Comment: Adopting e-signatures in light of new regulation

Adopting e-signatures can bring huge benefits to organisations; however, they need to ensure they are mindful of new Electronic Identification and Signature (eIDAS) legislation, writes Stefan Ropers, managing director, Central Europe, Adobe.

E-signatures provide businesses with a number of benefits, including cross-border document authentication and instant verification of transactions. They also present a huge potential for businesses to improve their operations and provide alternative authentication solutions for customers, improving security and increasing potential revenue. However, businesses need to be aware of the challenges—both regulatory and operational—of transitioning to all-digital signatures.

While use of e-signatures continues to grow at pace, uptake is still uneven across different industries. Lack of technology standards has been an issue, as has been the fact that e-signatures historically have not had the same legal standing as physical signatures.

But major changes are underway: This summer, Adobe launched the Cloud Signature Consortium, a group of leading industry and academic organisations brought together to build a new open standard for cloud-based digital signatures across mobile and web. The aim of the initiative is to make electronic signing consistent, secure and scalable – so that anyone can sign digital documents from any digital channel or device.

Also this year, the first phase of the EU’s new regulation on electronic identification (eIDAS) became legally binding. The regulation aims to offer a common legal framework for understanding the types of authority an e-signature possesses; make it easier for citizens and businesses within member states of the European Union to understand the uses of e-signatures; and give e-transactions and other e-signed documents the same legal status as those that are paper-based. Another benefit of the regulation is that it makes qualified signatures compatible across all 28 participating EU countries and within the 180 trust centres of the EUTL (EU Trust Centre List).

As it will be mandatory for all businesses that utilise e-signatures to be eIDAS compliant, it is crucial that owners become familiar with the new legislation, and review and identify which business processes need to be updated for compliance.

eIDAS considers several categories of e-signatures, offering a standardised mechanism for a business or corporate entity to understand the legal standing of the signatory:

– Electronic Signatures

The definition of electronic signature is unchanged under eIDAS. The same fundamental standard – that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely based on the fact that it is in electronic form – is still the rule.

– Advanced Electronic Signatures

This signature – as opposed to the plain definition of electronic signature that is in place under the current directive – allows unique identification and authentication of the signer of a document and enables the verification of the integrity of the signed agreement.

– Qualified Electronic Signatures

While both Advanced and Qualified Electronic Signatures are uniquely linked to the signer, Qualified Electronic Signatures are based on Qualified Certificates. Qualified Certificates can only be issued by a Certificate Authority which has been accredited and supervised by authorities designated by the EU member states and meets the requirements of eIDAS. Qualified Certificates must also be stored on a qualified signature creation device such as a smart card, a USB token, or a cloud-based trust service.

By providing legal and regulatory standardisation around e-signatures, the eIDAS regulation lays down a predictable legal framework for individuals, companies (in particular SMEs) and public entities to safely access services and conduct transactions online and across borders in just “one click”.

It will be mandatory for businesses to recognise electronic identities (eIDs) from mid-2018. A business that is unprepared for the eIDAS regulation may find that it risks restricting potential customers and partners, as it will not be able to facilitate long-distance digital signing or legally verify documentation due to the absence of the right technical infrastructure.

What’s more, beyond the potential loss of new trade, a business may face legal repercussions for failing to comply with eIDAS adequately. Any business using e-signatures will, naturally, have to be compliant with the Data Protection Act too. Regardless of its size, any business handling personal data is responsible for its protection.

Besides regulatory concerns, business owners will also have to evaluate which technologies can best advance this transition by engaging with the specialist vendor community, which can provide expert counsel on compliant solutions. Doing so will enable them to test their in-house expertise and verify that their current and planned technologies will continue to operate within regulatory boundaries.

Future gazing

With the arrival of eIDAS, businesses have been given a clear template of how to legally and efficiently use e-signatures. The use of e-signatures is only set to grow, as businesses continue to operate in an increasingly connected environment. By ensuring compliance as early as possible, businesses can better guarantee that they won’t be superseded by more agile, technologically-savvy competitors, while having the capability to conduct cross-border business securely and safely.