The eIDAS Regulation sets standards that allow businesses and individuals to access public services across the EU in a safe, secure and seamless manner. It also ensures that trust services, such as electronic signatures, hold the same legal power in the European Union as wet signatures and can be used across borders. As part of this, the regulation defines three different types of e-signature: SES, AES and QES.
Each provides a different level of security and authentication, and you can choose the type you need based on the kind of document you want to sign. This article is a guide to this complicated but important electronic signature system. You will also find a breakdown of what each signature requires, the level of security it provides and the type of document on which you might use it.
E-Signature Assurance Levels
eIDAS, which stands for electronic IDentification, Authentication and trust Services, came into force in 2014 and applied to electronic identification and trust services for electronic transactions in the EU from July 2016. Article 8 of the eIDAS Regulation created definitions for three different electronic identification assurance levels for applications such as electronic signatures. They are:
- Low: technology at this level means that you can have only “a limited degree of confidence” that the person you are identifying is who they say they are.
- Substantial: technology at this level means that you can have more confidence that the person you are identifying is who they say they are.
- High: technology at this level means that you can have “a higher degree of confidence” that the person you are identifying is who they say they are.
These electronic identification assurance levels provide the basis for the three types of electronic signature. A Simple Electronic Signature (SES) provides a low assurance level, an Advanced Electronic Signature (AES) provides a substantial assurance level and a Qualified Electronic Signature (QES) provides a high assurance level.
Types of Electronic Signature According to eIDAS
Here are the three different types of electronic signature, what they entail and which types of documents they are best suited for.
Simple Electronic Signature
The Simple Electronic Signature, also known as the Basic Electronic Signature, provides the lowest level of assurance. It meets the base definition of an e-signature, which Article 3 states is:
“data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”
There is no requirement to check the authenticity of the signer or to link the signature to the person, but it does still count as an electronic signature. This means that it could be:
- your name typed by you at the end of an email
- typing your name at the bottom of a form
- a signature on a parcel delivery person’s terminal
- scanning a copy of your wet signature and pasting it into an electronic document
- hitting a button that says ‘I Agree’, as often featured on the terms and conditions of an app.
In the case that someone denies having signed the document in question, the burden of proof for its authenticity lies with the party that requested the signature. Without any traceable link between the signature and the signatory, it is often very difficult to prove that it is genuine. This is why an SES is unsuitable for important documentation.
However, for basic applications, an SES is useful and easy to implement. It does not require any hardware to create, making it a straightforward solution.
Advanced Electronic Signature
The Advanced Electronic Signature provides the substantial assurance level. For an AES, you need to be able to identify the signer using a Secure Signature Creation Device (SSCD) that is linked solely to them, but you do not need to guarantee that they are who they claim to be.
You should also be sure that the signatory had sole control over creating the signature, meaning it is created on their own computer, phone or other device. In addition, an AES requires that the document cannot be changed or tampered with once the signer has signed it. It sometimes includes multi-factor authentication, where the signatory may have to enter a code sent to the phone number held on record for that identity, or answer a personal security question, in addition to using their password.
The technology usually used to meet these requirements is a Public Key Infrastructure (PKI). A Certificate Authority (CA) checks the signer's identity and then issues them a digital certificate, which gives the signer a secure personal cryptographic key that identifies them alone. A signature generated with this key links back to the signer and also serves as proof of whether anyone has accessed and changed the document after it was signed.
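The PKI flow just described, as an added example written for this article (it is not code from the original page or from Signhost/Evidos) using only Go's standard library: a constructed CA issues a certificate to a signer after, we assume, vetting their identity; only the signer's private key can produce the signature; and the verifier accepts only when the certificate chains to a CA on its own trust list and the document is byte-for-byte what was signed. All names and the contract text are constructed, and the keys are Ed25519.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // abort on any error to keep the example short
	if err != nil {
		panic(err)
	}
	return v
}

// newCert: issuerKey certifies a fresh Ed25519 key under name; issuer nil means a self-signed root (our constructed CA).
func newCert(name string, issuer *x509.Certificate, issuerKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	must(pub, err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature}
	if issuer == nil { // root: certifies itself and may sign other certificates
		issuer, issuerKey, tmpl.IsCA, tmpl.KeyUsage = tmpl, key, true, x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, issuer, pub, issuerKey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyDocument: the signer's certificate must chain to a CA in roots, and sig must match doc byte for byte.
func VerifyDocument(roots *x509.CertPool, cert *x509.Certificate, doc, sig []byte) bool {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil && cert.CheckSignature(x509.PureEd25519, doc, sig) == nil
}

// Demo: the CA certifies Alice, Alice signs a constructed contract, and a verifier checks three cases.
func Demo() (genuine, tampered, untrusted bool) {
	caCert, caKey := newCert("Constructed Trust Service Provider", nil, nil)
	roots := x509.NewCertPool() // the verifier's trust list: only this CA is trusted
	roots.AddCert(caCert)
	aliceCert, aliceKey := newCert("Alice Example (constructed)", caCert, caKey)
	doc := []byte("Employment contract: salary EUR 50,000 (constructed)")
	sig := ed25519.Sign(aliceKey, doc) // only the holder of Alice's private key can produce this
	genuine = VerifyDocument(roots, aliceCert, doc, sig)                                                            // true
	tampered = VerifyDocument(roots, aliceCert, []byte("Employment contract: salary EUR 90,000 (constructed)"), sig) // false: changed after signing
	untrusted = VerifyDocument(x509.NewCertPool(), aliceCert, doc, sig)                                             // false: Alice's CA is not on this trust list
	return genuine, tampered, untrusted
}
```

The third case is what the trusted lists in the QES section provide in practice: a verifier only accepts certificates from providers it has been told to trust.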
Examples of situations that may call for an AES include:
- Sending a One-Time Password (OTP) over text message or email to verify a login
- Employment contracts
- Banking documents
As with the SES, in cases of dispute over whether the correct person signed the document, it is up to the issuer to prove that the signatory was who they said they were. However, an AES comes with a more comprehensive audit trail, which makes this easier to prove.
Qualified Electronic Signature
A QES requires all of the same protocols as an AES, but is also created by a Qualified Signature Creation Device (QSCD) and uses a qualified certificate to generate signatures. It is the most secure of the three types of electronic signature and, unlike the other two types, when a signatory disputes the use of their signature, the burden is on them to prove that they did not.
The bodies that provide the qualified certificates for these signatures are called qualified Trust Service Providers (TSPs). Every qualified TSP has been granted the right to perform this task by the authorities in its EU member state, which place it on the EU trusted lists.
Another key element is that the signer must be verified by a face-to-face meeting or an equivalent process, such as a video call, before they can sign their first QES. In addition, multi-factor authentication, such as entering a PIN code, is always required to ensure validity.
These added levels of security make the QES a legally valid digital signature. As a result, it has the same effect in court as a handwritten signature.
Examples of when you might require a QES include:
- Large commercial agreements
- Major sales agreements
- Mortgage documents
One important consideration for businesses using electronic signatures is how they handle data in compliance with the General Data Protection Regulation (GDPR). The process of having people sign documents and contracts means that you have to store their personal information for extended periods of time. Given that GDPR requires you to gain consent to hold data, and that it should be encrypted and secure, you need to factor this into your processes.
Using an electronic signature platform such as Signhost by Evidos deals with these compliance issues on your behalf. It is a 100% legally valid solution that gives you peace of mind that you have your GDPR obligations covered.
How to Choose the Right Solution
Choosing the correct type of signature for your documents is, generally, down to the business in question, which must make a risk assessment based on their own situation. You might opt to use different types of signature based on the importance of the document, but it is a decision that must be made based on the security offered and the legal implications if there was a dispute.
Another decision to make revolves around how to verify signers. This must be based on the signing and identification methods available in the country in which you work and the signer is based, which may be different. Signhost helps with this too, as it is constantly updated to ensure it incorporates all of the available identification methods in the EU and beyond.
You should also consider the markets you will work in. Conforming to eIDAS brings a high level of confidence within the EU, and there are global equivalents, too. ESIGN in the United States is an example of additional regulations you may need to follow.
Cases When Electronic Signatures Are Not Appropriate
Electronic signatures, according to Article 25 of eIDAS, “shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.” This shows that the EU sees e-signatures as a legal method of proving agreement on any digital platform.
There are no specific cases mentioned in eIDAS where the use of electronic signatures is forbidden, but the Directive on Electronic Commerce sets out some examples of contracts that member states can insist exist only in physical form. In these cases, an electronic signature would not be appropriate, as there is no digital version of the document. They are:
- contracts that create or transfer rights in real estate, except for rental rights;
- contracts requiring by law the involvement of courts, public authorities or professions exercising public authority;
- contracts of suretyship granted and on collateral securities furnished by persons acting for purposes outside their trade, business or profession;
- contracts governed by family law or by the law of succession.
How can you get an electronic signature?
To get an SES, you can photograph or scan your wet signature, draw it on a paint program, type your name out in full, type an X or make any kind of digital mark. For an AES and QES, you need a secure and trusted platform such as Signhost to create the signature and help you verify the signer’s identity.
Can deeds be signed electronically?
If deeds are available electronically, it is usually possible to sign them digitally. However, real estate contracts are one of the categories of documents that do not need to have an electronic version created. EU member states can choose to keep them as a physical-only entity, which would prevent electronic signing.
Can you notarise an electronic signature?
You can notarise an electronic signature. As an example, on 19 March 2021, signatories representing the EU member states electronically signed and notarised the commitments made during the union's fourth European Digital Day.
There is a big difference between the different types of electronic signature: SES, AES and QES. In order to ensure that you meet all of the requirements for each type, you should use an online e-signature platform such as Signhost. It is kept up-to-date and provides compliance with privacy protocols, regulations and best practices in all the major states as well as with GDPR. Try out Signhost for free here.