Is a digital signature legally valid?
Electronic signatures under the eIDAS Regulation
The eIDAS Regulation makes a distinction between the standard electronic signature, advanced electronic signature and qualified electronic signature:
- The ordinary digital signature
- The advanced digital signature
- The qualified digital signature
1. The ordinary electronic signature.
This is the simplest version. It concerns any form of ‘signing’ that identifies the signatory and says something about the integrity of the message. An ordinary electronic signature is, for example, a scan of a normal signature that is inserted in the document, or a ‘scribble’ made with the mouse..
The eIDAS Regulation provides three criteria that need to be fulfilled in order to qualify the signature as a standard
1. The existence of ‘data in electronic form’;
2. attached to or logically associated with
other data in electronic form; and
3. used by the signatory to sign.
These criteria are not further explained in the eIDAS Regulation, with the consequence that the fulfilment of these criteria leave room for interpretation. This means that many electronic tools can meet those criteria and can be qualified as standard electronic signature.
The eIDAS Regulation stipulates that a standard electronic signature ‘shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is an electronic form or that it does not meet the requirements for qualified electronic signatures’. Each member state has the possibility to define the legal effects of the standard electronic signature. This means that the legal effect of a standard electronic signature is depending on national legislation.
2. The advanced electronic signature.
With the advanced signature, the emphasis is on the reliability of the process. The following aspects play a role in determining the degree of reliability, evidential value:
- It is uniquely linked to the signatory;
- It makes it possible to identify the signatory;
- It is created with means that the signatory can keep under his sole control; and
- It is linked in such a way to the electronic file to
which it relates (‘association’), that any subsequent modification of the data can be detected.
To ensure the above, advanced electronic signatures use mathematical techniques to associate the message with a unique code, which is derived from the message itself and the identity of the sender. The association between the message and the code is established using a digital key, making the code unusable if the message is fake.
While discussion can arise with respect to the evidence of the standard electronic signature, for example when a signatory denies the signing of a contract, the advanced electronic signature provides more safeguards on the technical security of the signature and can provide more safeguards with respect to authentication. Advanced electronic signatures are therefore considered to be more reliable. You will find more information about the safeguards with respect to the advanced electronic signature of Evidos hereinafter.
3. The qualified electronic signature.
A qualified electronic signature is defined in article 3 (12) of the eIDAS Regulation as ‘an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures’. So, to be considered a qualified electronic signature, the qualified electronic signature must be based on a qualified certificate. This certificate must contain the specific information set out in Annex 1 of the eIDAS Regulation and be issued by a qualified certification service provider.
Like the advanced signature, the focus of the qualified signature is on the reliability of the process. The main difference between the advanced signature and qualified signature is the use of a qualified certificate by the signer. Qualified certificates are issued by bodies, called ‘certification service providers’. This can be governments issuing qualified certificates as a national digital identity, or commercial organisations. Evidos is not a qualified certificate issuer, but we provide the possibilities to create a qualified signature in our platform using a qualified certificate the signer already possesses.
According to the eIDAS Regulation a qualified electronic signature ‘shall have the equivalent legal effect of a handwritten signature’. This means all member states must recognize the qualified electronic signature and must treat the qualified electronic signature with the same legal effect as the handwritten signature.
Although it sounds like the best option to choose a qualified signature by default there can be some implications. The main question is if your end-users already have a qualified certificate they feel comfortable to instantly use in your application. So for example using a citizen digital identity in a business or private context. If not, it is difficult, costly and time consuming to issue a qualified certificate first. You should always look for the digital identities your end-user already possesses and if the level of trust of this identity fits the risk and regulation of your transactions.
The eIDAS Regulation states that an electronic signature ‘shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is an electronic form or that it does not meet the requirements for qualified electronic signatures’. If you have any question or doubts about the electronic signature for your transactions and the legal effect of this signature in your country, please contact us. We have extensive experience with the legal status of the electronic signatures.
Receive the whitepaper on digital evidence if you want to know more.