The world is slowly but surely moving away from its centuries-old obsession with paper. With the very real threat of man-made climate change, it is a welcome sign that the world is moving towards electronic means for recording and communicating information which is reducing the pressure on our forests. In addition to the trees saved, this also reduces the carbon impact of having to physically ship those documents around – usually via the least carbon-efficient modes like airplanes.
But behind all of this digitization, a considerable amount of effort goes on in the background to ensure that the customer’s entire digital journey is seamless, fast, error-proof and fraud-proof. In the European Union, regulations like eIDAS and their supporting technical standards provide the broad framework which allows for secure digital authentication and the use of electronic signatures and seals. Digital signatures and seals enable a lot of the digitization of paper-based processes that we see today, from financial services to eGovernance and everything in between.
eIDAS specifies three levels of electronic signature, the Simple Electronic Signature, the Advanced Electronic Signature (AdES) and the Qualified Electronic Signature (QES), each with its own assurance level. Advanced Electronic Signatures (AdES) have to meet specific criteria under the eIDAS Regulation, which differentiate them from simple electronic signatures. AdES is described in detail in this article, but some of its requirements include:
- It uniquely identifies and is linked to its signatory
- The private key used to create the electronic signature is under the sole control of the signatory
- If the data is tampered with after the message has been signed, the signature must identify that this has happened
- The signature is invalidated in the event its accompanying data has changed
With the highest assurance level and legal value, a Qualified Electronic Signature is an Advanced Electronic Signature based on a qualified certificate, and the digital signature must be created by a Qualified Electronic Signature Creation Device (QSCD). Simply put, the difference between the AdES and the QES is the addition of a qualified certificate and certification requirements for the signature creation process. The certificate is issued by a qualified trust service provider, and it attests to the authenticity of the electronic signature to serve as proof of the identity of the signatory.
Qualified Electronic Signatures and Seals provided by Qualified Trust Providers in the EU ensure non-repudiation from a legal perspective and have the same legal value as handwritten signatures. This legal clarity combined with the inherent security built into these instruments is what makes them so exciting for digital service providers. A Qualified Electronic Signature created in any EU Member State will have the same legal value as a handwritten signature in all EU Member States.
The European Telecommunications Standards Institute (ETSI) produces the standards needed for all sorts of electronic communication systems like wireless, mobile, radio etc. For digitally signing different file formats, ETSI standards include:
- Cryptographic Message Syntax Advanced Electronic Signature (CAdES)
- XML Advanced Electronic Signature (XAdES)
- PDF Advanced Electronic Signature (PAdES)
CAdES is built around the Cryptographic Message Syntax (CMS) providing standards for advanced electronic signatures. XAdES does something similar for XML Digital Signatures and PAdES has been designed to allow PDF documents to carry advanced electronic signatures. PDF documents are popular because of the way they can present any paper document in a digital format and so signing them digitally has a rather wide array of applications.
Figure: A sample workflow using PAdES for signing PDF documents electronically. Image source: Adobe
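As an added example (not from the original article), the shell script below uses the OpenSSL command line to create a detached CMS signature, the container that CAdES builds on, and checks the tamper-detection and signatory-binding requirements listed earlier. The key pairs, self-signed certificates, names and document text are constructed for the demo; this is plain CMS, not a full CAdES profile, and a self-signed certificate is not a qualified certificate.

```shell
#!/usr/bin/env bash
# Added example (constructed data): CMS detached signature, then three checks.
# Keys and certificates are throwaway and self-signed, NOT qualified certificates.

make_signer() {     # $1 = output prefix, $2 = common name (both constructed)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1.key" -out "$1.crt" 2>/dev/null
}

sign_detached() {   # $1 = signer prefix, $2 = document, $3 = signature output
  # -binary keeps the bytes as-is; without -nodetach the content is not embedded.
  openssl cms -sign -binary -md sha256 -outform DER \
    -signer "$1.crt" -inkey "$1.key" -in "$2" -out "$3"
}

verify_detached() { # $1 = trusted certificate, $2 = document, $3 = signature
  # Non-zero exit if the digest, the signature, or the certificate chain fails.
  openssl cms -verify -binary -inform DER -in "$3" -content "$2" \
    -CAfile "$1" -out /dev/null 2>/dev/null
}

status() { if "$@"; then echo valid; else echo invalid; fi; }

demo() {
  local w; w=$(mktemp -d)
  make_signer "$w/alice" "Alice Example"
  make_signer "$w/other" "Other Example"
  printf 'Transfer EUR 100 to account 1234\n' > "$w/doc.txt"
  printf 'Transfer EUR 900 to account 1234\n' > "$w/tampered.txt"
  sign_detached "$w/alice" "$w/doc.txt" "$w/doc.p7s"

  # 1) untouched document, 2) altered document, 3) wrong trust anchor
  echo "original=$(status verify_detached "$w/alice.crt" "$w/doc.txt" "$w/doc.p7s")" \
       "tampered=$(status verify_detached "$w/alice.crt" "$w/tampered.txt" "$w/doc.p7s")" \
       "wrong_anchor=$(status verify_detached "$w/other.crt" "$w/doc.txt" "$w/doc.p7s")"
  rm -rf "$w"
}

demo
```

In a qualified setting the signing key would sit inside a QSCD and the trust anchor would come from a qualified trust service provider rather than a file on disk.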
The development of such standards allows businesses to improve efficiency, streamline and standardize their end-to-end document workflows, reduce costs and cut down on the time it takes to process customer requests. The technology to go paperless and adopt a fully digital-delivery business model has existed for quite a while. However, there was always a barrier to this because of the need to manually sign documents, which invariably led to hiccups and delays.
To be fair, such digital signing standards are not unique to the EU, but the challenge here has been to develop standards that are acceptable to all Member States and can be used across borders. That aspect is indeed unique, and it presents a blueprint for global adoption of such standards. Also, and perhaps more importantly, detailed technical standards have been accompanied by a legal framework (EU regulation), making them binding in all EU countries alike. This not only provides a high probative value but also a legal standing in court with the validity of a handwritten signature. What has been designed to make the European Single Market a reality might eventually end up laying the foundation for a global endeavour on this front.