In today’s rapidly evolving digital landscape, the need for secure and reliable electronic transactions is more crucial than ever.
The European Union has recognized this necessity and implemented a regulatory framework known as eIDAS. If you’re reading this, you’ve probably heard of eIDAS. But deciphering what exactly it is, what it regulates, and how it relates to eSigning takes some research and time.
Luckily, we’ve summed it up for you in this article.
Cross-border Business Opportunities
The acronym eIDAS stands for “electronic Identification, Authentication and Trust Services”. It is a regulation introduced by the European Parliament and the Council of the European Union in 2014, defining European standards for electronic transactions, including Digital Identity, Electronic Signatures, Certificates, and Trust Services.
Key Principles of eIDAS
The main reason behind introducing the eIDAS regulation was to drive digital growth and innovation within the EU. This is to be achieved through the following key principles:
- Mutual Recognition: eIDAS promotes the mutual recognition of electronic identification means across EU member states. This means that an electronic identification issued in one country should be recognized and accepted in another, facilitating cross-border digital interactions.
- Interoperability: eIDAS ensures the interoperability of different electronic identification systems. This allows individuals and businesses to use their electronic identities across various platforms and services seamlessly.
- Security: Security is a fundamental aspect of eIDAS. The regulation establishes strict security requirements for electronic identification, authentication, and trust services, ensuring the protection of sensitive data and the prevention of fraud.
Three Levels of eSignatures Explained
eIDAS regulates various authentication and trust services, including Electronic Signatures, Electronic Seals, and Electronic Timestamps. It defines three levels of eSignatures – simple, advanced, and qualified.
Simple electronic signature
An electronic signature is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”. Therefore, anything as simple as writing your name or initials under an email can be considered a simple electronic signature.
Advanced electronic signatures (AES)
An advanced electronic signature is an electronic signature which is additionally:
- uniquely linked to and capable of identifying the signatory
- created in a way that allows the signatory to retain control
- linked to the document in a way that any subsequent change of the data is detectable
The most commonly used technology that meets these requirements relies on a public-key infrastructure (PKI), which involves the use of certificates and cryptographic keys.
Qualified electronic signature (QES)
A qualified electronic signature is an advanced electronic signature which is additionally created in a qualified signature creation device (QSCD) and is based on a qualified certificate for electronic signatures.
It also requires face-to-face or video verification of the signer as a prerequisite before QES signatory capability is granted.
A QSCD is a secure device in which the signature's private key is stored, for example a smartcard, a hardware security module (HSM), or a USB token.
QES has the same legal standing as a handwritten traditional signature in the EU.
Legal Standing of Electronic Signatures According to eIDAS
The legality of electronic signatures gets a bit confusing, as there is a lot of information out there that might seem conflicting. But in a nutshell – all electronic signatures are legally binding under eIDAS. For an eSignature to be legally binding, you technically don’t need an electronic certificate or a qualified device.
The key difference between the three levels is how secure they are and how easy or hard it is to prove their validity in court.
eIDAS states that no electronic signature should be denied legal effect. However, only QES has the same official legal standing as a “wet ink” (= handwritten pen on paper) signature. In practice, that means that if a QES is disputed, the burden of proof lies with the party disputing it.
For simple and advanced electronic signatures, the burden of proof lies with the disputed party or the signature issuer, not with the signer themselves. With AES, though, it is significantly easier to establish the true identity of the signer and therefore to confirm or refute the signature's validity.
Tip: Looking for an eSignature solution that is simple, easy to use, but also eIDAS certified to Advanced level? Try Circularo for free.
Who Needs eIDAS?
eIDAS is essential for various stakeholders involved in digital transactions and interactions.
Let’s explore who can benefit from eIDAS.
Businesses and E-commerce Platforms
For businesses operating in the European Union, eIDAS offers a standardized and legally recognized framework for electronic transactions. It enables businesses to provide secure and reliable services, build trust with their customers, and expand their reach across EU borders.
E-commerce platforms can benefit from eIDAS by implementing electronic signatures and seals, streamlining their processes, and ensuring compliance with legal requirements.
Government Organizations and Public Services
Government organizations and public services heavily rely on secure and trusted digital interactions with citizens. eIDAS provides the necessary tools and standards to establish secure electronic identification and authentication systems. This enables government entities to offer efficient and user-friendly online services, such as tax filings, document submissions, and access to public records.
Individuals and Consumers
eIDAS benefits individuals and consumers by simplifying their online experiences. With eIDAS-compliant electronic identification, individuals can access a wide range of digital services, such as online banking, e-commerce platforms, and government portals, using a single electronic identity. This eliminates the need for multiple usernames and passwords and enhances convenience and security.
Are electronic signatures legally binding under eIDAS?
Yes, eIDAS clearly states that no electronic signature should be denied legal effect just because it is electronic.
To make sure that your digital signatures are easily verifiable and can’t be disputed, use Advanced or Qualified electronic signatures that are eIDAS certified by an official Accreditation Body.
What level of authentication do my documents need?
The optimal assurance level depends on the risk profile of each transaction.
For day-to-day correspondence and low-risk transactions (little or no money involved), a simple electronic signature should be sufficient.
For moderate-risk scenarios with high-volume demands, AES is optimal. The majority of business transactions fall into this category.
For extremely high-profile financial transactions that require the utmost level of security, you might want to upgrade to QES.
Which countries use eIDAS?
All 27 EU Member States are regulated by eIDAS. Some non-EU countries have also adopted eIDAS or a similar framework, such as the United Kingdom, which inherited eIDAS from its time in the EU, or the UAE, which is developing its own framework heavily based on and compatible with eIDAS.
What does it mean to be eIDAS certified?
To obtain eIDAS certification, the Trust Service Provider (TSP; for example, an eSignature solution) must first meet all the requirements stated in the regulation. This is then examined by an auditor appointed by the EU itself under the oversight of a Conformity Assessment Body.
If the audited TSP meets all the process and technical standards, the audit result is an official eIDAS certification for the given Trust Service Provider.
To ensure the maximum level of compliance and security when it comes to eSignatures, and to truly enjoy all the benefits discussed above, always look for a solution that is eIDAS certified.