Qualified Electronic Signatures for eIDAS

In the world of business, every minute counts. When it comes to closing deals, it is imperative to minimize any delays or barriers to keep business moving at a fast pace. Delays often occur when one party involved in a business or government transaction must wait to receive signed documents from the other party.

Mailing documents back and forth by post or sending through facsimile takes time and is not very efficient by today’s standards. And of course, there is the obvious fact that these methods are not very secure.

There is always the risk of the information being sent becoming lost, stolen or tampered with before the intended recipient has received it. This is why now, more than ever, the need for fast and secure electronic transactions has become vital to everyday business processes. The use of qualified electronic signatures answers the call for that need, especially when conducting business across borders.

What is a Qualified Electronic Signature?

First, it helps to understand what makes a qualified electronic signature superior to a signature that is handwritten, electronically captured or created using another protocol of electronic signing. A qualified electronic signature is an "advanced electronic signature with a digital certificate that has been encrypted by a secure signature creation device" (UK Government, 2014). Simply put, a qualified electronic signature increases the level of security that an advanced electronic signature provides. By law, it is considered as the equivalent to a handwritten signature within the EU.

Authenticity Counts, Hence the Need for Qualified Electronic Signatures

The qualified electronic signature includes all the secure features that an advanced electronic signature provide by:

Having the ability to uniquely identify and link its signatory to the electronic signature.
Allowing the signatory to have sole control of the data used to create the electronic signature.
Identifying if the data has been tampered with after its accompanying message has been signed.
Invalidating the signature if signed data has been altered in any manner.

In simple terms, the difference between the advanced electronic signature and the qualified electronic signature is the addition of a qualified certificate. This certificate is issued by a qualified trust service provider, and it attests to the authenticity of the electronic signature to serve as proof of the identity of the signatory.

However, there is more to creating the qualified electronic signature than just the addition of the qualified certificate to an advanced electronic signature. The signature itself must be created using a qualified signature creation device (QSCD). This device is responsible for qualifying a digital signature with specific software and hardware that ensures that:

Only the signatory has control of their private key
The signature creation data that is generated is managed by a qualified trust provider
The signature creation data is:
- Unique
- Confidential
- Protected from forgery

To be recognized by the EU, the electronic signature can be implemented through the following three digital signature standards in compliance with the eIDAS Regulation:

The three standards have been developed by the European Telecommunications Standards Institute ETSI.

Qualified Trust Service Provider

A qualified trust service provider is an entity that has been given qualified status from a supervisory body in its Member nation that allows the entity to provide qualified trust services that are used to create qualified electronic signatures. The qualified trust service provider must follow the strict guidelines provided under the European eIDAS Regulation, which the supervisory body will ensure compliance to these guidelines.

As part of the certificate creation process, the qualified trust service provider must provide a valid date and time for created certificates. Signatures with expired certificates must be immediately revoked. Provider personnel must have appropriate training and use systems and software that are trustworthy and prevent certificate forgery.

A list of qualified certification-service providers is available through the Electronic Authority for Public Administration in each Member State of the EU or through the EU’s Electronic-Signatures Committee. For more information of the technical, required duty, and economic requirements that a qualified trust provider must follow, please refer to Section 3, Articles 20 and 21 of Regulation (EU) No 910/2014 -- Electronic Identification and Trust Services for Electronic Transactions in the Internal Market and Repealing Directive 1999/93/EC (eIDAS).

Legal Standing of Qualified Electronic Signatures

For legal admissibility, if the electronic signature meets all the requirements set forth under eIDAS for qualified electronic signatures, it cannot be dismissed in a court proceeding as evidence, unlike an advanced electronic signature. To be compliant with eIDAS, all EU Member States are required to recognize the validity of a qualified electronic signature if it has been created with a qualified certificate that has been issued by another Member State.

When used in public sector transactions across borders, member states are prohibited from requesting signatures that are higher than the qualified electronic signature (EIDAS-Regulation, Article 27, Electronic signatures in public services).

Article 24 (2) of the eIDAS Regulation grants a qualified electronic signature the same legal effect as a handwritten signature.

The potential for the continued integration of qualified electronic signatures into business and government use is great. This type of electronic signature minimizes possible security risks when completing business transaction online and helps save time and money for all involved.