Update on the eIDAS regulation, the European framework for electronic signatures
The eIDAS Regulation, designed to encourage the development of digital uses within the European community, was adopted by the European Parliament and the Council of the European Union on 23 July 2014.
Applicable since 1 July 2016, it lays down a common foundation for dematerialisation and harmonises the rules governing electronic interactions between all Member States. In particular, it has eliminated all the grey areas around the legal value of an electronic signature.
What are the requirements of the European eIDAS regulation? How can you ensure that your electronic signatures are compliant? Why use a trust service provider? We'll answer all your questions in this article!
eIDAS regulation: definition
Meaning of eIDAS
The eIDAS regulation, which stands for Electronic Identification And trust Services, is a set of rules on electronic identification and trust services for electronic transactions within the European Community.
It particularly concerns public sector bodies and trust service providers within the internal market.
Objectives of the European regulation
The regulation aims to:
- promote the emergence of a digital single market by strengthening confidence in electronic transactions within the EU;
- standardise and clarify the rules on electronic identification (eID) and trust services for all Member States;
- establish a strict legal framework and demanding standards that give any electronic signature the same legal value as a handwritten signature.
💡 It repeals Directive 1999/93/EC, whose transposition into national law and technical implementation varied from one Member State to another, which slowed down the expected development of cross-border exchanges. In addition, the directive focused solely on electronic signatures, whereas the eIDAS regulation addresses all types of electronic interaction in the broadest sense.
Scope of application
The eIDAS regulation addresses the following main issues:
- the interoperability and legal effects of trust services such as:
  - electronic signatures,
  - time stamping,
  - electronic seals,
  - electronic registered mail,
  - issuing website authentication certificates;
- qualification of Trust Service Providers (TSPs);
- drawing up European trust lists of TSPs and qualified operators;
- eID assurance levels (low, substantial and high) for the online identification and authentication of European citizens.
The 3 types of legal signature under eIDAS
The eIDAS regulation strengthens the legal value of electronic signatures. It distinguishes between two main categories of electronic signature:
- qualified signatures on the one hand,
- and non-qualified signatures (simple and advanced) on the other.
Each has its own specific uses, depending on the degree of reliability and security required.
The simple electronic signature
The simple signature offers a basic level of security, while guaranteeing the integrity of the signed document. It cannot guarantee the identity of the person signing, or provide additional information such as the date and time of signing.
It is the most widely used type of signature, because it is quick and easy to set up.
Advanced electronic signature
The advanced signature adds an extra level of security to the simple signature. The data is encrypted using a technology that protects it and provides a higher level of reliability. This is made possible by:
- a digital certificate associated with the signatory,
- a PAdES (PDF Advanced Electronic Signatures) signature format that makes it identifiable and visible,
- two-factor authentication to verify identity.
Any change to the document after signing will be detected, making the process highly secure.
The qualified electronic signature
The qualified signature adds new security features compared with the advanced signature, namely:
- visual verification of the signatory's identity, either in person or by videoconference;
- use of an SSCD-certified signature system.
This is the highest level of security, because only a Trusted Service Provider can deliver it, guaranteeing a secure and unique signature via a qualified certificate.
Its secure and complex system makes it fully equivalent to a handwritten signature in person.
How does eIDAS guarantee the legal value of an electronic signature?
The eIDAS regulation lists several criteria for defining the legal value of an electronic signature at European level:
- the issue of an electronic certificate to authenticate the identity of the signatory,
- the conformity of the electronic signature process and the application of high security standards, attested by eIDAS certification,
- any signature in electronic form, even if it does not meet the requirements of a qualified electronic signature, must be able to be accepted as evidence in legal proceedings at European level,
- respect for the integrity of the signed document, which must not be altered,
- electronic documents must be stored for ten years in a secure electronic safe.
In practice, to ensure the reliability and compliance of the electronic signature services you use, check that the electronic signature certificate is issued by a competent authority or trusted third party.
A trusted third party is a player in digital trust, guaranteeing the protection of data and electronic documents exchanged between all users. They must be able to provide proof of their eIDAS certification if you request it.
These certificates of compliance with the eIDAS regulation guarantee that the security and confidentiality standards imposed by eIDAS are met.
Choosing a Trust Service Provider
Within the meaning of Article 3, subparagraph 19, of the eIDAS Regulation, a Trust Service Provider may be a natural or legal person providing one or more trust services. It may be qualified or unqualified.
Where a qualified trust service provider issues a qualified certificate for a trust service, it shall verify, by appropriate means and in accordance with national law, the identity and, where appropriate, any specific attributes of the natural or legal person to whom it issues the qualified certificate.
A "qualified" Trust Service Provider (TSP) must provide qualified electronic trust services as defined by the eIDAS regulation. This is the case for Universign, which offers electronic signature, time-stamping and electronic seal services.
By choosing a qualified TSP (a "PSCo" in French terminology), you can be sure that your electronically signed documents have a recognised legal value and that all your digital transactions are reliable, secure and compliant with the eIDAS regulation.
These operators must comply with a set of security rules and follow a strict qualification process. They obtain certification from a supervisory body, attesting that they meet the requirements of the eIDAS regulation.
💡 In France, the national supervisory body is the Agence nationale de sécurité des systèmes d'information (ANSSI), whose role is to implement the regulation, and in particular to ensure the qualification of trusted service providers on French territory.
FAQ: eIDAS and the electronic signature
Is the legal value of a digital signature the same as that of a handwritten signature under eIDAS?
Under Article 25(2) of the eIDAS regulation, any electronic signature is admissible as evidence in court and therefore has legal value. An electronic signature cannot be refused as evidence in a court of law simply because it is not in handwritten format.
What's more, with a qualified electronic signature, which is the highest possible level of security and reliability, "the legal effect (...) is equivalent to that of a handwritten signature".
When should simple signatures, advanced signatures and qualified electronic signatures be used?
Here are the recommended uses for each type of electronic signature:
- the simple signature: to be used where the legal or financial risks are low, such as lease agreements, employment contracts, quotations or expense claims;
- the advanced electronic signature: to be used where the risk of disputes is moderate, such as contracts not subject to specific regulations, like credit contracts, life insurance policies, etc.;
- the qualified electronic signature: must be used when the risks are high, for regulated and/or high-value financial transactions, or for high-risk contractual documents requiring written form as proof.
What is a certification authority?
A Certification Authority (CA) is a trusted organisation (a company or an administrative authority, for example) authorised to issue and manage digital certificates on behalf of users.
These certificates ensure the validity, reliability and level of security of your electronic signatures, in accordance with the eIDAS regulation.
How can I recognise a certified Trusted Service Provider?
You can use the Trusted Service Provider of your choice, in France or in the European Union.
For your electronic signatures qualified at European level, you must choose your solution from among the certified Trust Service Providers grouped together by the European Commission in lists (European Union Trusted Lists, EUTL) and recognised as reliable by all the Member States.
In France, consult the national trust list drawn up by ANSSI: it lists the qualified trust service providers and their qualified trust services recognised in France.