The Signicat Blog
Alexis Bischof-Plunkett

SMB Marketing Manager

Signed, sealed... but maybe not compliant?

Your contract is signed! You are out of the woods! All clear. Everything is compliant, right? Except it might not be.

It’s a nightmare scenario: what if you found out that your electronic signature was not compliant after all, and that the contract you signed may not be legally binding?

Electronic signatures have been around for nearly half a century. Nevertheless, solutions for everyday use have only become mainstream in the last few years. A lot of people who have used some of those platforms are under the impression that their electronically signed document is fully compliant with relevant regulations and that they are safe. They may be wrong. Your own work contract might not be valid. The apartment you recently bought from abroad might not really be yours!

# What does it take to be compliant?

The eIDAS Regulation is the common legal framework for electronic signatures in the EU. eIDAS defines three levels of signatures: the (simple) electronic signature is almost at “anything goes” level, the Advanced Electronic Signature is at a good security level, and the Qualified Electronic Signature is the top level. One cannot get any higher than a qualified signature.

eIDAS clearly states that “An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures”.

So, as a starting point, any electronic signature can be used. But that is not always the case. Many EU Member States have national laws that require certain deeds to be settled by qualified (or advanced) signature if they are done digitally. What happens if you end up signing such a deed using one of those “scribbled signature” online services that are not up to the requirements? The answer is that it depends on national law, but there is a clear risk that the agreement is deemed not binding.

Then there is the quality-of-proof aspect. Although the simplest electronic signatures may be admissible in court, there is no guarantee that you will win the case based on such signatures. The stronger the signature, the stronger the evidence and the higher the odds of winning, especially if you have a qualified signature.

Why? Because a court is likely to start from the legal presumption that a qualified signature that validates correctly is made willingly by the person identified by the signature. And the signature is bound to the content of the document in such a way that subsequent changes, after signing, will be detected.

This is one example of a case where our qualified signature validation service gives you a boost. This service provides a comprehensive validation report by a qualified trust service provider, audited and supervised for both security and objectivity of the answer. If this report says “valid”, then someone opposing it in court will have a tough job.

So, a qualified signature is bulletproof, sweeping all doubt aside? Almost, but nothing is 100%. If someone manages to convince the court that they were misled, threatened, or believed they signed something other than what they did, then not even a document signed with a valid qualified signature will be legally binding. But getting such a claim accepted will be a tough job.

Especially if the document is signed through the Dokobit portal! Here, Dokobit as a neutral actor controls the signing process, ensuring that the document is shown in a trustworthy way and that the signer willingly consents to signing. Now, if you are forced to sign by someone pointing a gun at your head, that cannot be detected, but other claims of being misled should be fenced off.

Why would anyone doubt the authenticity of a signature, I hear you ask. Well, this is about regulating conflict and providing trust from scratch, not just providing electronic signatures. Proof of a document of any kind, whether a contract, a lease, a bill of sale or the napkin detailing chores for pocket money done by a prodigal son, relies on the fact that it was actually signed by the parties involved.

It begs the question, how would you prove it wasn’t?

Well, it’s not that hard! It takes three minutes. Validate your document in Dokobit now.

# Documents are signed by people who never meet.

Deals are often done online today. The internet is slowly robbing most businesses of the illusion that people will accept showing up physically to do so.

In fact, entire industries are growing out of confidently doing “high-value, high-volume” business without ever meeting their clients, and not meeting them is the main reason it works in the first place. Once conflicts have arisen, you can be sure one party is looking for ways to get out of it. The once conveniently easy electronic scribble now turns into a risk. A liability. People will want to argue its lack of authenticity. Its lack of assurance. They will try to repudiate it. Or, in case of fraud, leave you with the bill.

# Once you have seen this, you cannot unsee it.

Let’s say you signed a document using a vendor of electronic signatures who can’t verify the identity of its users. Yes, you received an SMS to your phone. Yes, you were sent an email asking you to verify by clicking a link. It works for most honest cases.

However, none of these systems require identity verification.

By verification we mean the assurance level of an old-fashioned nightclub age limit inspection: a real person looking you in the eye, checking whether the ID you brought actually matches your face, or whether you just “borrowed” it from your older brother. Verifying by phone text or email just means that a phone, or an email address, is linked to the signature. Your problem is that someone else may have had access to the phone, and anyone can make an email look like it came from anyone else. In short, the signature on your contract may be less secure than a fake ID at the club.

Furthermore, identity verification is not the only security measure baked into an electronic signature with a high level of assurance. Today, electronic signatures with a high level of assurance employ a whole bunch of tactics to build trust between parties in a digital world, the place in which you will never actually meet anyone.

The Dokobit validation service can prove that your signature complies with the relevant EU regulations. For example, you can validate that it meets the standards for a Qualified Electronic Signature (QES), which means you are guaranteed to be compliant and that you have the strongest proof possible for your signature. If you go for a lower level of assurance, like verifying via phone text or email, the risk increases, and for the very weak signature methods the risk might simply be too big.

# How to make sure you have a legally binding electronic signature

# 1) You can see who has signed:

There will be an actual name: at least the first name and last name will be displayed. Depending on the case and the country in question, you may even get a national identity number that uniquely identifies the person, or at least a date of birth that, together with the name, is close to unique. These elements will be incorporated into the signed document, either as metadata or visually next to the signer's name. It will not be an e-mail address or the name of a Disney character.

# 2) When it was signed:

The date, month and year of the signature are incorporated into the document, together with the hour, minute, second and even microsecond of the action. This should always be included in the metadata. To be absolutely sure, one should make use of certified qualified timestamps from trusted third-party providers.

# 3) That the signer's identity is verified:

You will always be able to know when it was signed, and what type of electronic identity was used for verification.

# 4) If the used certificate is the correct one:

There are many ways to validate and make sure the signature is properly generated according to all requirements. A compliant electronic contract carries plenty of metadata that we don't see visually. When e-signatures are validated, we are talking about, for instance, checking the time stamps and that the signer had the correct identification.

# 5) If the certificate was provided by a Qualified Trust Service Provider (QTSP):

The EU has a list of all the qualified trust service providers within the EU, and Signicat and Dokobit are both on that list. These actors should be trusted for their services. This list should be used to check (1) whether the certificate is trusted, (2) whether the certificate is qualified and (3) whether it is stored in a QSCD, a qualified signature creation device. A validation service can easily see whether the contract has just an advanced electronic signature or, better, a “qualified” one: one that nobody, for instance someone at a bank, could actually fake if they wanted to claim they have a contract with someone.

# 6) If the document was tampered with, after it was signed:

A trusted tool to check your contract should also be able to take advantage of a “validation action”: a place where all the metadata is validated and goes through several checkpoints. The metadata should always match in the check-up, and if it does not, the software (Dokobit) should know that something does not add up and that something in the document has been tampered with. It might not know exactly what has happened, such as whether something was deleted or added, but it definitely knows that something has changed. And if something has changed, it is not possible to trust the document anymore.

To actually be able to check all six of these legal marks, you will need a way to verify them. Dokobit by Signicat is the name of the digital tool to do just that!