Oversold e-signature levels

In one of our first blog posts, we explained the electronic signature levels as defined by the eIDAS Regulation – “the Bible” of using e-signatures and trust services in Europe. As a quick reminder, there are three levels: simple, advanced and qualified, each with its own features and a different level of security and legal acceptance. Should you need to further refresh your knowledge, check our article available here.

For different reasons or due to some misconceptions (that we will detail on another occasion), people tend to take shortcuts when applying an e-signature. Some fall into the trap of thinking that adding new elements can upgrade their e-signature to a higher level.

For example, adding a timestamp to a simple electronic signature in the hope that it will become an advanced one is a common mistake. The timestamp is, of course, useful, providing legal evidence of the date and time when the e-signature was executed, but it does not offer extra information about the identity of the signer or their intent to sign.

To make it clear, a simple electronic signature, even if it is accompanied by a timestamp, remains a simple one that needs to be backed up by other types of (solid) evidence in case of litigation.

Misleading e-signature levels

You could be very confident that the advertised e-signature level is the right one or the most appropriate one for your documents, while, in fact, it is not what it seems. This occurs when the issuer of the certificate needed for a qualified e-signature or timestamp does not appear in the EU Trusted List or is not validated in Adobe’s EUTL list. As a reminder, only Qualified Trust Service Providers are authorised to provide qualified certificates for qualified signatures or other qualified trust services (including timestamping, electronic sealing, etc.). In these cases, the validity of the signatures as well as their qualities are not guaranteed to last over time.

Naturally, discovering that the e-signature does not have the level or strength we thought it had is troubling. This could mean that we have breached some internal risk and compliance principles, which exposes the company to more external risks. But this does not necessarily mean that everything is lost in case of litigation either. There is still hope for a favourable outcome; it is just that the entire context will be under investigation. This will surely require a lot more effort put into researching, analysing and providing extra evidence to support these degraded electronic signatures. On the one hand, this could translate into delays and increased legal fees. On the other, it could further impact the company’s insurance premiums.

The eIDAS qualified electronic signature, properly applied, is the one that could mitigate any legal risks and reduce the associated costs, but using a simple or advanced e-signature can absolutely work and suffice in specific circumstances. This is why companies should work closely with their Risk, Compliance and/or Legal departments in order to identify what e-signature levels are required for the specific documents they need to sign. What is advisable is to avoid a mismatch of e-signature levels in sensitive contexts, such as when signing or sealing high volumes of data or high-risk documents.