Not All E-Signatures Are Created Equal – Don't Get Caught Out

When was the last time you signed a document using a pen and paper? Chances are that it was a while ago. In our day-to-day working lives, e-signatures have now almost entirely replaced wet ink signatures for sales contracts, vendor/supplier agreements, HR paperwork and more.

This has enabled organizations to significantly speed up administrative processes, save time and eliminate paper waste. But not all e-signatures are created equal. In fact, EU eIDAS regulation – which applies across the bloc and in the UK too – sets out three distinct types of e-signatures. Each of them has unique traits that affect their legality and enforceability. Let’s take a closer look at how they differ.

1. Simple Electronic Signatures

The EU’s definition of a simple e-signature is extremely broad, covering almost any form of electronic message associated with an individual. Your email signature, the e-card you signed recently for your colleague’s birthday, that free e-signature tool you’re using – they’re all simple e-signatures.

Whether simple e-signatures are considered legally admissible varies based on jurisdiction and how the signature was added – though no one’s likely to take you to court over the validity of your birthday greetings! Let’s look at the UK as an example, which has seen two contrasting rulings on this subject. In 2006, a court ruled that automatically generated email signatures didn’t provide sufficient evidence of the signatory’s intent to be legally enforceable. However, in 2014 another court determined that a regulated agreement under the Consumer Credit Act 1974 could be signed electronically using a simple e-signature, setting a liberal precedent around e-signature legality.

2. Advanced Electronic Signatures (AES)

Compared to simple e-signatures, advanced electronic signatures have a list of superpowers. An AES can identify and be directly linked to an individual signatory, and it lets both signatories and document issuers detect any subsequent change to the document that was signed. To do this, an AES relies on a public key infrastructure (PKI), a certificate-based public key cryptography system in which the signature is created with the signatory’s private key and checked against the public key in their certificate.

These features offer users more security, which in turn gives an AES a higher level of legal authority – making it a better candidate for business applications.

3. Qualified Electronic Signatures (QES)

Although it’s generally accepted in the EU that an AES must be ruled as admissible in legal proceedings, a qualified electronic signature has ‘more probative value’. In layman’s terms, this means courts will take it more seriously as a piece of evidence. So much so, that a QES is considered to be the electronic equivalent of a wet ink signature.

So, how do qualified e-signatures differ from advanced e-signatures? In addition to all the traits of an AES, a QES must be created by a ‘qualified signature creation device’ (QSCD), which stores the signing key. Examples of physical QSCDs include smart cards, SIM cards or USB tokens. It’s also possible for signatories to create a QES without having a physical device in their possession. In this instance, signatories remotely access a signing key, which is stored in a trusted service provider’s data center. This tends to be the preferred option for most organizations, as it removes the complexity of managing physical devices.

The second key differentiator between an AES and a QES is that the latter must be based on a ‘qualified certificate for electronic signatures.’ This certificate can only be issued by ‘qualified trust service providers’ (QTSPs), listed on the European Union’s database of trusted providers. For an organization to become a QTSP, it must undergo a robust series of assessments – as well as regular audits – to ensure it adheres to requirements set out in eIDAS regulation.

4. Timestamping – Something Else to Consider

Many organizations choose to enhance their e-signature processes with timestamping. This enables them to link documents to a precise time and date, which can be useful in establishing the sequence of events in legal cases.

As with e-signatures, eIDAS regulation sets out a list of requirements for qualified timestamps. They must not be modifiable, they must be based on coordinated universal time (UTC), and they must be provided by a QTSP. Qualified timestamps are legally valid for up to 30 years, unlike ordinary electronic and digital timestamps, which don’t have the same enforceability.

Are You Using the Right Type of E-Signature?

Although understanding the various characteristics of different e-signatures defined by EU law can be difficult at first, eIDAS regulation plays a crucial role in bringing more transparency, security and speed to electronic interactions between organizations. For that reason, businesses should take time to examine their e-signature processes and determine if they provide an adequate level of legal protection.

Find a complete portfolio of electronic and digital signature solutions here: Actalis electronic and digital signature solutions.
