Are electronic signatures legal? eIDAS regulation 101
Everything you need to know about eIDAs, the EU regulations on electronic signature, and how to choose your e-signing provider for your business needs when it comes to contract management.
Electronic signatures are an integral part of the modern contracting process. Not only do they provide a new level of simplicity and speed, but they are in many ways more trustworthy. Nevertheless, there are still doubts out there on their legality and validity.
At the end of the day, a signature in any shape and form, has one common purpose: prove that something was agreed upon, and who agreed on it. To gain trust in the signature, the question that needs to be answered is therefore: How do we ensure that the right person signed and had the intention to sign?
But why does it feel much easier to question an electronic signature rather than a handwritten one? Because if we are being completely honest, how many times did 12-year-old you forge your parents’ signature to get out of PE class? And how many hands does that 89-page contract pass through before the CFO signs it? How long is it laying on their desk for? And where does it go once signed?
In this article, we will guide you through the EU regulations on electronic signatures, the different levels of electronic signatures, and their validity. We’ll start off with the core of it all, eIDAs regulation, and finalize with some practical tips and considerations when choosing your e-signing provider.
What is the eIDAS regulation?
eIDAS is an EU regulation adopted in 2014. It stands for “Electronic Identification, Authentication and Trust Services” and the goal of the regulation is to achieve more efficient and secure electronic interactions in all EU countries. By means of that – eIDAs is your go-to place to learn about the validity of e-signatures.
What is an electronic signature?
Before diving into the validity of an e-signature, let’s agree on what such a signature actually is. According to eIDAs it is:
(10) ‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
An electronic signature can therefore be as simple as signing off an email. However, depending on the sensitivity of the document in hand, you might want to further verify the signature.
To achieve some kind of common ground and trust in electronic signatures, eIDAs define three levels of electronic signatures; simple, advanced, and qualified. We’ll explain them in more detail below.
In the EU, the regulations on electronic signatures establish three levels of electronic signatures: simple, advanced, and qualified. These are applicable in all member states. The level of evidence and identification measures taken to show that the signature was made by the right person – this is what differentiates each level from the next.
Are electronic signatures valid?
The million dollar question! The short answer is yes, they are valid in the EU. The legal answer is the fact that the signature is electronic does not, alone, disqualify its validity. And the more evidence you have that the signature was made by the right person – the better off you are to prove its validity.
It should be noted that eIDAs in no way overrides national contract law, meaning that a member state is able to enforce stricter or specific rules around the signature of specific contract types. For example, a country might have the following rule: “employment agreements must be signed with advanced electronic signatures.”
Still, it is clear that qualified electronic signatures have the same legal effect as handwritten signatures. It is also clear that it does not matter in which EU country the signature was issued – it is still valid in all countries. The EU internal market shines through!
Legal effects of electronic signatures
1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.
2. A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.
3. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.
What is a simple electronic signature?
What we refer to as simple, basic or standard electronic signatures is an electronic signature as described in Article 3 above. For the sake of clarity, we refer to this as simple electronic signature (SES).
Although it is the lowest level of signatures, most simple electronic signatures include sophisticated audit trails, timestamps, IP addresses and other associated data to ensure proof of signature. So don’t judge a book by its cover (or signature level based on its name) – a simple electronic signature will, in many cases, be the appropriate choice for your business needs!
Don’t judge a book by its cover – or a signature by its name! A simple electronic signature will, in many cases, be the appropriate choice for your business needs.
What is an advanced electronic signature?
An advanced electronic signature is the second level of signatures. An advanced electronic signature will require the signee to identify themselves, typically by use of an electronic ID (e.g. Nordic BankID) or passport verification. The signee shall also be in sole control of the whole signing procedure, meaning that they are the only one who can (or should be able to) make the signature. Oftentimes multi-factor identification is used to achieve this. Lastly, it must be possible to verify that the document was not tampered with post signing, achieved by encryption.
For the signee user experience, the key difference between simple and advanced is the identification step. In the Nordics, you typically use your phone and BankID (the electronic identification system used in the Nordics).
Advanced electronic signatures might be the appropriate choice for more sensitive contracts that call for a higher confidence in the identity of the signatory. National legislation may also impose requirements on advanced electronic signatures. For example employment contracts, stock option contracts or especially valuable sales contracts might require advanced electronic signatures.
