
The Complete Guide to eIDAS

13th May, 2024

The eIDAS regulation is the cornerstone of EU guidance relating to the use of electronic signatures, establishing a framework that ensures their legal validity and security. In this guide we will cover the key details of eIDAS, including the benefits of the regulation, legality, and more, to provide a greater understanding of how it enforces its standards and protects users of e-signatures.

 

What is eIDAS?

The electronic identification, authentication and trust services (eIDAS) regulation was introduced in 2016, replacing the eSignature Directive (1999). Its framework defines who can use e-signatures, in addition to various newly defined electronic “trust services”, and the context in which they can be used. The purpose of eIDAS is to increase confidence in using electronic transactions by implementing criteria that providers are required to follow to enable convenient and secure digital document processes.

Why was eIDAS created?

Technology is constantly evolving and digital services like eSignatures have become more prominently used by businesses and individuals. However, whilst this increase in digital signature usage was beneficial, there needed to be suitable legislation in place that would hold trust service providers accountable for maintaining highly secure systems that protected signers and legally binding signatures, to remove any doubt or question over the authenticity of a document.

The introduction of eIDAS meant that a framework could be implemented that accurately addressed the needs and concerns of electronic document solutions and kept up with industry demands. eIDAS is also currently being reformed to reflect further advancements in identification technology through the development of digital wallets, which we will discuss later in this guide.

 

What are the Different Types of Signatures under eIDAS?

eIDAS defines three types of electronic signatures in its framework: basic, advanced, and qualified.

Basic eSignatures

As the name suggests, this type of electronic signature is the simplest, meaning it can be any form of signature that confirms the signer’s acceptance or approval of a document. For example, this can include clicking an ‘I accept’ checkbox or using a scanned handwritten signature. There are no set requirements for security or identity verification with basic eSignatures. This makes them best suited for use on less important or non-official documents, where there won’t be any legal implications.

Advanced eSignatures

Advanced signatures are required to meet set criteria in order to be legally valid under the eIDAS regulation. This means they must provide a greater level of security, ID verification, and tamper-sealing in addition to being:

  • Capable of correctly identifying the signer
  • Uniquely linked to the signer
  • Created using eSignature data that the signer has complete control over, so they can be confident that they have the sole ability to sign with it
  • Linked to the data in a document so that the signer can monitor for further changes

Qualified eSignatures

Qualified eSignatures are the only type of signature to have a special legal status in the EU, holding the same legal status as a handwritten signature. As well as meeting the requirements for advanced signatures, qualified signatures have to meet additional criteria in order to be issued with certification (only an accredited Qualified Trust Service Provider (QTSP) can issue a qualified certificate). The identity verification process for these types of signatures is multi-step, using both two-factor authentication and encrypted keys. Qualified signatures must meet the following eIDAS requirements:

  • Protect the confidentiality of signature creation data
  • Ensure that only one use of the signature is allowed
  • Be appropriately protected by the signer
  • Ensure the signature is secured against forgery
  • Not change the data or prevent it from being presented to the signer before adding their signature

You can learn more about these types of e-signatures in our guide ‘What are the different types of eSignatures and which one should I use?’.


 

What are the Benefits of eIDAS?

There are several benefits of the eIDAS regulation for organisations and individuals including:

  • Increased trust and security across transactions – eIDAS offers users assurance that their electronic transactions are protected. Also, the process is more streamlined and user-friendly, making it quicker and easier to capture signatures for important documents.
  • Standardisation and transparency – eIDAS enforces uniform standards for providers offering trust services across the EU, which makes these services more transparent, and establishes a Digital Single Market (DSM). This means that trust services complying with the regulation can be openly circulated in the internal market. 
  • Interoperability and service convenience – the eIDAS regulation for electronic identification and trust services makes it easier and quicker for organisations to complete transactions from anywhere in the EU. This is beneficial for a wide range of businesses as collaboration and remote working partnerships become more and more commonplace.
  • Minimise process costs – eIDAS provides more flexibility for businesses and organisations to transition to digital documents rather than paper. Therefore, they can reduce paper-based costs, easily share documents, and shorten the length of time the identification and customer acquisition process takes.

 

Does eIDAS still Apply in the UK?

In short, yes, the eIDAS regulation does still apply in the UK. Following the UK’s withdrawal from the EU, the UK retained an amended form of the eIDAS regulation. This means that the UK has kept many of the original aspects of the EU eIDAS but has tailored them specifically for use within the UK. For example, there are no provisions relating to electronic identification schemes and the UK version excludes chapter II of the EU regulation.

It’s important to note that even though the UK permits and recognises the legal standing of EU eIDAS qualified services, the same cannot be said for using UK qualified services in the EU. There is no automatic acceptance of UK eIDAS regulation services in the EU.

