Signing is a way of showing consent when different stakeholders agree on something, and producing a signature digitally is no different. Digital signature processes form part of a wider ecosystem in which the signature records the deliberate consent of a signatory, so that a contract or transaction can be executed in a non-repudiable way that meets both contract-fulfilment and legal requirements.
The remote electronic signing experience can be represented in the below value chain:
As input you have documents to be signed, and as output you get the signed documents that allow the contract to be executed. Moving this into the digital world improves efficiency, security and, above all, convenience, since it allows an end-to-end digital experience offering:
- Higher conversion rates and time savings when a compelling user experience is provided
- Cost savings without mailing, scanning, etc.
- Better sustainability
As the diagram shows, the remote signing experience is tightly bound to other functions, including:
- Customer identification (Registration Authority), which establishes who the signatory is before any certificate is issued
- CA services (certificate generation and dissemination)
- Authentication services (required to guarantee that each signature operation was duly authorized by the signatory, and by nobody else)
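The separation of functions above can be illustrated with a minimal remote signing flow. The Go program below is an added example, not Cryptomathic's code or any product's API: the signing service holds the signatory's private key and never releases it, the authentication service issues signature activation data bound to the signatory and to the hash of the exact document being signed, and the signing service refuses to sign unless that data checks out. The names RemoteSigner, Register, Authorize and Sign are hypothetical, the activation data is an HMAC under a key shared between the authentication and signing functions (an assumption made to keep the demo self-contained), and the RA and CA steps are collapsed into Register.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// RemoteSigner models a TSP-hosted signing service. Each signatory's private
// key lives only inside this struct and is used solely when valid signature
// activation data (SAD) for that signatory and document is presented.
type RemoteSigner struct {
	keys   map[string]*ecdsa.PrivateKey // signatory ID -> server-held key
	sadKey []byte                       // HMAC key shared with the authentication service (demo assumption)
}

// NewRemoteSigner creates an empty service with a fresh random SAD key.
func NewRemoteSigner() (*RemoteSigner, error) {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &RemoteSigner{keys: map[string]*ecdsa.PrivateKey{}, sadKey: k}, nil
}

// Register stands in for the RA/CA step: an identified signatory gets a key
// pair generated on the server; only the public key ever leaves it.
func (s *RemoteSigner) Register(id string) (*ecdsa.PublicKey, error) {
	if _, dup := s.keys[id]; dup {
		return nil, errors.New("signatory already registered")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s.keys[id] = priv
	return &priv.PublicKey, nil
}

// Authorize stands in for the authentication service: once the signatory has
// authenticated, it issues SAD bound to this signatory and to the hash of
// exactly this document, so the token cannot be reused for another document.
func (s *RemoteSigner) Authorize(id string, docHash [32]byte) []byte {
	mac := hmac.New(sha256.New, s.sadKey)
	mac.Write([]byte(id))
	mac.Write(docHash[:])
	return mac.Sum(nil)
}

// Sign hashes the document and signs it with the signatory's server-held key,
// but only if the SAD matches this signatory and this document.
func (s *RemoteSigner) Sign(id string, doc, sad []byte) ([]byte, error) {
	priv, ok := s.keys[id]
	if !ok {
		return nil, errors.New("unknown signatory")
	}
	h := sha256.Sum256(doc)
	if !hmac.Equal(sad, s.Authorize(id, h)) {
		return nil, errors.New("signature not authorized for this signatory and document")
	}
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify is what the relying party runs: it needs only the public key.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	h := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

func main() {
	svc, err := NewRemoteSigner()
	if err != nil {
		panic(err)
	}
	pub, _ := svc.Register("alice")
	contract := []byte("Constructed sample contract: Alice agrees to terms v1.") // constructed input
	sad := svc.Authorize("alice", sha256.Sum256(contract))
	sig, err := svc.Sign("alice", contract, sad)
	fmt.Println("signed:", err == nil, "verifies:", Verify(pub, contract, sig))
	_, err = svc.Sign("alice", []byte("a different document"), sad)
	fmt.Println("reuse of SAD for another document refused:", err != nil)
}
```

In a deployment built to the relevant CEN standards, the activation data would additionally carry freshness (a one-time nonce or short validity window) and would come from an authentication server independent of the signing component; the shared-secret HMAC here is a simplification, but the property it demonstrates is the essential one: the key is never handed to the user, and it cannot sign anything the authenticated signatory did not explicitly approve.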
For a signature solution to be rolled out at the qualified level (Qualified Electronic Signature) and implemented in a corporation, a number of support activities need to be duly performed.
- Contractual aspects: performing the above functions comes with liability. Even though the core signing service is provided by a single legal entity (the trust service provider, TSP), in practice several legal entities are usually involved, including the TSP, the end user, the business application owner and the Registration Authority. Defining the contractual terms and the split of responsibilities between them often requires the involvement of legal departments.
- Audit: a successful audit by a Conformity Assessment Body accredited under eIDAS is a prerequisite for offering signatures at the Qualified Electronic Signature level. The audit scope covers all of the functions above, and a number of security controls and technical and operational standards must be enforced.
- Integration: for the solution to be deployed frictionlessly as part of an existing business portal, integration work is required. Depending on the level of control and the privacy requirements, some parts of the solution may be operated on-premise and others in the cloud.
- Project management: to steer these activities and ensure that business objectives are met, it is common practice to appoint a project manager to supervise the implementation.
To provide a consistent and coherent solution and shorten the implementation time, Cryptomathic has teamed up with a number of partners in these fields (technology suppliers, trust service providers, auditors, system integrators, etc.). This extends our core value proposition and offers a single point of contact for a total solution tailored to your needs.
Please feel free to contact us to learn more about our global value proposition or if you are interested in partnering with us.
References and Further Reading
- Commission Delegated Regulation (EU) supplementing Directive (EU) 2015/2366 of the European Parliament and of the Council with regard to regulatory technical standards for strong customer authentication and common and secure open standards of communication (2017), by the European Commission
- Selected articles on Authentication (2014-18), by Heather Walker, Luis Balbas, Guillaume Forget, Jan Kjaersgaard, Dawn M. Turner and more
- Selected articles on Electronic Signing and Digital Signatures (2014-today), by Ashiq JA, Guillaume Forget, Jan Kjaersgaard, Peter Landrock, Torben Pedersen, Dawn M. Turner, Tricia Wittig and more
- Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (2016), by the European Parliament and the Council
- Proposal for a Regulation concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (2017), by the European Commission
- Directive (EU) 2015/2366 on payment services in the internal market (commonly known as PSD2) (2015), by the European Parliament and the Council
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS) (2014), by the European Parliament and the Council
- Directive 2013/37/EU amending Directive 2003/98/EC on the re-use of public sector information (2013), by the European Parliament and the Council
- Recommendations for the Security of Internet Payments (Final Version) (2013), by the European Central Bank