Requirements for advanced electronic signatures
An advanced electronic signature shall meet the following requirements:
(a) it is uniquely linked to the signatory;
(b) it is capable of identifying the signatory;
(c) it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
(d) it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
What is a qualified electronic signature?
A qualified electronic signature is the last and highest level of signatures. This is the only level of signatures that explicitly is equivalent to a handwritten signature.
On top of the requirements for the advanced signature, a qualified signature would require identification verification by a face to face meeting, online video meeting or equivalent when placing the actual signature. Furthermore, the creator of the signature must be a qualified electronic signature device and the signature must be based on a qualified certificate, which can only be issued by a Qualified Trust Service Provider (QTSP) – more information below.
Qualified electronic signatures, according to the EU regulation on electronic signatures, are the only signature acknowledged as equivalent to handwritten signatures. On top of the identification measures required for advanced signatures, QES also requires the signatory to further identify themselves, sometimes by face to face meetings, or via video meetings The signature must be delivered by a QTSP (Qualified Trust Service Provider). This level of signature will be appropriate for your most sensitive contracts.
(12) ‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;
Qualified certificates for electronic signatures
- Qualified certificates for electronic signatures shall meet the requirements laid down in Annex I. […]
ANNEX I – Link
ANNEX II – Link
What is a Qualified Trust Service Provider?
To be able to provide qualified trust services under eIDAs, a provider must be a Qualified Trust Service Provider (QTSP). It is the member states that qualifies (certifies) the providers. The member state also reports the providers they have qualified to the EU. The list of QTSP’s can be found on the EU Commission’s website here.
It is important to note that there is no requirement to be a QTSP unless you provide qualified signatures. Since applying to become a QTSP is quite a comprehensive procedure, signing providers not providing qualified services do not, by nature, apply for QTSP. So, if you are only in the game for simple and advanced signatures, don’t mind the QTSP certifications.
How do I choose my E-signing provider?
Now you know all you need to know to make an informed decision about your e-signing provider. As always in the legal world – your choice will depend on your specific situation. Therefore, we recommend you consider the below before making your final decision.
The national requirements
Has your country established national rules around electronic signatures?
Yes, eIDAs set the standard for electronic signatures in the EU. Still, the member states may require certain contracts or documents to be signed by hand, by advanced signatures, or even qualified signatures.
In Sweden for example, it is now possible to sign your annual report with advanced electronic signatures. (Årsredovisningslag (1995:1554), 2 kap. 7 §)
The industry requirements
Does your industry call for a higher level of signature?
Although not required by law, you may want to go for the advanced or qualified level if you are in the banking or financial sector. Or perhaps using advanced signatures has simply become standard practice in your field.
The sensitivity of your documents
How important is it that you can trust the signature process of a specific contract?
A simple NDA might for example be executed with a simple signature. Whereby a stock option agreement would call for one of the higher levels.
The gut feeling
Honestly, what is your gut telling you?
While it is tempting to opt for the best, i.e. Qualified Electronic Signatures, just to be on the safe side, you may end up both complicating processes and overpaying for your signatures.
In the same way, you may also feel more comfortable going for the advanced signature. In the Nordics for example, we use our BankID’s several times a day for different purposes. Using it for signatures is therefore very familiar and makes you, the contract issuer or the signee, feel safe.
Nevertheless, simple signatures do include much more data than a handwritten signature. They are going straight to the signer’s email inbox, and you don’t have to worry about losing a page on the way. They are smooth and they are good!
If you have more questions about electronic signatures in the EU, check out the European Commission’s FAQ and glossary here.
What does Precisely offer?
Precisely is a contract lifecycle management software (CLM), and we offer all different levels of electronic signatures, with a various number of providers. Our default solution Dropbox Sign (formerly HelloSign) is simple signatures, whereas, for example, Nordic BankIDs qualify as advanced. We also have EU options where you can upload a copy of your passport. On top of this, we have the possibility to offer qualified electronic signatures with a selection of providers.
To learn more about Precisely’s electronic signature providers, check out our integrations information or book a demo to talk to our contracting experts.
We also want to highlight that we are always open to integrate with new signing providers, and finding the best solution for our customers. Please reach out to us should you have any further questions on the options available for you.
Disclaimer: this article was written by Precisely’s in-house Legal & Compliance Manager, but only for informational purposes and shall not be interpreted as legal advice.