eSeal - solution for legal persons
The eIDAS regulation introduced Electronic Seals as a solution for legal entities, allowing them to protect the authenticity and integrity of electronic documents and data. An Electronic Seal is based on the same technology as an Electronic Signature and can also be Advanced or Qualified. A Qualified Electronic Seal is verified with a Qualified Certificate.
Article 3 of the eIDAS regulation
The ‘creator of a seal’ refers to a legal person or entity who creates an electronic seal.
‘An electronic seal’ refers to any data in an electronic form, which is attached to or logically associated with other data in electronic form, to ensure the latter’s origin and integrity.
Signature versus seal
In the European Union, a Qualified Electronic Signature (QES) has a recognized legal standing equal to a handwritten signature and provides a strong enabler to move all paper processes over to digital.
A QES can confirm “proof of will,” which is expected from people from all walks of life and from legal authorities in formal transactions, especially when public administration is involved.
A seal can be considered an electronic signature for a business or organisation. In other words, the main difference between a seal and a signature is that a signature is meant for individuals / natural persons, whereas a seal is used by a legal entity (business or organisation) and can be used by more than one person or system within the legal entity. Examples would be invoices automatically generated by an accounting system, or signed messages sent by a sensor in the Internet of Things.
The legal implication
The eIDAS regulation states that a Qualified Electronic Seal shall enjoy the presumption of integrity of all data and of correctness of the origin of that data to which the Qualified Electronic Seal is linked. Like regular handwritten signatures, a Qualified Electronic Seal is recognized in the European Union: a Qualified Electronic Seal based on a qualified certificate issued in one Member State shall be recognized as a Qualified Electronic Seal in all other Member States. However, this legal value does not apply to legal proceedings and “proof of will”.
Achieving legal effect with an electronic seal
Automation of the issuance of legal documents was formerly impossible with an electronic signature because its creation needed a “natural person” to sign. An electronic seal, however, allows full automation of services that issue legal documents, which the seal confirms as authentic. For the sealed documents to have legal value, the creator of the seal needs to base it on one of the following legal bindings:
- Legal effect is regulated in European or local law. For example, an EU Member State law may state that legal documents can be issued by an authority and that the seal confirms its status. The eIDAS regulation gives legal effect to electronic seals protecting certificates and timestamps, and PSD2 (Revised Payment Service Directive) gives legal effect to seals in communication between banks and payment service providers.
- Legal effect is regulated in the service policy or any other service agreement. This means that the policy acknowledges the responsibility of the seal creator for sealed documents. For example, electronically sealed tickets are authentic and integral. In addition, the ticket issuer is responsible for them according to the policy.
An electronic seal needs another document or act to legally bind responsibility to a sealed document. Once that binding is acknowledged, an electronic seal allows full automation of document processes and services. An electronic seal is the main tool for trust service providers and enables them to issue certificates, timestamps and validation reports 24/7/365. The significance of electronic seals will only grow, and they will be used to protect evidence from systems and devices.