On December 19, 2003, ZertES, the Swiss Federal law regarding the use of certification services with electronic signatures, was approved into law.
This legislation regulates the conditions under which trust service providers may use certification services with electronic signatures. Additionally, ZertES provides a framework that specifies the provider’s rights and obligations when providing certification services.
Purpose of ZertES
The intent of ZertES is to promote the use of secure services for electronic certification to facilitate the use of qualified electronic signatures that carry the same legal implications as a handwritten signature.
Given Switzerland's geographical proximity to the European Community, it is not surprising that ZertES is conceived similarly to eIDAS, in particular in its tiered structure and legal value. ZertES has multiple assurance levels, the highest of which is the QES level, which is equivalent to a handwritten signature and mandatory for many official documents.
Requirements for Electronic Signatures under ZertES
An electronic signature in the understanding of ZertES refers to data in electronic form, attached to or associated with other data in electronic form, serving to authenticate the former.
So far, ZertES does not further specify how electronic signatures shall be technically implemented. However, to facilitate the international use of electronic signatures and their legal recognition, the Swiss Federal Council made international agreements and notably accepts electronic signatures that are technically implemented as digital signatures following these standards: XAdES, PAdES, CAdES.
Requirements for Advanced Electronic Signatures under ZertES
An advanced electronic signature, referred to as a Fortgeschrittene Elektronische Signatur, is required to meet the following requirements to prove its authenticity:
Requirements for Qualified Electronic Signatures under ZertES
Similarly to eIDAS, ZertES allows the advanced electronic signature and its legal implication to be enhanced through a qualified certificate. The enhanced version is called qualifizierte elektronische Signatur (qualified electronic signature). It needs to be produced with a secure signature creation device and to be attached to a qualified certificate that is valid at the time the signature is produced.
Requirements for Qualified Certificates
A qualified certificate must include:
Certificate service providers issuing qualified certificates need to undergo an audit through a conformity assessment body appointed by the Schweizerische Akkreditierungsstelle.
Requirements for Secure Signature Creation Devices:
The Federal Council is responsible for regulating signature generation and issuing Signature Verification Keys (Signaturprüfschlüssel) to qualified certificates under ZertES. Secure signature creation devices must ensure that the signature key that is used can:
The following applies for the signature verification process:
Requirements for Qualified Trust Service Providers
Qualified trust service providers must meet the requirements specified under ZertES to ensure the validity of their certificates issued for electronic signatures. A provider of certification services can be a naturalized or legal citizen who:
Foreign suppliers may also provide certification services under the provisions of ZertES provided:
ZertES allows documents to be signed electronically in a legally binding way. It offers a tiered approach of advanced and qualified electronic signatures to allow for staged levels of complexity and legal value. As in EU law (eIDAS), advanced electronic signatures provide legally binding effect, but qualified electronic signatures (endowed with a qualified certificate) bring legal admissibility in court.
In a European context, cross-border communication between the Swiss and EU areas of jurisdiction is a daily occurrence. Switzerland accommodating the headquarters of many internationally active banks and companies is a major reason for this. Therefore ZertES and its EU counterpart eIDAS are comparably conceived in technical design as well as with respect to legal implications.
Cross-border transactions can be designed in legal compliance with ZertES and eIDAS and are thus valid in both areas of jurisdiction. However, compliance with the standardized digital signing process has to be ensured, and errors in the implementation need to be avoided, as they could lead to legal invalidity of the signature.
Critical points are the implementation of the electronic signature through a digital signature, the choice of accredited certification providers and accepted signature creation devices and the technical workflow itself.
Cryptomathic's SIGNER has been designed in compliance with ZertES and eIDAS. The Swiss Conformity Assessment has verified compliance of Signer against applicable standards and the Signer solution has been declared fit for purpose and can thereby be implemented as a Secure Signature Creation Device to issue Qualified Electronic Signatures. Cryptomathic's vast implementation experience in Switzerland as well as the EU will assure a rapid and error-free implementation and is accompanied by expert advice.
ZertES is currently under review. Contact Cryptomathic for the current status and information on expected changes and modifications.
Technische und administrative Vorschriften über Zertifizierungsdienste im Bereich der elektronischen Signatur (01.08.2011), by the Eidgenössisches Departement für Umwelt, Verkehr, Energie und Kommunikation UVEK, Bundesamt für Kommunikation BAKOM
REGULATION (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014) by the European Parliament and the European Commission