Electronic Signature


Why do we use eSignatures?


The requirements of our modern society, eBusiness, eCommerce and eGovernment demand secure and legally compliant ways of exchanging electronic data and information.

It is therefore necessary to verify the identity of the communication partner. For this reason, the eSignature was developed. It should represent an unfalsifiable, verifiable and traceable digital signature.
The electronic signature thus technically fulfils the same purpose (the same criterion) as a handwritten signature on paper documents.


Integrity

Completeness and unchangeability of data

Authenticity

Identifiability of the originator of data

Confidentiality

Access to data only for authorized persons




Harald Krassnigg

Head of Project Management & Legal Issues

Watch Harald Krassnigg in our video blog

“For many of our clients, the legal basis is one of the central issues when introducing the electronic signature. With our eSignature solutions, we meet the highest standards in terms of legal validity and security!”



Electronic Signature – FAQ


General


What is an electronic signature?
An electronic signature or eSignature is defined as „data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign“.

What does that mean in concrete terms? To put it simply, any form of mark that is intended to show that the content of an electronic document has been approved or accepted represents an electronic signature. It is not decisive how this mark looks like or how it has been applied to the document. Rather, it is important that:

  • it can be determined who has attached this mark to the document (authenticity), and
  • it can be ensured that the content of the document has not been altered after this mark has been attached (integrity).
What types of electronic signature are there?
We differentiate between the following levels of electronic signature:

  • basic signature
  • advanced signature (AES)
  • qualified signature (QES)

The legal evidentiary value increases with increasing signature level. At the same time, the necessary requirements increase as well.

How is the electronic signature regulated by law?
The legal framework conditions with regard to the electronic signature are laid down uniformly throughout the European Union in the eIDAS Regulation. More information on the eIDAS Regulation can be found in the next section. The legislation of many other countries is based on the eIDAS Regulation, e.g. the Swiss Federal Act on Electronic Signatures, ZertES.
Is there a difference between an electronic and a digital signature?
These two terms are often used as synonyms, but in fact they refer to two different things. While “electronic signature” is regarded as a legal term, the digital signature is the underlying technical or cryptographic process. In practice, a so-called Public Key Infrastructure (PKI) is commonly used for this purpose.

Both with the advanced and with the qualified electronic signature, there is always a digital signature involved fom a technological point of view. This is not necessarily the case with a basic signature.


eIDAS Regulation


What is the eIDAS Regulation?
The eIDAS Regulation forms the legal basis for electronic signatures in the European Union. Specifically, this is “Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market”.

The abbreviation eIDAS refers to electronic IDentification, Authentication and trust Services.

How long has the eIDAS Regulation been in force?
The eIDAS Regulation has been in force since July 1st, 2016.
What does the eIDAS Regulation state?
The eIDAS Regulation regulates the use of electronic signatures, trust services and electronic identification throughout the European Union in a total of 52 articles. The complete regulation can be found here – in case you enjoy reading legal texts.

Some important aspects stated in the eIDAS Regulation:

  • A qualified electronic signature has the same legal effect as a handwritten signature.
  • A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.
Does an “eIDAS compliant“ electronic signature always correspond to a handwritten signature in terms of legal effect?
In short, no.

Just because an electronic signature complies with the legal requirements of the eIDAS Regulation does not mean that it has the same legal effect as a handwritten signature. This only applies if it is a qualified electronic signature (QES) that conforms to eIDAS.


Qualified Electronic Signature (QES)


What is a qualified electronic signature (QES)?
The QES is the only level of electronic signature whose legal effect fully corresponds to that of a handwritten signature (with a few exceptions in the field of notaries).
What are the requirements for a QES?
A QES is an advanced electronic signature (AES) that is

  • always based on a qualified certificate – is a digital certificate issued by a “qualified trust service provider” according to the eIDAS Regulation and thus fulfils a number of requirements defined in Annex I of the eIDAS Regulation.
  • created by a qualified electronic signature creation device.
What is a qualified trust service provider?
The status “qualified trust service provider” is granted by an appropriate supervisory body after a positive conformity assessment and entitles to the issuance of qualified certificates for a QES.

An example of a qualified trust service provider is A-Trust, the Austrian Trust Center and partner of XiTrust.

What is a qualified electronic signature creation device?
This is usually a hardware security module (HSM) used to store and apply the cryptographic signature key. In practice, the following options are used:

  • Hardware token in the form of a chip card (signature card)
  • HSM is located at the trust service provider, signature is triggered remotely (remote signature)
Is a QES also valid outside the EU?
Since the eIDAS regulation, which defines the requirements for a QES, is the strictest legal regulation in the world for electronic signatures, a QES is implicitly valid worldwide.

Example: In the USA, the Electronic Signatures in Global and National Commerce Act (ESIGN Act) forms the legal basis for the use of electronic signatures. In comparison, the eIDAS Regulation makes much higher demands when it comes to the legal validity of electronic signatures.

Does a QES meet the written form requirement (e.g., according to §126a BGB in Germany)?
Yes, the QES fulfills the legal condition according to §126a BGB.
For the pharmaceutical industry: Does a QES meet the requirements of the FDA (Food and Drug Administration) for digital signatures?
Yes, a QES meets all the requirements that the FDA has defined for digital signatures in Title 21 CFR part 11.

Remote Signature


What is a remote signature?
A remote signature is defined as a qualified electronic signature (QES) triggered by technical means that do not require a local signature unit (e.g., card reader). In practice, the mobile phone is commonly used for this purpose.
What is required to use the remote signature?
A qualified certificate is required for the use of the remote signature, as is required for QES. After appropriate authentication, this certificate is issued by a qualified trust service provider and linked to the mobile phone number. Doing so, the user receives a digital identity that enables the use of the remote signature.

An example of such a digital identity is xIDENTITY, a service provided by XiTrust and the qualified trust service provider A-Trust. The identification takes place online in a video session within a few minutes, the issued certificate has a validity of 5 years.

For austrian residents, the “Handy-Signatur” is equivalent to xIDENTITY.

How to sign a document by remote signature?
For the secure use of the remote signature, two-factor authentication comes into play with every signing process. For this purpose, – e.g. when signing a document on the eSignature platform MOXIS – a password is first entered (factor “knowledge”), and the transaction is confirmed via mobile phone (factor “possession”).

In the case of xIDENTITY, there are the following options to confirm the transaction:

  • Entering a TAN sent via text message
  • Using the speed-sign app: scanning a QR code
  • Using the speed-sign app: fingerprint
  • Using the speed-sign app: Face ID

By the way, the speed-sign app is available free of charge on all popular platforms (iOS AppStore, Google Play, etc.).


SUMMARY – get a quick and uncomplicated overview of the eSignature:
 
With eSignatures, documents can be signed digitally; the legal basis for the European Union is formed by the eIDAS Regulation. There are three different levels of electronic signature – basic, advanced and qualified. The qualified electronic signature (QES) has the highest quality and is legally equivalent to the handwritten signature, so that all use cases requiring the written form can be covered.
 
In practice, the QES is created using a signature card or by remote signature via mobile phone. In order to use the remote signature, a digital identity is required first. For this purpose, XiTrust offers a service called xIDENTITY together with partner and Trust Center A-Trust. The digital identity can be issued online within a few minutes, is valid for 5 years and can then be used, for example, for legally valid signing by remote signature in the eSignature platform MOXIS.


Is there anything else you’d like to know?
Why not ask our experts!