Understanding eIDAS e-signature levels and their associated legal value
When speaking of e-signatures in the EU, the key reference for both providers and users is Regulation No 910/2014, commonly referred to as Electronic Identification and Trust Services for Electronic Transactions (eIDAS).
E-signature levels according to eIDAS
According to eIDAS, there are three levels of e-signature, each associated with different legal values. We will describe them in more detail below:
1. Simple e-signature level
What is a simple electronic signature?
As the name suggests, the simple e-signature has a very low level of complexity, which makes it widespread and easy to adopt. We have all used it at some point, maybe even without knowing it. An email footer, a scanned image of a handwritten signature sent by email, the tick used to accept the Terms and Conditions of a website when logged in to an account, and the fingerprint used to approve an online transaction are just a few examples of what a simple e-signature can be.
What security level does the simple e-signature offer?
The simple e-signature has a low level of security and assurance. It cannot guarantee that the person signing the document is who he claims to be. It does not provide details on the signing event (such as time, date etc.) either. For example, when you tick the “Accept terms & conditions” box of an online transaction, the provider receives your consent, but he does not know with certainty and cannot prove that you are the one who actually accepted the conditions (and not someone else who had access to your computer).
Unsurprisingly, this form of e-signature does not enjoy a great level of trustworthiness in case of litigation. The judge cannot rule it out as evidence just because it is a simple form, but you may be required to back it up with other evidence.
2. Advanced e-signature level
What is an advanced electronic signature?
The advanced e-signature is more secure and reliable than the simple one, as it must meet the specific eIDAS requirements laid down in Article 26. An advanced e-signature must meet the following requirements:
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
This means that the advanced e-signature is able to guarantee that the signatory is who he says he is. In addition, this type of e-signature is created with the help of a device in the sole possession of the signatory, adding an extra layer of security. The system also detects whether the data has been tampered with after the signing event, in which case the e-signature is invalidated.
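The change-detection requirement above, as an added example that is not part of the original article: a signature computed over the document digest and the signing time stops verifying as soon as either is altered, or when it is checked against another person's key. The ECDSA P-256 algorithm, the JSON layout of the signed attributes and all function names are assumptions made for illustration; binding the public key to a named person requires a certificate, which this sketch does not cover.

```javascript
const crypto = require('node:crypto');

// Constructed signatory key pair (assumption: ECDSA P-256). In practice the
// private key stays in a device under the signatory's sole control.
const { privateKey, publicKey } =
  crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });

// Hypothetical signed-attributes layout: document digest plus signing time,
// so that neither can be changed after signing without detection.
function signedAttributes(document, signingTime) {
  const digest = crypto.createHash('sha256').update(document).digest('hex');
  return Buffer.from(JSON.stringify({ digest, signingTime }));
}

function signDocument(document, signingTime, key) {
  const sig = crypto.sign('sha256', signedAttributes(document, signingTime), key);
  return { signingTime, signature: sig.toString('base64') };
}

function verifyDocument(document, envelope, pubKey) {
  const sig = Buffer.from(envelope.signature, 'base64');
  const attrs = signedAttributes(document, envelope.signingTime);
  return crypto.verify('sha256', attrs, pubKey, sig);
}

// Constructed sample data.
const contract = Buffer.from('Constructed sample: Party A pays Party B EUR 1,000.');
const envelope = signDocument(contract, '2024-01-15T10:00:00Z', privateKey);

const tampered = Buffer.from('Constructed sample: Party A pays Party B EUR 9,000.');
const backdated = { ...envelope, signingTime: '2023-01-15T10:00:00Z' };
const otherKey =
  crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).publicKey;

// Verify the untouched document, then three ways the check must fail.
function runChecks() {
  return {
    original: verifyDocument(contract, envelope, publicKey),
    tamperedDocument: verifyDocument(tampered, envelope, publicKey),
    backdatedTime: verifyDocument(contract, backdated, publicKey),
    wrongSignatory: verifyDocument(contract, envelope, otherKey),
  };
}

console.log(runChecks());
```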
What is the advanced electronic signature legal value?
The documents signed with an advanced e-signature are also fairly well protected, as the providers use encryption technology to protect the data. Finally, the advanced e-signature enjoys a greater level of confidence compared to the simple one. In case of litigation, it is up to the claimant to demonstrate its validity.
3. Qualified e-signature level
What is a qualified e-signature?
The qualified e-signature is the strictest and most complex type of all signatures. It is the only one that is the legal equivalent of the handwritten signature, making contracts 100% sealed and legally binding across all EU member states.
Technically speaking, it is an advanced e-signature, meaning that it meets the four requirements above, but, in addition, it is created using a qualified signature creation device (QSCD) and relies on a qualified certificate for electronic signatures. These two extra features ensure that the qualified e-signature is unique, confidential and secure.
Moreover, the qualified certificate can be issued only by a Qualified Trust Service Provider, an entity regularly audited and controlled to make sure it provides the highest level of security. In case of litigation, it weighs as much as a “wet ink” signature. Its validity is presumed and the reverse burden of proof principle is applied. If the signatory contests its validity, then he is the one who has to demonstrate that the e-signature is invalid.
Which electronic signature level should you choose?
Having gone through these explanations, you might be tempted to opt for the advanced form because it might seem the best compromise. In fact, all e-signature forms can be used to electronically sign all types of documents. Some documents can be signed with an advanced signature, for others it is mandatory to use a qualified e-signature, and others can be signed with a simple e-signature complemented by a time-stamping service, for example.
In any case, collaborating with a Qualified Trust Service Provider (QTSP) is essential if you want to conduct business in EU member states. It can guide and support you in choosing the right type of e-signature and, most importantly, it ensures that all e-signature forms comply with eIDAS requirements.
LuxTrust is a QTSP on the EU Trusted List and provides eIDAS-compliant e-signature solutions.