Difference between advanced and qualified electronic signatures
In the wake of the digital revolution that has swept the world, countries have updated their regulations to incorporate digital signatures and facilitate online business. In the EU, the eIDAS regulation classifies three primary types of e-signatures: SES, AES and QES. This post clarifies the differences between them and provides guidance on which one may suit your business needs.
Advantages of digital signatures
Digital signatures have increasingly become a standard business practice in the EU for people and companies to provide legal consent. Everything from multimillion-dollar contracts down to basic record management and accessing government services is now possible via digital signatures.
There are many advantages to adopting digital signatures in place of wet ink on paper. They make it easier for citizens to access government services, reduce a company’s vulnerability to fraud, and cut costs and time.
Indeed, there are many reasons for a company or organisation to get on board with e-signatures, and with QES in particular. Below we set out the difference between advanced and qualified electronic signatures, after a brief explanation of the simple e-signature.
eIDAS and regulatory electronic signature standards
Within the EU, the electronic IDentification, Authentication and trust Services regulation, commonly known as eIDAS, governs electronic signatures. The eIDAS regulation defines three assurance levels of e-signatures to establish a common regulatory standard across EU member countries.
These include:
- Simple Electronic Signatures (SES)
- Advanced Electronic Signatures (AES)
- Qualified Electronic Signatures (QES)
Companies must consider their business needs when selecting the appropriate e-signature method. The core point of differentiation between the three formats of e-signatures relates to the level of security provided. SES is designed for low-risk scenarios, AES for moderate risk with high-volume demands, whereas QES is a robust signature format suited for large financial transactions that require a high level of security.
Simple Electronic Signature (SES): a brief explanation
An SES is the most basic level of e-signature that enables a user to accept something electronically. eIDAS provides a broad definition of what counts as an SES. To paraphrase the legalese, it is data in electronic form that is used by a signatory to sign. For example, scanned signatures and webpage tick-boxes for accepting terms and conditions both count as an SES.
The benefit for non-highly regulated companies using SES is that it is just a click. However, from a data security perspective, it does not ensure the integrity or authenticity of the signed document and limits the reach of a company’s digital performance and offering. The SES is not accepted as a compliant method for customer onboarding, as onboarding is considered a high-risk operation.
Advanced vs Qualified Electronic Signature (AES vs QES)
The more advanced digital signatures are AES and QES, each with different strengths and weaknesses.
The Advanced Electronic Signature (AES), unlike an SES, guarantees the authenticity and integrity of a signed document. An AES provides a more robust approach to electronic signatures by incorporating additional key security protocols. Under the measures stipulated by eIDAS, an AES must be uniquely linked to the individual and capable of identifying the signatory. In addition, the signature must be tied to the data being signed so that any changes are detectable.
These requirements are most commonly met when using Public Key Infrastructure (PKI) technology. Digital signatures that use PKI technology qualify for the AES standard as defined by eIDAS. The documents that may require an AES include employment contracts, bank documents and One-Time Passwords sent via text or email for login verification.
Even more advanced, a Qualified Electronic Signature (QES) provides the highest level of security for electronic signatures. It is based on the same security protocols as an AES. However, a critical difference between advanced and qualified signatures is that a QES requires a Qualified Signature Creation Device (QSCD) that generates signatures with a qualified certificate.
Only Trust Service Providers (TSPs) and Certification Authorities, such as Signicat, are eIDAS-approved organisations legally permitted to provide a QES certificate in the EU.
In addition, unlike an AES, a QES requires face-to-face or video verification of the signer as a prerequisite to being granted QES signatory capability. KYC companies such as Signicat are equipped with automatic video identification to provide their customers with the freedom of remote identification. Once the user has been verified, they are provided with a unique PIN code, which gives two-factor authentication of the signer.
With the high level of security a QES offers, in the case of a dispute the burden of proof lies with the party disputing the validity of the signature rather than with the company, the opposite of what happens with an AES.
Due to this, a QES is often used for the onboarding process and major contracts and documents such as commercial contracts, sale agreements and mortgage documents.
Which assurance level does my company need? Choosing between advanced and qualified electronic signatures
The primary factors a company needs to consider when deciding on a digital signature are which regulatory requirements it is obliged to comply with and how far it wants to go to do so.
If a company is highly regulated and one of its most important business concerns is maintaining a high level of security because it is dealing with major commercial agreements, then it should opt for a QES. It is the gold standard of electronic signatures and holds the same weight in court as a handwritten witnessed document.
Besides, with QES Multi onboarding from Signicat, choosing the Qualified Electronic Signature as your go-to for customer onboarding and all other identity-proofing processes assures that you comply with the highest European regulatory standards. Thanks to VideoID, it also means you offer the best user experience to your clients, with a fully digital and automated flow they can complete seamlessly in seconds.