Q&A: What is eIDAS, anyway?
The Electronic Identification, Authentication and Trust Services Regulation 2014/910 or eIDAS sets out the framework for the legality of electronic signatures in the EU. It defines and regulates the use of three types of signatures: electronic signatures, qualified electronic signatures (QES) and advanced electronic signatures (AES). QES is the highest standard of electronic signature and provides a single set of rules across the EU. Customers can use DocuSign eSignature to deliver all three. When the UK left the EU, eIDAS became part of UK domestic law under the European Withdrawal Act.
Why was the eIDAS legislation around electronic signatures introduced?
The eIDAS Regulation was introduced to replace the E-Signature Directive (1999).
The previous directive gave EU Member States discretion over how they implemented its provisions into national law. This inevitably led to a disparity between national laws and a failure to agree upon common technical standards for electronic signatures, making it challenging to do cross-border business. Technology has moved on since the Directive was enacted in 1999. Mobile and cloud technologies have emerged, and the Directive had become a bit dated. For example, it required that an ‘advanced electronic signature’ be created using means that the signatory can maintain under their sole control. Although the Directive was ‘technology neutral’, the requirement for sole control was interpreted to mean a smart card or physical token. Now the Regulation offers the possibility for providers to use cloud technology, and it enables customers to generate and validate electronic signatures with a mobile device.
What is the key focus of the eIDAS Regulation?
The eIDAS Regulation aims to enable citizens, businesses, and public sector bodies to carry out convenient and secure electronic transactions across EU borders. This has two components: firstly, the Regulation enables mutual recognition and acceptance of electronic identification schemes across EU borders; secondly, it establishes a common legal framework for an array of ‘trust services’ including electronic signatures, electronic seals, time stamping, electronic registered delivery services, and website authentication.
The Regulation has a direct effect in all EU Member States. From 1 July 2016, it automatically replaced the Directive and will take precedence over any conflicting national e-signature laws. The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 came into force on 22 July to revoke the Electronic Signature Regulations 2002 and modify the Electronic Communications Act 2000. Following Brexit, the UK has passed the European Union (Withdrawal) Act 2018 to provide legal certainty and continuity of EU laws under UK laws, including eIDAS, which governs electronic transactions in the European Single Market and electronic signatures. Discover more about the impact of Brexit on electronic signatures.
Can you tell us a bit more about the different types of signatures that can be used and when they are applicable?
Electronic signatures are broadly accepted throughout the industrialised world as equivalent to a written “wet” signature. For most use cases, customers, and locations, an electronic signature is sufficient. However, transactions in heavily regulated industries, in foreign countries or with governmental entities may require or prefer digital signatures, which offer a heightened level of identity assurance compared to electronic signatures.
The Regulation defines three types of electronic signature – simple, advanced, and qualified.
- Simple Electronic Signature - A ‘simple’ electronic signature is defined as ‘any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign’. In layman’s language, it is the electronic equivalent of a written signature that a signatory can apply to a document to signify his acceptance or approval. A typed name at the bottom of an email, a scanned PDF signature, the click of an ‘I accept’ button on a website and the standard signature generated via the DocuSign platform are all examples of a ‘simple’ electronic signature.
- Advanced Electronic Signature - An ‘advanced electronic signature’ is a more sophisticated and secure form of electronic signature produced using encryption technology. The Regulation requires that it is: uniquely linked to the signatory; capable of identifying the signatory; created using a private encryption key that the signatory can use under their sole control; and linked to the signed data in such a way that any subsequent change in the data is detectable.
- Qualified Electronic Signature - The final signature type is a ‘qualified electronic signature’. This is the gold standard and provides the highest level of admissibility and legal effect in the EU. Essentially, it is an ‘advanced electronic signature’ backed by a ‘qualified certificate’ issued by a trust service provider whose credentials appear in the EU Trusted List. The trust service provider must verify the signatory’s identity and issue the qualified certificate to provide assurance that the signatory is who it claims to be.
The vast majority of business and consumer transactions in the EU may be authenticated with a simple electronic signature. Nevertheless, there are some transactions which – as a matter of national law – may require an advanced or qualified electronic signature, or the parties may choose these signatures because they afford more security and a higher level of authentication. These three electronic signatures offer increasing levels of legal protection, and as the level of assurance increases, the implementation requirements become more stringent. eIDAS doesn’t prescribe which signature should be used for which scenario. The level of signature that organisations select is based on established and local industry usage, specific laws and the organisation’s risk tolerance.
The differences between an electronic signature, AES and QES relate mainly to the ID verification process. If a legal relating to a transaction arises, DocuSign eSignature's Certificate of Completion, which is generated for each signing experience, serves as an audit trail and evidence of the transaction regardless of the type of signature used.
How do you think eIDAS is beneficial from a business perspective?
The Regulation establishes a predictable regulatory framework for electronic transactions. This galvanises cross-border e-commerce and the digital economy. Businesses require trusted services and secure electronic signature platforms like DocuSign. The Regulation has opened the door for trust service providers to use cloud technology so customers can generate and validate electronic and digital signatures on the move using their smartphone or tablet. I think this can continue to play a big role in driving the digital transformation of all businesses in the UK and across the EU.
Does eIDAS mean that organisations can conduct all of their transactions electronically?
No. The Regulation does not standardise EU laws on what form of signature is necessary for the valid execution of an electronic contract. The Regulation provides that a qualified electronic signature has the equivalent effect of a handwritten signature but otherwise leaves it to national law to define the legal effect of electronic signatures. This means that an EU Member State (or its courts) may prohibit the use of electronic contracts for certain transactions and require a paper process. In the UK, for example, previously a land transfer could only be registered with HM Land Registry if it was signed by hand, although electronic signatures on deeds have now been introduced and HM Land Registry accepts electronic signatures. In civil law, in countries such as Germany and Italy, some documents must be formally notarised in the presence of a public notary. However, the exceptions are rare and electronic signatures are valid for most corporate, commercial, consumer, financial and HR transactions in the EU.
Driving Global Business with Electronic Signatures
DocuSign eSignature provides a smooth signing experience for organisations that must comply with eIDAS and other similar regulations worldwide. For further guidance, readers may be interested in the electronic signature legality guides, which have been prepared by local lawyers covering the EU Member States and other key jurisdictions, including the US, China, India and Australia. Sign up for a free trial of DocuSign Electronic Signature to get started.