The EU Regulation No. 910/2014 (the “eIDAS Regulation”) recently came into force and established a new legal regime for electronic identification (“eID”) and trust services for electronic transactions. The eIDAS Regulation repeals Directive 1999/93 (the “Directive”) and directly applies across all EU Member States, therefore it does not require national law to implement it.
Aims of the eIDAS Regulation
The eIDAS Regulation introduces mutual recognition of eIDs and electronic trust services (including e-signatures, electronic seals, electronic time stamps and website authentication).
In respect of e-signatures, the eIDAS Regulation is designed to ensure that businesses and others carrying out transactions within the EU will be confident in knowing that their e-signatures will be legally valid for the purposes of executing documents. Once the legal validity of e-signatures is no longer in doubt, it is envisaged that digital interactions will become the de facto mode of carrying out transactions, particularly in the case of cross-border transactions.
Previous Legal Framework
The previous legal framework for e-signatures was provided for by EU Directive 1999/93 (the “Directive”). The transposition of the Directive in EU Member States, however, had resulted in uncertainty around the legal validity of e-signatures.
The Directive was transposed into Irish law by virtue of the Electronic Commerce Act 2000 (the “Act”). The Act provided that e-signatures have the same legal effect as traditional “wet ink” signatures, with exceptions to include: wills, codicils, trusts, enduring powers of attorney and any document in which an interest in real property may be created, acquired, disposed of or registered other than contracts for the creation, acquisition or disposal of such interests, which are excluded from the scope of the Act.
The eIDAS Regulation
Mutual Recognition of eIDs
The eIDAS Regulation requires EU Member States to recognise and accept any means of eID issued in another Member State which has been notified to the Commission, as set out in the eIDAS Regulation. The notification of accepted means of eID is voluntary. eIDs which have been notified will be published in the Official Journal of the European Union.
Legal validity of e-signature
The eIDAS Regulation provides that e-signatures should not be denied legal effect on the basis that it is in electronic form. As noted above, there was a lack of clarity surrounding the legal validity of e-signatures, due to the implementation of the Directive. The eIDAS Regulation now seeks to remedy this uncertainty.
Three levels of e-signature
The eIDAS Regulation recognises three of levels of e-signature:
- simple e-signatures: these are “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”. Anything which falls into this definition qualifies as a simple e-signature, for example, a typed signature.
- advanced e-signatures: an advanced e-signature is an electronic signature that:
- is uniquely linked to the signatory
- is capable of identifying the signatory
- is under the sole control of the signatory
- is linked to the data signed in such a way, that any changes invalidate it
- qualified e-signatures: a qualified e-signature is a signature that is created by a qualified electronic creation device and based on a qualified certificate for e-signatures.
Trust Service Providers and Supervision
The eIDAS Regulation provides that EU Member States are to designate a supervisory body (or bodies) to regulate qualified trust service providers - previously called certification service providers. These can either be qualified or non-qualified. The eIDAS Regulation also introduces an EU ‘Trust Mark’. This is for qualified trust services. Once acquiring the qualified status, the qualified trust service provider may use the EU Trust Mark to indicate a higher standard of security. Qualified trust service providers are required to abide by stricter rules and are more closely monitored by the supervisory body.
The supervisory bodies shall be established to supervise both forms of trust service providers to ensure that they meet the requirements as set out in the eIDAS Regulation. Both trust service providers are required to take technical and organizational measures to manage the risks posed to the security of the trust services they provide, and notify the supervisory body in case of a security breach. Where the security breach is likely to affect a natural or legal person, the trust service provider is required to notify the affected party. The supervisory body shall report on a yearly basis the security breaches to ENISA.
Member States may also establish a supervisory body in the territory of another Member State upon mutual agreement.
The eIDAS Regulation states that an electronic seal shall not be denied legal effect and admissibility in court proceedings solely on the grounds that it is in electronic form. The eIDAS Regulation recognises three levels of electronic seal, similar to that of e-signatures.
Electronic time stamps
An electronic time stamp is defined in the eIDAS Regulation as data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time. The eIDAS Regulation again provides that an electronic time stamp shall not be denied legal effect and admissibility as evidence in legal proceedings, solely on the grounds that it is in an electronic form.
An electronic time stamp shall be qualified where it meets the requirements as laid down by Article 42 of the eIDAS Regulation, namely:
- it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably
- it is based on an accurate time source linked to Coordinated Universal Time
- it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method
Companies Registration Office and e-signatures
The Companies Registration Office (“CRO”) have confirmed that they now accept some CRO documents which have been executed under e-signature. These documents include:
- B1 form – a form setting out a company’s annual return
- B10 form – a form setting out the changes in the company’s director/secretary
- C1 and C1A form – a form to register particulars of a charge in the State
More documents are to follow suit in the future.
The UK Companies House currently accept all forms of documents executed under e-signature.
The long term goal of the eIDAS Regulation is to increase and enhance cross-border e-commerce within the EU. The eIDAS Regulation will lead to increased uniformity between Member States and will ensure that enhanced security measures are used in electronic transactions.
Clients using electronic signatures to authenticate their transactions should be aware of these new provisions, including the unique electronic identification and the stricter supervisory measures which will apply to trust services.