eIDAS – a Step in the Right Direction

July 20, 2016

On 1 July, the new eIDAS Regulation came into force, changing the legal landscape for electronic signatures in the EU. The Regulation supersedes the E-Signature Directive 1999.  The European Commission felt that the Directive had failed to deliver a comprehensive cross-border framework for secure, trustworthy and easy-to-use electronic transactions. Directives – by their nature – give EU Member States discretion over their implementation. This resulted in a wide disparity between national laws and a failure to agree on common technical standards for electronic signatures and transactions, making it difficult to do cross-border business. The introduction of the eIDAS Regulation signals a step in the right direction and it will help advance the European Commission’s flagship Digital Single Market (DSM) strategy.  

A clearer vision 

First and foremost, the eIDAS Regulation provides organisations with a more predictable regulatory framework for cross-border e-commerce. The Regulation has direct effect in all 28 EU Member States and automatically overrides any conflicting electronic signature laws. In the UK, new legislation (the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016) will come into effect on 22 July. It will modify the Electronic Communications Act 2000 so that our electronic signature laws are fully aligned with the Regulation.

Although the Directive was ‘technology neutral’, it was commonly understood that digital signatures – defined as ‘advanced electronic signatures’ – required a physical smart card or token. A key innovation of eIDAS is that it opens the door for service providers to manage the electronic signature environment remotely, and use cloud technology so that their customers can generate and validate signatures on the move with their smartphone.  

The scope of the Regulation also extends further than the Directive. Electronic signatures are just one of several ‘trust services’ regulated by eIDAS. These trust services encompass any electronic services provided for commercial payment and include the creation and validation of electronic seals, electronic time stamps, electronic registered delivery services and website authentication. Nevertheless, most businesses will be principally concerned with electronic signatures and clarifying how they may be used under eIDAS for transactions governed by EU Member States’ laws.   

Breaking eIDAS down 

The Regulation defines three types of electronic signature – simple, advanced and qualified.  

A ‘simple’ electronic signature is defined as ‘any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign’. In layman’s language, it is the electronic equivalent of a written signature that a signatory can apply to a document to signify acceptance or approval. A typed name at the bottom of an email, a scanned PDF signature, the click of an ‘I accept’ button on a website and the standard signature generated via the DocuSign platform are all examples of a ‘simple’ electronic signature.

An ‘advanced electronic signature’ is a more sophisticated and secure form of electronic signature produced using cryptographic technology. The Regulation requires that it is: uniquely linked to the signatory; capable of identifying the signatory; created using signature creation data (ie a private cryptographic key) that the signatory can use under their sole control; and linked to the signed data in such a way that any subsequent change in the data is detectable.

The final type of signature is a ‘qualified electronic signature’. This is the gold standard and provides the highest level of admissibility and legal effect in the EU. Essentially, it is an ‘advanced electronic signature’ backed by a ‘qualified certificate’ issued by a trust service provider whose credentials appear in the EU Trusted List. The trust service provider must verify the identity of the signatory and issue the qualified certificate to provide assurance that the signatory is who they claim to be.

The vast majority of business and consumer transactions in the EU may be authenticated with a simple electronic signature. Nevertheless, there are some transactions which – as a matter of national law – may require an advanced or qualified electronic signature or the parties may choose these signatures because they afford more security and a higher level of authentication.  

Positive progress but no silver bullet 

The new Regulation is a significant step in the right direction towards seamless cross-border electronic transactions and it will boost the Digital Single Market.  

All forms of electronic signature will now be admissible in an EU Member State court as evidence to establish the authenticity or integrity of an electronic document. 

But it is important to note that the Regulation does not purport to harmonise EU Member States’ laws on whether a signature is actually necessary to conclude a business transaction. The Regulation provides that a ‘qualified electronic signature’ has the equivalent legal effect of a handwritten signature, but otherwise leaves it to national law to define the legal effect of an electronic signature.

What this means is that an EU Member State may prohibit the use of an electronic signature for certain transactions (eg a land transfer) or require a higher form of signature (such as an advanced or qualified electronic signature) to approve the transaction.  

Looking forward, eIDAS is likely to prompt rising demand for secure and reputable electronic signing platforms that provide greater evidential weight behind signatures thanks to the full digital audit trail that they offer. Where businesses are transacting across EU borders or on a pan-global basis, such platforms will be pivotal to them being able to complete the digital transformations that will prove a key differentiator in their industry.

Richard Oliphant is EMEA General Counsel at DocuSign: https://www.docusign.co.uk/