The Electronic Identification and Trust Services Regulation (Regulation (EU) No 910/2014, better known as eIDAS) is a complex body of law, backed by technical standards, that raises the bar for providing electronic trust services across all EU member states. This article aims to help with the decision between implementing Advanced or Qualified Electronic Signatures in the context of eIDAS. Even with the regulation in full force across all 28 member states, most companies in the private sector are either lagging behind or lost in a fog of confusion.
In Europe there are over 23 million small and medium-sized enterprises. There is a lot of confusion surrounding eIDAS, and many of these businesses have little information available that explains the law simply.
It is true that the private sector is less affected by eIDAS than public services and government agencies.
Regardless of that fact, most businesses blame their late entrance on other obstacles; a lack of interest is not the primary reason for eIDAS's slow take-off. The terminology introduces new terms and concepts that are difficult to grasp, covering devices and data types alike: electronic identification means, certificates, signatures, seals, time stamps, signature creation data and creation devices. Electronic identification means come in three assurance levels (low, substantial and high), and signatures and seals in three tiers (simple, advanced and qualified), the legally significant tiers being "advanced" and "qualified". Another key reason for the lack of comprehension is the complex architecture of the regulatory text itself: the regulation proper, no fewer than seven implementing acts, and around 30 norms, technical standards and specifications.
To be fair, many of the rules defined by the EU Commission are intentionally left unspecified, leaving room for interpretation to the supervisory bodies of the member states in charge of implementing the regulation. The generalised text of such a multifaceted subject, combined with many overlapping requirements, makes eIDAS hard to comprehend even for experts. Hence the need for clarification.
Trust Service Providers (TSPs) are responsible for assuring the electronic identification of signatories and for eID services, using strong mechanisms for authentication, digital certificate provision and electronic signatures. Any change to signed data must be detectable by both the sender and the recipient, and an attached electronic time stamp provides evidence of the date and time at which the data existed in the signed form.
Under eIDAS, an Advanced Electronic Signature (AdES) has legal effect and is admissible as evidence, but its evidential weight is assessed case by case. A Qualified Electronic Signature (QES), which can only be produced with a qualified certificate issued by a qualified trust service provider (QTSP), carries the highest probative value: it has the same legal effect as a handwritten signature, is recognised as such in every member state, and is hard to challenge in court because its authorship is considered non-repudiable.
Under eIDAS, each member state publishes a trusted list of the providers and services that have been granted qualified status, and the European Commission compiles these into the EU List of Trusted Lists. An entity that is not on a trusted list is not permitted to provide qualified trust services, and those that are listed must abide by the strict requirements set out in eIDAS and are audited against them.
Comparing Advanced and Qualified Electronic Signatures
Both advanced and qualified signatures must be uniquely linked to the signatory and capable of identifying them; they must be created using signature creation data that the signatory can, with a high level of confidence, use under their sole control; and they must be linked to the signed data in such a way that any subsequent change to that data is detectable.
These requirements call for a secure, auditable environment in which to authenticate the signatory and hold the signature creation data, but for an AdES they are purely functional: the regulation does not prescribe how the private key is protected, so a software key on an ordinary computer can in principle meet them while remaining exposed to theft, to brute-force attacks on a weak passphrase, or to poor key management. In this respect a QES has a much higher security and assurance level, because the key must reside in a certified device.
A QES is an advanced electronic signature that is created by a qualified electronic signature creation device and is based on a qualified certificate for electronic signatures issued by a qualified trust service provider (eIDAS Article 3(12)). The signature creation device and the other components involved in signature activation must be certified against stringent technical requirements: Common Criteria protection profiles such as the CEN EN 419 211 and EN 419 241 series for the device, with ETSI standards governing the signature formats and the operation of the trust service provider. Simply put, QES adds certified hardware and a qualified certificate to the functional requirements of AdES.
By law, a QES is the equivalent of a handwritten signature within the EU. The qualified trust service provider's signature on the signatory's qualified certificate is what officially "qualifies" the signatory's electronic signature, and together with the certified creation device these absolute requirements give QES a higher technical security than AdES.
Technical security and legal assurance advantages of Qualified Electronic Signatures
All qualified signatures must be created using a Qualified Signature Creation Device (QSCD). It is, however, important to distinguish between local signing and remote signing.
Local signing is when the end user keeps a personal device (e.g. a smart card) that stores the signing key and uses that device to initiate the signature. In this case the smart card, together with the reader it is used with, has to be certified as a QSCD.
Remote signing is where the signing key is protected by a TSP's hardware (a hardware security module, HSM, in a data centre) and the signatory accesses it remotely (online) to initiate the signing process with some form of strong authentication. In this case a signature activation module (SAM), operating within the tamper-protected environment of the HSM, checks that the authenticated signatory has authorised the signing of exactly this data before the key is used. The SAM and the HSM together have to be certified as a QSCD. The key management lifecycle is managed entirely within the confines of the HSM: the signatories' private keys are stored in a database keystore encrypted under a key-encryption key that never leaves the HSM, so a signing key only ever exists in the clear inside the HSM, and only for the moment of signing.
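The following is an added toy model of the remote-signing architecture just described, written for this article; it is not code from the original page and not Cryptomathic Signer or any real HSM product. It assumes, as constructed simplifications, that an AES-GCM key held in process stands for the HSM-resident key-encryption key, that in-memory maps stand for the TSP's database, that Ed25519 is used in place of the RSA or ECDSA keys found in most qualified certificates, and that an HMAC over the document hash stands for the signatory's strong-authentication protocol. What it shows is the two properties that matter: the signing key is only unwrapped inside the "HSM" boundary for the moment of signing, and the signature activation data authorises exactly one hash, so it cannot be replayed to sign a different document. It also shows the AdES/QES requirement that any change to the signed data is detectable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer is a constructed toy model of a remote-signing QSCD (not a real HSM): the
// AEAD stands for the HSM-resident KEK; the maps are the database of wrapped keys.
type Signer struct {
	aead    cipher.AEAD       // AES-256-GCM under the KEK, which never leaves the HSM
	wrapped map[string][]byte // signatory -> nonce || AES-GCM(KEK, Ed25519 private key)
	authKey map[string][]byte // signatory -> secret shared with their authenticator
}

func NewSigner() (*Signer, error) {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(kek)
	if err != nil {
		return nil, err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Signer{g, map[string][]byte{}, map[string][]byte{}}, nil
}

// Enroll generates the signatory's key inside the HSM boundary, wraps it with
// the signatory's name as associated data (so blobs cannot be swapped between
// records) and returns only the public key that goes into the certificate.
func (s *Signer) Enroll(signatory string, authSecret []byte) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.wrapped[signatory] = s.aead.Seal(nonce, nonce, priv, []byte(signatory))
	s.authKey[signatory] = authSecret
	return pub, nil
}

// DTBSR is the data-to-be-signed representation: the only value the HSM signs.
func DTBSR(document []byte) []byte {
	h := sha256.Sum256(document)
	return h[:]
}

// SAD is the signature activation data from the signatory's authenticator. An
// HMAC over the DTBS/R stands in for the real strong-authentication protocol;
// what matters is that it authorises exactly one hash.
func SAD(authSecret, dtbsr []byte) []byte {
	m := hmac.New(sha256.New, authSecret)
	m.Write(dtbsr)
	return m.Sum(nil)
}

// Sign is the SAM step: refuse unless the SAD authorises this DTBS/R, then
// unwrap and use the private key without it leaving the HSM boundary.
func (s *Signer) Sign(signatory string, dtbsr, sad []byte) ([]byte, error) {
	secret, ok := s.authKey[signatory]
	if !ok || !hmac.Equal(sad, SAD(secret, dtbsr)) {
		return nil, fmt.Errorf("activation refused for %q: SAD does not authorise this DTBS/R", signatory)
	}
	blob, n := s.wrapped[signatory], s.aead.NonceSize()
	priv, err := s.aead.Open(nil, blob[:n], blob[n:], []byte(signatory))
	if err != nil {
		return nil, err
	}
	return ed25519.Sign(ed25519.PrivateKey(priv), dtbsr), nil
}

// Verify is the relying party's check: any change to the signed document
// changes its DTBS/R, so the signature stops verifying (eIDAS Article 26(d)).
func Verify(pub ed25519.PublicKey, document, sig []byte) bool {
	return ed25519.Verify(pub, DTBSR(document), sig)
}

func main() {
	svc, _ := NewSigner()
	secret := []byte("constructed-authenticator-secret")
	pub, _ := svc.Enroll("alice", secret)
	doc := []byte("Car rental insurance contract, premium 120 EUR") // constructed sample
	sig, err := svc.Sign("alice", DTBSR(doc), SAD(secret, DTBSR(doc)))
	fmt.Println("signed:", err == nil, "verifies:", Verify(pub, doc, sig))
	fmt.Println("tampered copy verifies:", Verify(pub, []byte("Car rental insurance contract, premium 12 EUR"), sig))
	_, err = svc.Sign("alice", DTBSR([]byte("another document")), SAD(secret, DTBSR(doc)))
	fmt.Println("SAD replayed onto another document refused:", err != nil)
}
```

In a certified QSCD the SAM, the key-encryption key and the signing operation live in the HSM's tamper-protected environment, and the signatory's authentication is a real protocol (for example a certified app or token) rather than a shared HMAC secret; the database outside the HSM, as here, sees only wrapped blobs. Binding the signatory's identifier as associated data is what stops an attacker with database access from swapping one user's wrapped key into another user's record.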
Going beyond the requirements for AdES, the eIDAS regulation sets the requirements for providing Qualified Trust Services and gives Qualified Electronic Signatures the same legal effect as handwritten signatures in all EU member states. Wherever European or national statutory law prescribes signature formalities for a contract to be valid, a digital document needs the equivalent of a handwritten signature to be executed in due form; examples include employment contracts, tenders and car rental insurance. Even the notarisation of legal documents by a government-licensed notary becomes possible.
It also makes sense to use qualified signatures where high monetary values or the protection of life demand a higher level of security (the "qualified" security features being one important component of a composite security architecture), and wherever a high probative value for legal non-repudiation matters, even if no legal regulation demands it.
Effort and costs
One of the biggest efforts on the way to qualified status is customer identification. Qualified trust service providers must demonstrate that the identity has been sufficiently verified. Currently, most banks and governments applying eIDAS conduct a KYC process that requires the physical presence of the user before the data can subsequently be used digitally.
To speed up onboarding, such checks can be conducted online, either directly or with the help of an identity verification company; eIDAS-compliant customer identification is offered, for example, by companies like PostIdent or Luxtrust.
Using an identity verification company reduces the effort of setting up an in-house signature service to offer to clients, but even the up-front effort of doing it in-house can pay off significantly for large-scale deployments.
For both advanced and qualified electronic signatures, an institution faces recurring fees and one-time fees.
When using a qualified trust service provider, the company pays annual, volume-dependent usage fees comparable to those for advanced electronic signatures. Other factors, including the technology and deployment model chosen, further complicate the cost estimate. Depending on the scale of deployment, a company can reduce recurring costs by taking some of the services in-house.
When going "qualified", there is an annual audit that validates important aspects of the architecture and of eIDAS compliance. For such an audit, a mid-sized bank may be looking at costs of around EUR 100k per year for administration, including the fee of the external auditor.
In total, the costs of a qualified signature service can be estimated at 2-3 times those of an advanced signature service.
This article has tried to help with the decision between Advanced and Qualified Electronic Signatures. It shows that qualified electronic signatures are required when automating the signing of contracts and documents that call for a "handwritten signature", and that they make it possible to design scalable processes that significantly reduce headcount, effort and time.
Once the process for qualified electronic signing is implemented and the users are enrolled, Qualified Electronic Signatures can also be applied where they are not required by law but provide a higher level of security and legal assurance; financial transactions above a certain threshold value are an illustrative example.
Within one institution or company there may be separate use cases for both AdES and QES, over PDF or XML. Cryptomathic's eIDAS-compliant signing technology has the advantage that both can be delivered through the same solution, Cryptomathic Signer. We will say more about such hybrid applications in forthcoming articles.
References and Further Reading
- Selected articles on eIDAS (2014-today), by Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner, David McNeal and more
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 1) (2018), by Gaurav Sharma
- Benefits of the eIDAS Toolbox – Case Studies from Various Industries (Part 2) (2018), by Gaurav Sharma
- Digital Trade and Trade Financing - Embracing and Shaping the Transformation (2018), by SWIFT & OPUS Advisory Services International Inc
- REGULATION (EU) No 1316/2013 establishing the Connecting Europe Facility, amending Regulation (EU) No 913/2010 and repealing Regulations (EC) No 680/2007 and (EC) No 67/2010 (2013), by the European Parliament and the Council of the European Union
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Gaurav Sharma, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, and more
- Selected articles on Authentication (2014-today), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- eIDAS webinar 1: Using electronic Identification, Authentication and trust Services for Business (2018), by the European Commission
- The European Interoperability Framework - Implementation Strategy (2017), by the European Commission
- Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL amending Directive (EU) 2015/849 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing (2016), by the European Commission
- REGULATION (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the European Council
- Proposal for a REGULATION concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Commission
- DIRECTIVE (EU) 2015/2366 on payment services in the internal market (commonly known as PSD2) (2015), by the European Parliament and the Council of the European Union
- REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the Council of the European Union
- DIRECTIVE 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013), by the European Parliament and the Council of the European Union