Understanding eIDAS – All you ever wanted to know about the new EU Electronic Signature Regulation
by Dan Puterbaugh, Adobe Systems’ Director & Associate General Counsel
The Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) was adopted by the Council of the European Union on 23 July 2014. This regulation establishes a new legal structure for electronic identification, signatures, seals and documents throughout the EU.
On July 1, 2016, eIDAS will become effective. As of that date, the existing EU Directive on electronic signatures will be replaced. Perhaps just as importantly, any laws of EU member states that are inconsistent with eIDAS will also automatically be repealed, replaced or modified. The result will be that for the first time there will be a consistent legal framework and a single market for the recognition of electronic signatures and identities across all of the EU member states. This provides the private sector with a predictable regulatory environment in which to develop and expand the use of electronic signatures and transactions in the EU.
In 1999, the European Commission published its first eSignatures Directive (eSignatures Directive 1999/93/EC). As a directive, it allowed the member states of the EU to interpret the new law and impose their own restrictions, limitations and exceptions to it. The result was that electronic signature law in the EU became a patchwork of differing laws. For example, Austria and Sweden adopted very strict versions of the law, while other member states such as the United Kingdom adopted much more liberal laws similar to those in the United States. Worse, none of the member states adopted the same set of technical standards for their implementation, thus preventing real interoperability. This fragmentation undermined the EU’s goal of moving towards a single market.
By 2011, revising the Directive had become one of the European Commission’s top priorities. In order to repair these weaknesses and develop a single European digital market, a review was conducted and a new regulation was adopted three years later. As it pertains to electronic signatures, the main purpose of the new Regulation was to ensure confidence in electronic signatures and to create mutual recognition of electronic signatures across all member states.
The New Regulation
It is important to note that Regulation (EU) No 910/2014 is a regulation rather than a directive. As noted above, directives contain legal principles and are subject to member state interpretation and implementation. Regulations represent European Union laws directly applicable in the member states. Thus, one of the most important aspects of the new law is its uniform application across all member states.
Substantively, eIDAS is in two parts. The first section deals with government-recognized electronic identification systems and establishes a legal framework that will allow all EU member states to mutually recognize each other’s identification systems. This section targets the public sector and requires Member States to permit citizens from other member states to use their own electronic IDs to access their online services. Private sector companies are not directly impacted by this portion of eIDAS, although services developed for the public sector will likely also be extended to them.
The second section of eIDAS deals with electronic signatures. It clarifies existing rules, but also introduces a new legal framework for electronic signatures and seals. However, service providers are not obliged to change their way of working in a significant manner. Instead, eIDAS offers an incentive to follow the European rules: services that comply with eIDAS’s requirements, which are designed to improve their reliability, are granted greater legal certainty.
Impact of the New Regulation on Electronic Signatures
As noted above, on July 1, 2016, eIDAS will not only repeal the existing eSignatures Directive, it will also automatically replace any inconsistent national laws in Europe. Let’s examine some of the important changes to the status of electronic signatures.
Article 25 of the Regulation maintains the fundamental legal rule that all electronic signatures and verification services shall be admissible as evidence in legal proceedings. This includes electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication.
eIDAS also includes a definition of the service companies that provide these electronic signatures, seals and stamps – Trust Services. It goes further and distinguishes between qualified and non-qualified Trust Services. Although these concepts were in the 1999 Directive, they were limited to certification services, and they are now addressed in greater detail in the new Regulation. eIDAS provides a clearer definition of Trust Services, and the requirements and supervision associated with them subject their operation to greater scrutiny than before. The objective of this scrutiny is to increase confidence in digital transactions and to encourage more people to use them by demonstrating their reliability and security as well as their clear advantages over handwritten signatures.
The definition of electronic signature is unchanged under eIDAS. The same fundamental standard – that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely based on the fact that it is in electronic form – is still the rule.
Advanced Electronic Signatures
One key change of the new Regulation is the re-definition of the Advanced Electronic Signature (AdES). This signature – as opposed to the plain definition of electronic signature that is in place under the current Directive – allows unique identification and authentication of the signer of a document and enables verification of the integrity of the signed agreement. This authentication is typically accomplished through the issuance of a digital certificate by a Certificate Authority (CA). First, the signer obtains a certificate from a CA. Then, during the signing process, the signer’s certificate is cryptographically bound to the document using the private key uniquely held by the signer. This procedure also acts as a tamper-evident seal protecting the integrity of the document. During the validation process, the corresponding public key is extracted from the signature and used both to authenticate the signer’s identity through the trusted issuing CA and to confirm that no changes were made to the document since it was signed. Although these certificates have existed for many years, eIDAS enables the signer to use the latest technologies, like mobile devices, to accomplish this.
Qualified Electronic Signatures
The final type of signature defined under eIDAS is the Qualified Electronic Signature (QES). While both Advanced and Qualified Electronic Signatures are uniquely linked to the signer, Qualified Electronic Signatures are based on Qualified Certificates. Qualified Certificates can only be issued by a CA that has been accredited and is supervised by authorities designated by the EU member states, and that meets the requirements of eIDAS. Qualified Certificates must also be stored on a qualified signature creation device such as a smart card, a USB token, or a cloud-based trust service.
QES are doubly important because not only is a QES the only type of electronic signature that is the legal equivalent of a handwritten signature, but also only this type of electronic signature will ensure mutual recognition of its validity by all the EU member states. This mutual recognition is crucial for the creation of the single digital market across the entire EU.
Finally, eIDAS will introduce the recognition of electronic seals. These are similar to electronic signatures but are only available to legal persons such as corporate entities. This raises the interesting prospect of minimizing the importance of the “authorized signer” for a particular entity. Instead, there will simply be a seal that is associated with that entity, and any use of that seal will be presumed to be binding on that entity, especially in the case of qualified electronic seals.
Although the EC continues to issue implementing acts and the associated standardization framework must be finalized before the July 2016 effective date, customers using electronic signatures should be aware of the new Regulation, including its electronic identification provisions and the stricter supervisory measures that will apply to trust service providers. In particular, the importance of QES should figure prominently in one’s EU operational plans.