Electronic signatures on digital documents save costs, speed up processes and avoid media breaks between paper and digital workflows. To benefit from secure electronic signing in Switzerland, the services of a so-called certification service provider are required. Because Switzerland is not a member of the European Union, it is not subject to the EU eIDAS Regulation. Instead, Swiss law regulates the matter in an independent federal act, the Federal Act on Electronic Signatures (ZertES). It sets out the legal requirements for the quality and use of electronic certificates, including electronic signatures, as well as the requirements that certification service providers must meet.
What exactly are certification service providers, which services do they offer, and which legal framework applies to them? This guide answers these questions.
A certification service generally has the task of confirming data in an electronic environment and issuing digital certificates. In the context of electronic signatures, it receives, verifies and registers the data of the signer or the signing organisation and issues signature certificates. These certificates can then be used, together with electronic time stamps, in signature applications or solutions. The law itself defines only the offering of a qualified electronic signature; it does not prescribe the applications in which it is used.
According to Art. 3 ZertES, certification services may be provided by domestic or foreign organisations that can demonstrate staff with the necessary specialist knowledge, experience and qualifications, and that operate reliable and trustworthy systems such as signature and seal creation devices. The Swiss Accreditation Service (SAS) of the State Secretariat for Economic Affairs accredits the bodies that recognise certification service providers, referred to here as the supervisory authority. In Switzerland, KPMG is accredited and recognised as the official supervisory authority. The SAS publishes the list of recognised providers of certification services on its website. The supervisory authority audits the providers periodically and thereby regularly checks that the requirements for offering certification services are still met.
A certification service provider issues regulated and qualified certificates and time stamps. Regulated certificates can be issued to natural persons or to organisations, the so-called UID entities listed in Switzerland's UID register. For this purpose, the provider generates, stores and uses private cryptographic keys within a public key infrastructure (PKI) on secure signature and seal creation devices. It may also hold and manage the private keys on behalf of the signatory as part of a remote signature service; in that case the signatory never handles the key directly, so the provider's key protection and the signatory's authentication to the service become the critical security controls. The identity and data of the signatory must be verified as part of registration for the service; this task may also be delegated to a third party under Art. 9 No. 6 ZertES (so-called "delegation of the registration authority activity"). Providers must document all their activities, maintain a directory service for the certificates and, for example, revoke certificates that were obtained unlawfully.
Thanks to certification service providers, legally valid electronic transactions are possible in Switzerland today. Certificates not only secure communication; they also ensure that the integrity of a signed document can be verified within the scope of the signature and that its authorship can be proven.
The Federal Act on Certification Services in the Field of Electronic Signatures and Other Applications of Digital Certificates, "ZertES" for short, in force in its totally revised form since 1 January 2017, regulates the requirements for the quality of certificates and their use, as well as the prerequisites, rights and obligations of certification service providers. The act forms the legal basis for the electronic signature in Switzerland and, together with Art. 14 para. 2bis of the Swiss Code of Obligations, places the qualified electronic signature on a par with the handwritten signature.
The Ordinance on Certification Services in the Field of Electronic Signature and Other Applications of Digital Certificates, also called "VZertES" for short, supplements the federal law ZertES with more detailed regulations, e.g.
The Technical and Administrative Regulations on Certification Services in the Field of Electronic Signatures and Other Applications of Digital Certificates, "TAV" for short, form an annex to the VZertES and refer to the exact standards that providers of certification services must comply with. These are the same standards that the eIDAS Regulation refers to: standards of the European Telecommunications Standards Institute (ETSI), but also ISO/IEC and CEN standards and US standards such as FIPS.