Author: Mario Voge

E-signatures: Choosing the right level for your digital processes

The signature remains the last analog hurdle in various processes that are otherwise already 100% digital. Electronic signatures can help make these processes completely digital, even in highly regulated areas. But be careful: not all electronic signatures are equal. The legislator (the EU) distinguishes between three levels. Here is what simple, advanced, and qualified signatures are all about.

1. The simple electronic signature (SES)

The simple signature only consists of "data in electronic form which is attached to or logically associated with other data in electronic form and used by the signatory to sign" (eIDAS Article 3). This type has no further requirements, so any conceivable form is possible. We most frequently use the SES when we write an e-mail: "Yours sincerely – John Smith," written as a greeting, is linked to the rest of the document and expresses that this e-mail comes from John Smith.

Still, from the regulatory point of view, it's a non-binding "Mickey Mouse signature" because an image is placed as a signature without any authentic value. The receiver won't know if John Smith or Mickey Mouse placed that "image."

There is also a variant with a scanned image of a handwritten signature. But, of course, this can also be copied directly. Everyone has probably received fraudulent emails in which criminals pretend to be friends or members of well-known companies. Why do we still use such signatures in business despite their high susceptibility to forgery? Because we deal with transactions or contracts that are underpinned in other ways. For example, we quickly pay the first installment of a mobile phone contract, confirming the purchase or service contract. Claiming afterward that we were unaware of this contract or never signed it would also be problematic in court.

2. The advanced electronic signature (AES)

The advanced electronic signature also relies on certificates (special data sets that confirm the characteristics of persons or objects and can be cryptographically verified). It requires that these have been "created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control" (eIDAS Article 26). It should also be possible to recognize subsequent changes to a signed document. However, the exact design of the process is left to the respective providers. Although the courts recognize this type of signature and it may not be rejected in court per se*, the free presentation of evidence comes into play, and the signature's authenticity must be proven in case of doubt. Therefore, the advanced signature is unsuitable as the sole means of proof in court.

Technically, the AES is similar to a qualified electronic signature (QES), but without the regulatory "proofing line" from the beginning (is it uniquely John Smith?) or proven evidence with attributes of that person.

3. The qualified electronic signature (QES)

The certified, audited solution within a QES declares the highest level of identification of that person, John Smith (validation of the authenticity), plus the unique binding of a chosen authentication means (an "electronic pencil", which will be used to declare: "YES, I want to sign that legally binding document, with all means behind").

In most legal systems, however, the reversal of the burden of proof applies to qualified electronic signatures: the signature's authenticity does not have to be proven but refuted in case of doubt. The QES is therefore equivalent to a handwritten signature in most cases*. This makes QES the method of choice for digital contracts in a highly regulated environment such as finance or the insurance industry. It is straightforward to use today and the ideal choice from a risk perspective.

However, QES is subject to strict regulatory requirements to guarantee this trust. For example, the certificates used for this purpose may only be issued by a certified and audited Trust Service Provider (TSP). In the European Union, their activities are precisely regulated in the eIDAS Regulation. In Switzerland, there is a corresponding equivalent in the form of ZertES. Swisscom Trust Services is registered as a TSP in both jurisdictions and can provide certificates for advanced and qualified signatures.

Conclusion

The choice of a signature level always depends on the respective use case. With legal counsel, companies should determine what legal certainty a specific process requires, how business-critical it is, and what liability risk may exist. Due to the more complex process, qualified signatures generally cost a little more, so they should only be used where necessary. The AES can also offer a secure and cheaper option for many processes. It is, therefore, best for companies to work with a TSP such as Swisscom Trust Services, which offers certificates for both cases.

 

 
Notes & Disclaimer

*“An electronic signature (either simple, advanced, or qualified) shall not be denied legal effect and admissibility as evidence in legal proceedings solely because it is in an electronic form or does not meet the requirements for qualified electronic signatures. Regarding qualified electronic signatures, they explicitly have the equivalent legal effect of handwritten signatures across all EU Member States.” https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/eSignature+FAQ

The information provided here does not constitute legal advice and is not intended to address legal issues or problems that may arise in individual cases. The information on this website is of a general nature and is provided for information purposes only. Swisscom Trust Services AG assumes no responsibility for the accuracy, completeness, or timeliness of the information contained on this website. Legal advice should only be obtained from qualified lawyers.

 


 
