The qualified electronic signature.
eSignature with the legal validity of a handwritten signature.
A qualified electronic signature is the same in the digital world as a handwritten signature is in the analog world. By law, the qualified electronic signature (QES) is the highest-value form of digital signature. It differs from the standard electronic signature (SES) and the advanced electronic signature (AES).
The basis for all forms of electronic signature is the eIDAS Regulation of the European Parliament and the Council of the European Union. eIDAS is the English abbreviation for electronic IDentification, Authentication and Trust Services. The name stands for REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, which was in force until then.
Legal certainty with the eIDAS Regulation
As an instrument of legal harmonization, the eIDAS Regulation simplifies electronic signatures and promotes the expansion of digital solutions at the pan-European level. The QES is defined in Article 3, point 12 as “an advanced electronic signature created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures”.
The eIDAS Regulation provides the legal certainty that motivated investment in transformation processes in many places to begin with. Article 25, Paragraph 2 of the eIDAS Regulation stipulates that the qualified electronic signature has the same legal effect as a handwritten signature.
Qualified electronic signatures are always based on a qualified certificate. This can only be triggered by a secure signature creation device (SSCD). A state-recognized trust service provider, a so-called trust center, such as D-Trust (Germany) or A-Trust (Austria) provides the personal certificates. Swisscom is a special case in this context because it is bound by the Swiss signature law ZertES and not the eIDAS Regulation. Yet, personal certificates are used as well. They fulfill the essential requirement for a qualified electronic signature, namely that the person signing is identifiable beyond doubt and that the content of the document in question remains unchanged. Recognized trust service providers can be identified by the fact that they comply with the catalog of requirements formulated in the eIDAS Regulation.
Qualified and thus state-certified trust centers are, for example, A-Trust (Austria), D-Trust (Germany) or Swisscom Trust Services (Switzerland). They ensure the maximum evidential value of a QES. They trigger legally secure qualified signatures by issuing electronic certificates. In Article 24, Paragraph 1, the eIDAS Regulation specifies: “When issuing a qualified certificate for a trust service, the qualified trust service provider shall verify, by appropriate means and in accordance with the respective national law, the identity and, where applicable, the specific attributes of the natural or legal person to whom the qualified certificate is issued.”
The key tasks of a trust center are:
- issuing qualified certificates for electronic signatures
- electronic time stamping
- validation of electronic signatures
- archiving of electronic signatures
The eIDAS Regulation differentiates between qualified and non-qualified trust service providers. Orientation is provided here for companies and private individuals by the so-called “Trust List”. This list contains all providers and services that have qualified status in the relevant EU countries. Anyone not on this list is excluded from qualified trust services. Registration and certificate creation are free of charge; at the main Austrian trust center A-Trust, for example, the mobile signature app is also free for users.
Companies that process electronic signatures of any signature quality in their processes with MOXIS, for example, pay for qualified electronic signatures via the number of MOXIS licenses purchased. The eSignature platform by XiTrust supports every form of electronic signature. The depth of integration means that MOXIS users can remain on the familiar interface of their preferred office system (e.g. SAP) and trigger signatures of any quality. MOXIS then operates “in the background”.
Which signature quality for which document?
The necessary signature quality always depends on the individual case. As a rule of thumb, not all digitally signed documents necessarily require a qualified electronic signature, i.e., with the same legal effect as a handwritten signature. In many cases, a standard electronic signature or an advanced electronic signature is sufficient.
1. Standard electronic signature for
- delivery offers (suppliers)
- orders (purchasing)
- internal company documents
- internal approval processes (“routing slips”)
Documents that use a standard electronic signature are not subject to any legal formal requirements and have only a low liability risk.
2. Advanced electronic signature for
- purchase and rental agreements
- account openings
- basic forms of employment contracts
As with standard electronic signatures, documents that are to be provided with an advanced electronic signature are not subject to any legal formal requirements and have a calculable liability risk.
3. Qualified electronic signature for
- personnel leasing contracts
- employment contracts
- consumer loan agreements
- various official documents
Documents that require a qualified electronic signature are subject to a legal formal requirement and are characterized by a comparatively high liability risk. In Germany, the legislator prescribes the qualified electronic signature in Section 492 (1) of the German Civil Code (BGB) for consumer loan agreements. Section 12 of the AÜG stipulates the qualified electronic signature for employee leasing contracts.
Written form requirement
In Germany, legislation formulates the mandatory use of the qualified electronic signature in § 126 BGB as a “written form requirement”. Whenever this is given, a digitally signed document only achieves its validity through the QES. But beware: although signatures cannot be rejected by a court of law under the eIDAS Regulation because they are provided digitally, there are individual cases in which electronic signatures are not permitted. The most important example is notarial certification, but also the termination of employment contracts!
Requirements for the qualified electronic signature
The QES is the only form of electronic signature that requires a digital identity. Users must identify themselves once for this purpose. The “digital passport” is issued by various service providers and platforms, primarily using video-based identification procedures (video identification procedure). The online identification process requires a valid ID document, a computer and a cell phone. The identification process on the screen takes about ten minutes. One of the most important platforms for online issuing of digital identities is xIDENTITY.eu, a service provided by XiTrust and A-Trust.
Alternatively, individuals can also have their digital identity issued in person through the service of a public identification office. In contrast to the video ID procedure, this solution is more time-consuming and cost-intensive, as fees are incurred for official identification. Companies usually use their own registration officers: these are specially trained personnel who are authorized to register digital identities within the company.
Digital identities are usually issued for five years before they are renewed by repeated confirmation of the personal data. Furthermore, companies and public authorities issue digital identities in a personal face-to-face procedure. Authorized to do so are Registration Officers who have earned personal authorization to issue digital identities. In most cases, individual company employees have taken on this task.
A qualified electronic signature is created by means of two-factor authentication. The signature itself is based on a pair of keys, one public and one private (non-public). The public key is accessible to anyone and enables the signature to be verified. In contrast, use of the private key can only be authorized by the signatory. Together, the key pair ensures data integrity and authenticity.
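The key-pair mechanism described above, together with the trust center's role of binding an identity to a public key, can be shown as an added example that is not code from XiTrust, MOXIS or any trust center. It is a simplified model using Node.js `crypto` and Ed25519, not X.509 or a real qualified certificate. The function names, the certificate structure and all sample data are assumptions constructed for illustration.

```javascript
// Added illustration: simplified model, not X.509, PAdES or a real trust-center API.
const crypto = require("crypto");

// Constructed keys: one pair for the trust center, one for the signatory.
const trustCenter = crypto.generateKeyPairSync("ed25519");
const signer = crypto.generateKeyPairSync("ed25519");

const pem = (key) => key.export({ type: "spki", format: "pem" });
const certBody = (c) => Buffer.from(JSON.stringify([c.subject, c.publicKeyPem]));

// The trust center binds a verified identity to the signatory's public key.
function issueCertificate(subject, publicKey, issuerPrivateKey) {
  const cert = { subject, publicKeyPem: pem(publicKey) };
  cert.issuerSignature = crypto.sign(null, certBody(cert), issuerPrivateKey);
  return cert;
}

// Only the holder of the private key can produce this value for a document.
function signDocument(document, privateKey) {
  return crypto.sign(null, Buffer.from(document), privateKey);
}

// Verification needs only public data: document, signature, certificate and
// the trust center's public key (standing in here for a Trust List entry).
function verifyDocument(document, signature, cert, trustedIssuerKey) {
  if (!crypto.verify(null, certBody(cert), trustedIssuerKey, cert.issuerSignature)) {
    return "certificate not issued by trusted provider";
  }
  const signerKey = crypto.createPublicKey(cert.publicKeyPem);
  if (!crypto.verify(null, Buffer.from(document), signerKey, signature)) {
    return "document altered or signed with a different key";
  }
  return "valid: signed by " + cert.subject;
}

// Constructed sample document and identity.
const contract = "Constructed sample: consumer loan agreement, amount 10000 EUR";
const cert = issueCertificate("Jane Doe (constructed)", signer.publicKey, trustCenter.privateKey);
const signature = signDocument(contract, signer.privateKey);

console.log(verifyDocument(contract, signature, cert, trustCenter.publicKey));
console.log(verifyDocument(contract.replace("10000", "90000"), signature, cert, trustCenter.publicKey));
```

The first check covers authenticity (the certificate traces back to the trusted issuer), the second covers integrity (any change to the document invalidates the signature).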
QES is not required for all documents; it is prescribed by law only in the individual cases described above. Nevertheless, QES puts an immediate end to any form of legal uncertainty, because it is the digital equivalent of handwritten signatures. The QES also saves time, because there is no longer any need to check each individual case. Thus, in the end, the QES stands for an “all-round worry-free” package.