The Complete Guide to eIDAS

The eIDAS regulation is the cornerstone of EU guidelines for the use of electronic signatures, providing a framework that ensures their legal validity and security. This guide will explore the key aspects of eIDAS, including its benefits, legal implications, and more, to offer a comprehensive understanding of how it upholds standards and protects users of e-signatures.

What is eIDAS?

The electronic identification, authentication, and trust services (eIDAS) regulation, introduced in 2016, replaced the eSignature Directive (1999). It establishes a framework that defines who can use e-signatures, along with a range of newly defined electronic “trust services” and the contexts in which they can be utilized. The primary goal of eIDAS is to enhance trust in electronic transactions by setting criteria that providers must follow to ensure secure and seamless digital document processes.

Why was eIDAS created?

Technology is continuously advancing, and digital services like eSignatures have become increasingly essential for businesses and individuals. While the rise in digital signature usage has been beneficial, it also highlighted the need for robust legislation to ensure trust service providers are accountable for maintaining secure systems. This is crucial for protecting signers and ensuring legally binding signatures, eliminating any doubts about the authenticity of documents.

The introduction of eIDAS provided a regulatory framework that effectively addressed the needs and challenges of electronic document solutions while staying in line with industry demands. Furthermore, eIDAS is currently undergoing reforms to accommodate advancements in identification technology, including the development of digital wallets, which we will explore later in this guide.

What are the Different Types of Signatures under eIDAS?

eIDAS defines three types of electronic signatures in its framework; basic, advanced, and qualified. 

Basic eSignatures

As the name suggests, this type of electronic signature is the simplest. Meaning it can be any form of signature that confirms the signer’s acceptance or approval of a document. For example, this can include clicking an ‘I accept’ checkbox or using a scanned handwritten signature. There are no set requirements for security or identity verification with basic eSignatures. This makes them best suited for use on less important or non-official documents, where there won’t be any legal implications. 

Advanced eSignatures

Advanced signatures are required to meet set criteria in order to be legally valid under the eIDAS regulation. This means they must provide a greater level of security, ID verification, and tamper-sealing in addition to being:

• Capable of correctly identifying the signer
• Uniquely linked to the signer
• Created using eSignature data that the signer has complete control over and can be confident that they have the sole ability to sign it 
• Linked to the data in a document so that the signer can monitor for further changes

Qualified eSignatures

Qualified eSignatures are the only type of signature to have a special legal status in the EU. Holding the same legal status as a handwritten signature. As well as meeting the requirements for advanced signatures, qualified signatures have to meet additional criteria in order to be issued with certification (only an accredited Qualified Trust Service Provider (QTSP) can issue a qualified certificate). The identity verification process for these types of signatures is multi-step, using both two-factor authentication and encrypted keys. Qualified signatures must meet the following eIDAS requirements:

• Protect the confidentiality of signature creation data
• Ensure that only one use of the signature is allowed
• Be appropriately protected by the signer
• Ensure the signature is secured against forgery
• Not change the data or prevent it from being presented to the signer before adding their signature

You can learn more about these types of eSignatures in our guide ‘What are the different types of eSignatures and which one should I use?’.

What are the Benefits of eIDAS?

There are several benefits of the eIDAS regulation for organisations and individuals including:

• Increased trust and security across transactions – eIDAS offers users assurance that their electronic transactions are protected. Also, the process is more streamlined and user-friendly, making it quicker and easier to capture signatures for important documents.
• Standardisation and transparency – eIDAS enforces uniform standards for providers offering trust services across the EU, which makes these services more transparent, and establishes a Digital Single Market (DSM). This means that trust services complying with the regulation can be openly circulated in the internal market. 
• Interoperability and service convenience – the eIDAS regulation for electronic identification and trust services makes it easier and quicker for organisations to complete transactions from anywhere in the EU. This is beneficial for a wide range of businesses as collaboration and remote working partnerships become more and more commonplace.
• Minimise process costs – eIDAS provides more flexibility for businesses and organisations to transition to digital documents rather than paper. Therefore, they can reduce paper-based costs, easily share documents, and shorten the length of time the identification and customer acquisition process takes.

Does eIDAS still Apply in the UK?

In short, yes, the eIDAS regulation does still apply in the UK. Following the UK’s withdrawal from the EU, the UK retained an amended form of the eIDAS regulation. This means that the UK has kept many of the original aspects from the EU eIDAS. But have tailored them specifically for use within the UK. For example, there are no provisions relating to electronic identification schemes and the UK version excludes chapter II of the EU regulation. 

It’s important to note that even though the UK permits and recognises the legal standing of EU eIDAS qualified services, the same cannot be said for using UK qualified services in the EU. There is no automatic acceptance of UK eIDAS regulation services in the EU.

