The eIDAS Regulation.
The most important legal basis regarding eSignature.
Content and objectives
The eIDAS Regulation is the legal framework for electronic signatures in the European Union. The abbreviation eIDAS stands for electronic IDentification, Authentication and Trust Services; the Regulation carries the official designation (EU) No. 910/2014. Since its entry into force on 01.07.2016, the Regulation has governed electronic identification and trust services for electronic transactions in the internal market of the European Union. The 52 articles of the eIDAS Regulation replace the previously applicable Directive 1999/93/EC. Although that directive had established rules on electronic signatures, it was not sufficient to provide a comprehensive cross-border framework for secure, trustworthy and easy-to-use electronic transactions. The eIDAS Regulation strengthens and extends the legal provisions of that original directive.
The central motivation for this amendment on the part of the European Parliament and the Council of the European Union was to create a reliable legal framework for electronic transactions. The preamble to the eIDAS Regulation therefore states: “This Regulation aims to strengthen trust in electronic transactions in the internal market by creating a common basis for secure electronic interaction between citizens, businesses and public administrations.” The goal is to increase the effectiveness of online public and private services, electronic business and e-commerce in the Union.
The eIDAS Regulation regulates the use of electronic signatures for the first time in the EU and creates comprehensive legal certainty. It is thus also the fundamental piece of legislation for electronic signatures, which today are used privately by individuals, by public authorities and by companies in internal and external signature processes. With the regulation, the EU has clarified the status of digital signatures compared with handwritten signatures: no signature may be rejected simply because it was made electronically. According to the European Commission, the eIDAS Regulation creates a predictable regulatory environment for electronic signatures between private individuals, companies and public authorities.
Advantages of the eIDAS Regulation are:
- legal certainty through a uniform legal framework for all member states
- enabling of remote digital signatures also with mobile devices
- transparency and standardization of trust service providers
- reduction of time-consuming administrative processes
There is no such thing as the one and only electronic signature. Similarly, the eIDAS Regulation does not contain any general rules on the type of electronic signature to be used for corporate, commercial or financial transactions. Instead, the eIDAS Regulation distinguishes between three categories of electronic signatures, which differ in terms of their quality and thus their legally binding nature:
Standard electronic signature
The simplest form of an electronic signature is described by the legislator as “data in electronic form that is attached to or logically associated with other electronic data and that the signatory uses to sign.” In concrete terms, this means that, for example, even a document signed by hand, scanned and thus digitized, has a simple electronic signature. This is because it is the electronic equivalent of a handwritten signature, with which the signatory expresses his or her agreement with the contents of the document in question. This form of electronic signature has a low level of security.
Advanced electronic signature
The requirements for the advanced signature, as described in Article 26 of the eIDAS Regulation, go beyond this. This substantial form of electronic signature is uniquely associated with a signatory, because it ensures that the signatory can be identified. At the same time, it must be ensured that the content of a signed document cannot be subsequently changed without this becoming immediately apparent, which would render the document invalid. In summary, the advanced electronic signature both ensures the integrity of the document and proves the authenticity of the signatory beyond doubt.
Qualified electronic signature
The qualified electronic signature is the highest form of digital signature. It has the highest legal force and is 100 percent equivalent to a handwritten signature in all EU member states. For this reason, the QES is also subject to the highest requirements, which are described in the eIDAS Regulation. Two elements are essential for the QES:
- The existence of a digital identity, as can be obtained in various identification procedures by private-sector and government providers.
- A qualified certificate from a state-approved trust service provider, a so-called trust center, gives the signed document its unique legal status.
The eIDAS Regulation therefore formulates a precise catalog of requirements for trust service providers in Chapter III. They ensure digital identity and are responsible for digital certificates and signatures. Only trust service providers that meet the requirements listed from Article 13 onward are considered qualified. Qualified, and thus state-recognized, trust centers are, for example, A-Trust, D-Trust or Swisscom Trust Services.
Qualified trust centers enable legally secure qualified signatures by issuing electronic certificates. In Article 24, para. 1, the eIDAS Regulation formulates this core element for the issuance of qualified electronic signatures: “When issuing a qualified certificate for a trust service, the qualified trust service provider shall verify, by appropriate means and in accordance with the relevant national law, the identity and, where applicable, the specific attributes of the natural or legal person to whom the qualified certificate is issued.”
A quick overview of the tasks of trust service providers according to the eIDAS Regulation:
- issuance of qualified certificates for electronic signatures
- electronic time stamps
- validation of electronic signatures
- archiving of electronic signatures
The eIDAS Regulation distinguishes between qualified and non-qualified trust service providers. Companies and private individuals have the possibility to distinguish between them on the basis of the so-called “Trust List”. This list contains all providers and services that have qualified status in the relevant EU countries. Anyone not on the list is excluded from providing qualified trust services.