Digital signature – FAQ.
Everything you need to know about eSignatures at a glance.
Why do we use eSignatures?
The requirements of our modern society, eBusiness, eCommerce and eGovernment demand secure and legally compliant ways of exchanging electronic data and information.
It is therefore necessary to verify the identity of the communication partner. For this reason, the electronic signature (eSignature) was developed.
The electronic signature technically fulfils the same purpose (the same criterion) as a handwritten signature on paper documents.
- Completeness and unchangeability of data
- Identifiability of the originator of data
- Access to data only for authorized persons
We have clearly summarized the legal principles and terminology surrounding the topic of eSignatures in various articles for you. Take a look at our FAQ below to find out about common questions regarding digital signatures!
Our experts will also be happy to help you with any legal questions you may have!
The digital signature
The qualified electronic signature
The eIDAS Regulation
»For many of our clients, the legal basis is one of the central issues when introducing the electronic signature. With our eSignature solutions, we meet the highest standards in terms of legal validity and security!«
Head of Project Management & Legal Issues
Frequently asked questions – FAQ.
An electronic signature or eSignature is defined as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
What does that mean in concrete terms? To put it simply, any form of mark that is intended to show that the content of an electronic document has been approved or accepted represents an electronic signature. It does not matter what this mark looks like or how it has been applied to the document. Rather, it is important that:
- it can be determined who has attached this mark to the document (authenticity), and
- it can be ensured that the content of the document has not been altered after this mark has been attached (integrity).
We differentiate between the following levels of electronic signature:
- basic signature
- advanced signature (AES)
- qualified signature (QES)
The legal evidentiary value increases with increasing signature level. At the same time, the necessary requirements increase as well.
The legal framework conditions with regard to the electronic signature are laid down uniformly throughout the European Union in the eIDAS Regulation. More information on the eIDAS Regulation can be found in the next section. The legislation of many other countries is based on the eIDAS Regulation, e.g. the Swiss Federal Act on Electronic Signatures, ZertES.
These two terms are often used as synonyms, but in fact they refer to two different things. While “electronic signature” is regarded as a legal term, the digital signature is the underlying technical or cryptographic process. In practice, a so-called Public Key Infrastructure (PKI) is commonly used for this purpose.
From a technological point of view, both the advanced and the qualified electronic signature always involve a digital signature. This is not necessarily the case with a basic signature.
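As an added illustration of the two properties named above (authenticity and integrity) and of the cryptographic process that underlies an electronic signature, the following Go program (written for this page, not code from XiTrust or any product it describes) signs a constructed document with an ECDSA P-256 key and shows verification failing when the content is altered or a different key is used. The key pair is generated on the fly with no certificate or trust service provider involved, which is a simplification of a real PKI.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// NewSignerKey stands in for a signatory's key pair. In a real PKI the public
// key would be bound to the person's identity by a certificate; this demo
// (an assumption) has no certificate chain, only a raw key pair.
func NewSignerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignDocument hashes the document bytes with SHA-256 and signs the digest,
// producing a detached signature: the document itself is not modified.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest and checks the signature against the
// claimed signer's public key. It returns false if the content changed after
// signing (integrity) or if another key produced the signature (authenticity).
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := NewSignerKey()
	mallory, _ := NewSignerKey()
	// Constructed sample document; a PDF would instead hash its signed byte ranges.
	doc := []byte("Contract (constructed sample): amount 1000 EUR")
	sig, _ := SignDocument(alice, doc)
	fmt.Println("original, signer's key:", VerifyDocument(&alice.PublicKey, doc, sig))
	tampered := []byte("Contract (constructed sample): amount 9000 EUR")
	fmt.Println("tampered content:      ", VerifyDocument(&alice.PublicKey, tampered, sig))
	fmt.Println("wrong public key:      ", VerifyDocument(&mallory.PublicKey, doc, sig))
}
```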
The verification can be performed using any common PDF reader program. In Adobe Reader, a live signature verification is executed, which can be reviewed in more detail by clicking on the signature dialog in the upper left corner or, alternatively, directly on the signature visualization. Furthermore, the signed document can also be verified by the Signature verification of the RTR or by the A-Trust verification tool.
Read more about the digital signature in our detailed summary.
The eIDAS Regulation is the legal basis regarding digital signatures in the European Union. To be precise, it is the “Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market”.
The abbreviation eIDAS means electronic IDentification, Authentication and trust Services.
The eIDAS Regulation has been in force since July 1, 2016.
The eIDAS Regulation regulates the use of digital signatures, trust services and electronic identification across the EU in a total of 52 articles. You can find the complete regulation here – if you enjoy reading legal documents.
Some key aspects of the eIDAS Regulation:
- A qualified electronic signature has the same legal effect as a handwritten signature.
- A qualified electronic signature based on a qualified certificate issued in one Member State is recognized as a qualified electronic signature in all other Member States.
In short: No. Just because a digital signature complies with the legal requirements of the eIDAS regulation does not mean that it has the same legal effect as a handwritten signature. This only applies if it is a qualified electronic signature that is eIDAS-compliant.
Learn more about the eIDAS Regulation in our detailed summary.
Qualified electronic signature (QES).
The QES is the only form of digital signature that fully corresponds in its legal effect (with a few exceptions in the notarial environment) to the handwritten signature.
A QES is an advanced electronic signature (AES) that:
- is always based on a qualified certificate – this is a digital certificate issued by a “qualified trust service provider” according to the eIDAS Regulation and thus fulfills a number of requirements defined in Annex I of the eIDAS Regulation.
- has been created by a qualified electronic signature creation device.
The status of “qualified trust service provider” is granted by a corresponding supervisory body after a positive conformity assessment and entitles the holder to issue qualified certificates for a QES.
An example of a qualified trust service provider is the Austrian trust center and XiTrust partner A-Trust.
This is usually a hardware security module (HSM) that is used to store and apply the signature key. In practice, the following options are used for this purpose:
- Hardware token in the form of a smart card (card signature)
- HSM is located at the trust service provider, signature is triggered remotely (remote signature)
Since the eIDAS regulation, which specifies the requirements for QES, is the world’s most stringent legal regulation regarding electronic signatures, QES implicitly has worldwide validity.
Example: In the USA, the Electronic Signatures in Global and National Commerce Act (ESIGN Act) provides the legal basis for the use of digital signatures. In comparison, however, the eIDAS Regulation sets much higher requirements when it comes to the legal validity of electronic signatures.
Yes, the QES fulfills the legal requirement under § 126a of the German Civil Code (BGB) in conjunction with the Trust Services Act.
Yes, the QES meets all requirements defined by the FDA regarding digital signatures in Title 21 CFR part 11.
Learn more about the qualified electronic signature in our detailed summary.
The term remote signature is used when a qualified electronic signature (QES) is triggered by technical means that do not require a local signature unit (e.g., card reader). In practice, the cell phone is normally used for this purpose.
To use remote signature, a qualified certificate is required – just as it is for QES. This certificate is issued by a qualified trust service provider after appropriate authentication and is linked to the phone number. The user thereby receives a digital identity that enables the use of the remote signature.
One example of such a digital identity is xIDENTITY, a service provided by XiTrust and the qualified trust service provider A-Trust. Identification takes place online in a video session within a few minutes, and the certificate issued is valid for 5 years.
For Austrian residents, the “cell phone signature” corresponds to the function of xIDENTITY.
For the secure use of remote signature, two-factor authentication comes into play for every signature transaction. For this purpose – e.g., when signing a document in the eSignature platform MOXIS, a password is first entered (“knowledge” factor) and the transaction is confirmed via cell phone (“ownership” factor).
In the case of xIDENTITY, the following options are available for this purpose:
- Entering an SMS TAN
- Using the speed-sign app: scanning a QR code
- Using the speed-sign app: fingerprint
- Using the speed-sign app: Face ID
By the way, the speed-sign app is available free of charge on the common platforms (iOS AppStore, Google Play, etc.).
SUMMARY – for a straightforward and quick overview of the digital signature:
Digital signatures allow documents to be signed digitally, and the legal basis for this in the EU is the eIDAS Regulation. There are three different types of digital signature – simple, advanced and qualified. The qualified electronic signature (QES) has the highest quality and is legally equivalent to the manual signature, which means that it can also cover all use cases with a written form requirement.
In practice, the QES is created with signature cards or by remote signature via cell phone. A digital identity is first required to use the remote signature. For this purpose, the service xIDENTITY is offered by XiTrust and its partner and trust center A-Trust. The digital identity can be issued online within a few minutes, is valid for 5 years and can then be used, for example, for legally valid signing by remote signature in the eSignature platform MOXIS.