healthcare, and e-commerce platforms. This eliminates the need for repetitive paperwork, physical presence, and manual processes. Citizens can confidently engage in digital interactions, knowing that their identities are protected, their transactions are secure, and their privacy is respected. eIDAS enables individuals to exercise greater control over their digital identities and enhances their participation in the digital society.
Cost Savings and Efficiency: The adoption of eIDAS brings potential economic benefits and efficiency gains for businesses and public administrations. By replacing traditional paper-based processes with electronic transactions, organizations can reduce costs associated with printing, postage, and manual handling. eIDAS promotes automation and streamlines workflows, leading to increased efficiency and productivity. Furthermore, the interoperability of electronic identification and trust services across member states eliminates the need for multiple identities or cumbersome authentication processes when conducting cross-border business. This simplification reduces complexity, saves time, and enhances overall operational efficiency for businesses operating in the European Union.
Overall, eIDAS has a transformative impact on the European digital landscape. It supports the growth of the Digital Single Market, strengthens security and trust, facilitates cross-border business, empowers citizens, and enables cost savings and efficiency gains. eIDAS sets the foundation for a more interconnected, secure, and prosperous digital future within the European Union.
eIDAS and Signeasy
Signeasy’s verified email for every user, 2FA with passcode and biometric authentication, audit trail & document verification to indicate tampering makes it an Advanced Electronic Signature provider. This covers a significant number of daily business transactions across industries.