The Legal Admissibility of eSignatures through eIDAS

eIDAS ensures that electronic signatures are admissible as evidence in EU courts and cannot be denied any legal effect simply because it is in a digital format. However, the legal enforceability of a transaction with an electronic signature will depend on several different factors. Such as the type of signature used (basic signatures are less secure and won’t be legally binding in certain industries which regularly deal with sensitive documents) and the evidence data embedded in it. 

It’s important to note that the regulation does not determine when a signature is needed or the type of signature for a transaction. Therefore, it is the responsibility of each EU member state to confirm within its laws when a particular type of transaction is unable to be signed electronically. Or requires a more specific type of signature, such as advanced or qualified. 

No specific type of eSignature is legally required for most transactions in various industries. Including commercial, corporate, consumer, HR, and financial. However, there will be certain use cases which do require a specific level of electronic signature. Whether it is advanced or qualified, so be sure to check any document transactions you are involved with.

What is an eIDAS Certificate and How to Get One

eIDAS certificates offer proof of authentication systems that enable electronic transactions with the same legal standing as paper documents. A qualified certificate that has been provided to support a qualified signature in one member state, can be recognised as a qualified electronic signature in all other EU member states. The eIDAS regulation implemented the conformity assessment terminology. In order to fulfil the requirements for the QTSPs in all member states specified by eIDAS. 

Digital certificates are an essential security feature for electronic signatures. Containing sensitive data about the individual or business signing the document. A verified third party known as a Certificate Authority (CA) checks the information within the certificate. Once the signer’s identity is verified, a digital certificate is issued containing the signer’s public key. Which is then used to confirm the authenticity of a signature.

What is the New eIDAS Regulation?

Even though the original eIDAS regulation is still an integral framework for the use of electronic signatures and other trust services. 10 years since its initial development, digital consumer demands and the technology behind them have evolved significantly, and current regulation does not account for the changes. Reliance on digital solutions has increased at a much faster rate than anticipated due to global events. With discussions for eIDAS 2.0 beginning in 2020 following the coronavirus pandemic. 

One of the main objectives for the new eIDAS regulation is to encourage organisations to use secure and trusted digital identity solutions. As well as addressing the gaps that could not be filled by the previous framework. Also, the regulation aims to strengthen the infrastructure for digital solutions, supporting better interoperability of services and avoiding fragmentation for users. Changes in the eIDAS 2.0 regulation will focus on three key areas:

• Resolving weaknesses in the existing regulation
• Expanding to cover additional trust services such as electronic registered mail, electronic certificates for authentication, and more
• Proving identities with the Digital Wallet

Digital Identities and eIDAS 2.0

A core part of eIDAS 2.0 is digital identities and the introduction of the Digital Identity Wallet (DIW). Digital identities are a digital representation of the essential details that make up an individual’s identity, such as name and age. It can also include other information depending on your preference for example, an address and biometric data (face scan or fingerprint). A digital identity allows you to prove your identity quickly and easily, without the hassle of presenting physical documents. With a DIW, you will be able to securely store and manage your digital identity all from one place. We discuss eIDAS 2.0 and digital identities in more detail in our article ‘eIDAS 2.0 and the impact of digital identities’ should you want to learn more.

How is E-Sign Compliant with eIDAS?

As an industry leading eSignature provider, E-Sign maintains compliance with the eIDAS regulation. In order to effectively provide secure advanced signatures to our customers. Each signature is specifically linked to the signer and comes with a full audit trail, detailing essential details regarding the signature. Such as the date and time the document was signed and the location and IP address it came from. 

The signer has full control over their eSignature data and the robust security protocols we have in place ensure that our electronic signatures are practically impossible to forge. Our services are fully compliant with both the EU and UK versions of the eIDAS regulation.

In addition to advanced electronic signatures, E-Sign is currently working to achieve our goal of becoming a Qualified Trust Service Provider. To do this we are further developing our platform to meet the criteria set out by eIDAS for the provision of qualified electronic signatures. Once we have successfully become a QTSP, we will be able to expand our service offerings and support more industries with their electronic signature and digital solution needs.

Conclusion

We hope this guide has provided a deeper understanding of eIDAS and its pivotal role in ensuring the secure use of electronic signatures and other digital trust services. The regulation is vital in upholding high security standards among providers, safeguarding user data, and guaranteeing the legal validity of digital signatures.

At E-Sign, we are fully committed to complying with all relevant industry standards and regulations, both in the UK and internationally. eIDAS is just one example of the many regulations we adhere to. To learn more about our compliance practices, we invite you to explore our legality guide.

If you’re looking to save time and money with an efficient digital document solution, E-Sign is here to help. Our flexible pricing plans can be tailored to meet the unique needs of your organisation, regardless of industry. We offer customisable solutions to ensure that every aspect of your document management is streamlined and secure.

Start today by registering for our 14-day free trial, and experience firsthand how our platform can simplify your processes. If you have any specific questions or need assistance in selecting the best eSignature solution for your business, our friendly team is ready to help. Contact us today to discuss how we can support your needs.