 

The Legal Admissibility of eSignatures through eIDAS

eIDAS ensures that electronic signatures are admissible as evidence in EU courts and cannot be denied any legal effect simply because they are in a digital format. However, the legal enforceability of a transaction with an electronic signature will depend on several different factors, such as the type of signature used (basic signatures are less secure and won’t be legally binding in certain industries which regularly deal with sensitive documents) and the evidence data embedded in it.

It’s important to note that the regulation does not determine when a signature is needed or the type of signature for a transaction. Therefore, it is the responsibility of each EU member state to confirm within its laws when a particular type of transaction is unable to be signed electronically or requires a more specific type of signature, such as advanced or qualified.

No specific type of eSignature is legally required for most transactions in various industries, including commercial, corporate, consumer, HR, and financial. However, there will be certain use cases which do require a specific level of electronic signature, whether advanced or qualified, so be sure to check any document transactions you are involved with.


 

What is an eIDAS Certificate and How to Get One

eIDAS certificates offer proof of authentication systems that enable electronic transactions with the same legal standing as paper documents. A qualified certificate that has been provided to support a qualified signature in one member state can be recognised as a qualified electronic signature in all other EU member states. The eIDAS regulation implemented the conformity assessment terminology in order to fulfil the requirements for the QTSPs in all member states specified by eIDAS.

Digital certificates are an essential security feature for electronic signatures, containing sensitive data about the individual or business signing the document. A verified third party known as a Certificate Authority (CA) checks the information within the certificate. Once the signer’s identity is verified, a digital certificate is issued containing the signer’s public key, which is then used to confirm the authenticity of a signature.

 

What is the New eIDAS Regulation?

Even though the original eIDAS regulation is still an integral framework for the use of electronic signatures and other trust services, 10 years since its initial development, digital consumer demands and the technology behind them have evolved significantly, and current regulation does not account for the changes. Reliance on digital solutions has increased at a much faster rate than anticipated due to global events, with discussions for eIDAS 2.0 beginning in 2020 following the coronavirus pandemic.

One of the main objectives for the new eIDAS regulation is to encourage organisations to use secure and trusted digital identity solutions, as well as addressing the gaps that could not be filled by the previous framework. Also, the regulation aims to strengthen the infrastructure for digital solutions, supporting better interoperability of services and avoiding fragmentation for users. Changes in the eIDAS 2.0 regulation will focus on three key areas:

  • Resolving weaknesses in the existing regulation
  • Expanding to cover additional trust services such as electronic registered mail, electronic certificates for authentication, and more
  • Proving identities with the Digital Wallet

 

Digital Identities and eIDAS 2.0

A core part of eIDAS 2.0 is digital identities and the introduction of the Digital Identity Wallet (DIW). Digital identities are a digital representation of the essential details that make up an individual’s identity, such as name and age. They can also include other information depending on your preference, for example an address and biometric data (face scan or fingerprint). A digital identity allows you to prove your identity quickly and easily, without the hassle of presenting physical documents. With a DIW, you will be able to securely store and manage your digital identity all from one place. We discuss eIDAS 2.0 and digital identities in more detail in our article ‘eIDAS 2.0 and the impact of digital identities’ should you want to learn more.

 

How is E-Sign Compliant with eIDAS?

As an industry-leading eSignature provider, E-Sign maintains compliance with the eIDAS regulation in order to effectively provide secure advanced signatures to our customers. Each signature is specifically linked to the signer and comes with a full audit trail, recording essential details regarding the signature, such as the date and time the document was signed and the location and IP address it came from.

The signer has full control over their eSignature data and the robust security protocols we have in place ensure that our electronic signatures are practically impossible to forge. Our services are fully compliant with both the EU and UK versions of the eIDAS regulation.

In addition to advanced electronic signatures, E-Sign is currently working to achieve our goal of becoming a Qualified Trust Service Provider. To do this we are further developing our platform to meet the criteria set out by eIDAS for the provision of qualified electronic signatures. Once we have successfully become a QTSP, we will be able to expand our service offerings and support more industries with their electronic signature and digital solution needs.

 

Conclusion

Hopefully this guide has offered a greater insight into eIDAS and its importance in establishing the secure use of electronic signatures and other digital trust services. The regulation is essential in maintaining high standards of security amongst providers, to protect user data as well as ensuring that their digital signatures are legally valid.

E-Sign is committed to adhering to all relevant industry standards and regulations both in the UK and internationally, with eIDAS being just one example of this. You can learn more about our compliance through our legality guide. If you’re looking to save time and money with an effective digital document solution, E-Sign can support you. Our pricing plans offer flexibility so we can tailor our services to meet the bespoke requirements of each organisation and industry we work with.

Get started with us today by registering for our 14-day free trial. You can also contact us if you have any specific queries and our friendly team can discuss the best e-signature solution for your needs.


Luke Garrett

Head of Digital Transformation

Luke works with organisations to evaluate their existing processes, assessing the organisational change and change management processes that a business may require. He leads organisations through the process and ensures a smooth transition to the most effective operations.
