From 1 July 2016, the Regulation (EU) No. 910/2014 known as “Regulation on electronic identification and trust services for electronic transactions in the internal market” (the “eIDAS”) will be effective in all Member States. The eIDAS Regulation integrates and implements the E- signature Directive 1999/93/EC (the “Directive”) that currently governs the operation of electronic signatures in the EU. The E-signature Directive has been in place for 15 years: it has gaps, legal and technical interoperability issues and does not cover the new technologies that have emerged since 1999 (such as mobile and cloud). Clearly an update was needed.
As of 1 July 2016 the Directive will be entirely repealed by and wholly integrated into, the eIDAS. The integration of the Directive into eIDAS means that any obligations which derive from the Directive, will still feature in the eIDAS. In addition to those parts of the Directive which have been integrated into eIDAS, there are some new measures in eIDAS, which were not previously in force in the Directive.
The eIDAS Regulation enables the use of electronic identification means and trust services by citizens, businesses and public administrations to access on-line services or manage electronic transactions.
With eIDAS, the EU has managed to provide a predictable regulatory environment and legal framework for people, companies (in particular SMEs) and public administrations to safely access services and do transactions online and across borders.
eIDAS divides electronic signatures into three types:
- Simple electronic signatures, which are “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” 10 This could be something as a photo of a signature.
- Advanced electronic signatures, which are uniquely linked to the signatory, capable of identifying the signatory. Moreover this type of signature is created using electronic signature creation data that a signatory can, with a high level of confidence11, use under his/her sole control and it is linked to the data signed in such a way that any subsequent change in the data is detectable12.
- Qualified electronic signatures, which are “advanced electronic signatures that are created by a qualified electronic signature creation device, and based on a qualified certificate for electronic signatures.” 13
eIDAS sets out minimum requirements14 for what constitutes a “qualified electronic signature creation device”; for example, the confidentiality of the electronic signature creation data used for creating the electronic signature should be reasonably assured.
In addition, the electronic signature creation data used for creating an electronic signature, with reasonable assurance, should be protected against forgery, and must not be derived from another source.
Moreover, a qualified trust service provider may only generate electronic signature creation data on behalf of the signatory. Certification service providers (as they are currently identified in the Directive) will be replaced by “trust service providers” (TSPs), defined in eIDAS as entities that provide one or more trust services15. Such services include the creation, verification and validation of electronic signatures and seals, and the preservation of such electronic signatures and seals. Member States will be required to designate a supervisory body for supervising TSPs and ensuring that TSPs comply with their obligations under eIDAS. Under eIDAS, all TSPs will be liable for damage caused intentionally or negligently due to a failure to comply with their obligations under eIDAS.
eIDAS also sets out the details16 of what a “qualified certificate for electronic signatures” should contain, such as: (i) the name of the signatory; (ii) details of the beginning and end of the certificate’s period of validity; and (iii) the advanced electronic signature of the issuing qualified trust service provider.
Under eIDAS, an electronic signature (whether qualified or otherwise) must not be denied legal effect and admissibility as evidence in legal proceedings just because it is electronic in nature or fails to meet the requirements for a qualified electronic signature.17
A qualified electronic signature is automatically granted the equivalent status of a handwritten signature18. Furthermore, a qualified electronic signature based on a qualified certificate issued in one Member State must be recognised as a qualified electronic signature in all other Member States19. The scope of eIDAS expressly includes electronic signatures, electronic seals, electronic time stamps, and electronic registered delivery services and there are specific provisions which govern the recognition of each authentication method. However, it is up to each Member State to define what type of signature is required for a particular contract.
In conclusion, eIDAS will provide for usable, trustworthy and convenient signatures for citizens and businesses in e-procurement, e-invoicing, signing contracts online, tax online, e-health, online banking and much more across all the Member States.