What is the Difference Between Advanced and Qualified eSignatures?

11th December, 2024

AUTHOR

Thomas Taylor

Managing Director

Any organisation looking to use an electronic signature solution should understand the different types of signatures. Your business or industry may be highly regulated and handle sensitive document transactions, which require additional security and verification from your chosen signature platform to ensure the legal validity and authenticity of the signed document.

In this guide, we’ll define the main types of signatures as established by the eIDAS regulation and clarify the differences between advanced and qualified e-signatures so that you can find the right solution for your operational needs.

 

What is the difference between advanced and qualified e-signatures?

Features | Advanced | Qualified
Certainty about the signatory’s identity | Medium | Non-repudiation
Certainty that the content can’t be changed after the signature | High | High
Certainty of the link of the signature to the signatory | Medium | High
Certainty that the signature is under the sole control of the signatory | Low | High
eIDAS’s guarantee | Medium | High

Under the eIDAS regulation, both advanced and qualified e-signatures are classed as legally binding. However, qualified electronic signatures are the only type of e-signature that share the same legal weight and equivalence as a handwritten signature (if used as evidence in a court of law). 

A QES cannot be easily challenged, as the authorship is considered to be non-repudiable. The two types of e-signature share many similarities, but a QES is designed to have a higher security and assurance level for more regulated industries that regularly handle sensitive document transactions. In essence, a QES enhances the security, identity verification requirements and legal assurance that an AES provides.

 

What is eIDAS?

The Electronic Identification and Trust Services Regulation, also known as eIDAS, is a detailed set of laws and technical standards that provides an overall framework for providing electronic trust services in all EU member countries. It is important to note that following the UK’s exit from the EU, the country amended the eIDAS regulation, retaining most of the same standards within the regulation but adapting them to better suit UK organisations.

The purpose of eIDAS is to increase confidence in using electronic transactions by implementing criteria that providers are required to follow to enable convenient and secure digital document processes. The eIDAS regulation defines three types of electronic signatures: simple, advanced, and qualified.

 

Types of eSignatures in Europe

 

What is a simple e-signature?

Simple eSignatures (SES) are the most basic and easiest to implement, as no identity verification is required. A signature can be added to a document by anyone who opens it, whether by drawing the signature, typing it, uploading an image, or ticking a checkbox. This makes them an ideal option where a basic document that won’t have a significant legal implication needs to be signed.

Simple signatures are legally binding in some cases, but some industries and scenarios require a higher level of authenticity for the signature to be legally accepted. Due to the lack of verification, similar to a traditional wet signature, simple eSignatures can be easier to forge, which is why they are best utilised on non-official documents. 

eIDAS states that at the most basic or simple level, an e-signature can be defined as ‘data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.’

 

What is an advanced e-signature?

Advanced electronic signatures (AES) use Public Key Infrastructure (PKI) technology to satisfy the criteria set out by the eIDAS regulation in order to be legally binding and valid on documents. This means that the electronic signature is applied with a digital certificate, which is similar to an electronic version of a passport or driving licence, that is only provided after thorough identity verification by a trusted third party (often referred to as a Certificate Authority or CA).

The digital certificate and the signatures created with it are therefore unique to the signer and practically impossible to forge. Under eIDAS, advanced e-signatures must meet the following requirements:

  • Be capable of identifying the signer
  • Be uniquely linked to the signer
  • Be created using e-signature creation data that the signer can, with a high level of confidence, have under their control
  • Be linked to the data in a way that any subsequent change is detectable

An advanced electronic signature ensures that only the signer possesses the private key required to create the signature, providing confidence in the signer’s identity. Additionally, the automated authentication process verifies the document’s integrity by detecting any alterations made after it was signed whenever the recipient accesses the document.

Integrity and authenticity are guaranteed for an AES if the above eIDAS requirements are met. The regulation confirms that the signature cannot be legally denied simply because it is in an electronic format. As a result, a properly created and implemented advanced e-signature is just as good as, if not better than, a handwritten signature.

Use cases for advanced e-signatures

A wide range of documents across many industries can be signed using an advanced electronic signature, including:

  • Commercial contracts
  • Non-disclosure agreements
  • Exchange agreements
  • Employment contracts
  • Lease and tenancy agreements

 

What is a qualified e-signature?

According to the eIDAS regulation, a qualified electronic signature (QES) is defined as “an advanced e-signature generated using a qualified signature creation device (QSCD) and backed by a qualified certificate for electronic signatures.” The QSCD plays a critical role in ensuring the security and reliability of a qualified e-signature.

As part of the regulation criteria, the QSCD must ensure:

  • The confidentiality of the e-signature creation data
  • The data used for signature creation can only occur once
  • The data used for signature creation cannot be derived and the signature is protected from forgery using suitable security measures and technology
  • The data used for signature creation can be reliably protected by the signer from use by other individuals
  • Only a Qualified Trust Service Provider can create or manage data on behalf of the signer
  • Qualified trust service providers that manage e-signature creation data on behalf of the signer may duplicate the data only for backup purposes as long as certain requirements are met. These requirements are: the security of the duplicated datasets must be at the same level as the original datasets and the number of duplicated datasets shall not exceed the minimum required to ensure the continuation of the service.

The second component of the QES definition specifies that the data used by the device must rely on a “qualified certificate for electronic signatures.” Such a certificate can only be issued by a Certificate Authority accredited as a Qualified Trust Service Provider (QTSP).
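
Both parts of the definition can be read from the signing certificate itself. The following is an added example, not code from this article or from E-Sign: it assumes the claims are carried in the certificate's qcStatements extension as specified in ETSI EN 319 412-5, and the function names and sample byte strings are constructed for illustration.

```python
# Added example; OIDs from ETSI EN 319 412-5 as DER content bytes; samples are constructed.
QC_COMPLIANCE = bytes.fromhex("04008e460101")  # 0.4.0.1862.1.1 qualified certificate
QC_SSCD = bytes.fromhex("04008e460104")        # 0.4.0.1862.1.4 key held in a QSCD
QC_TYPE = bytes.fromhex("04008e460106")        # 0.4.0.1862.1.6 certificate type list
QCT_ESIGN = bytes.fromhex("04008e46010601")    # 0.4.0.1862.1.6.1 electronic signature

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Yield (tag, value) for each element nested in a constructed value."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def classify(qc_der):
    """Report which signature level the certificate's own claims can support."""
    if not qc_der:  # extension absent: ordinary (non-qualified) certificate
        return "not a qualified e-signature certificate: AES at most"
    tag, seq, _ = read_tlv(qc_der)
    if tag != 0x30:
        raise ValueError("qcStatements must be a SEQUENCE")
    ids, types = set(), set()
    for _, stmt in children(seq):
        parts = list(children(stmt))  # [statementId, optional statementInfo]
        ids.add(parts[0][1])
        if parts[0][1] == QC_TYPE and len(parts) > 1:
            types = {oid for _, oid in children(parts[1][1])}
    # Simplifying assumption: the e-signature type must be stated explicitly.
    if QC_COMPLIANCE not in ids or QCT_ESIGN not in types:
        return "not a qualified e-signature certificate: AES at most"
    if QC_SSCD not in ids:
        return "qualified certificate without QSCD: not QES"
    return "qualified certificate on QSCD: QES"

COMPLIANCE = "3008060604008e460101"  # QCStatement { QcCompliance }
SSCD = "3008060604008e460104"        # QCStatement { QcSSCD }
ESIGN = "3013060604008e4601063009060704008e46010601"  # QCStatement { QcType { esign } }
QES_SAMPLE = bytes.fromhex("3029" + COMPLIANCE + SSCD + ESIGN)
NO_QSCD_SAMPLE = bytes.fromhex("301f" + COMPLIANCE + ESIGN)
```

These statements are only the issuer's own assertion: a verifier still has to confirm that the issuing CA is listed as a QTSP on a trusted list and that the signature itself validates against the document.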

Use cases for qualified e-signatures

Qualified e-signatures often have specific use cases in high value or high risk documents across regulated industries. Some examples of documents that require a qualified signature include:

  • Financial documents like bank loans and mortgages
  • Public procurement or tender documents
  • Legal authorisation documents to sign on behalf of someone else e.g., power of attorney
  • Certain types of high value insurance documents
  • Confidential or legal documents such as transfer agreements

 

Technical security and legal assurance of qualified e-signatures

Technical security

All qualified signatures must be created using a QSCD, but it is also important to differentiate between local and remote signing. Local signing refers to a process where the end-user/customer holds onto a personal device (such as a smart card) that stores the signing key. The device is then used to start the signature process. In cases of local signings like this, both the smart card and card reader need to be certified to become a QSCD. 

Remote signing involves safeguarding the signature key within a Trust Service Provider’s hardware, typically a hardware security module located in a secure data centre. The signer initiates the signing process by accessing the signing key online, which requires strong authentication. In this setup, all signature creation data is encrypted, securely stored in a database keystore, and shielded by the signing key for maximum protection.

Legal assurance

In accordance with eIDAS, a qualified signature exceeds the requirements for an advanced e-signature, establishing signatures that have the same legal assurance as a handwritten signature across all EU member countries. 

When European law defines signature formalities for contract fulfilment, various contracts require handwritten or equivalent signatures on digital documents. Some examples include banking and finance documents, work contracts, tenders, insurance, and notarised legal documents, which can now be signed digitally without compromising security or legal validity. 

Identity verification

In addition to providing security and legal assurance in regulated industries, a key distinction between advanced and qualified electronic signatures lies in the stringent identity verification requirements. Qualified Trust Service Providers must ensure that the identity of signers is thoroughly verified and authenticated as part of the QES process.

Many banks and governments that follow eIDAS currently use a KYC process requiring the physical presence of the customer in order to use the data digitally. However, completing these checks online would significantly speed up processes and ensure that customers are getting the best possible service. With the planned implementation of eIDAS 2.0 and Digital Identities, the use of qualified signatures and the identity verification measures involved will become even more significant, and they are likely to become more in demand with these advancements in digital ID technology.

 

Conclusion

Hopefully, this guide has provided you with a greater insight into the differences between advanced and qualified e-signatures. Qualified eSignatures are typically required when automating the signing process in highly regulated industries and for documents where a handwritten signature would traditionally have been used. 

A QES can also be used where it is not strictly required by law, if an organisation is looking for a higher level of security and legal assurance. However, in many use cases and industries, an advanced e-signature is a suitable solution for meeting an organisation’s needs for transaction security, authentication, and legal validity, as well as being more cost-effective in most instances.

 

Contact E-Sign today if you’re looking for an efficient, secure, and user-friendly electronic signature and digital document solution. You can also get started with E-Sign by registering for our 14-day free trial.

