Why using Qualified Electronic Signatures is the safest option when digitizing your signing process.
Whether you are a small or large business, an international company, or just an individual person, you need to be certain your digital transactions are fully legal, accepted across borders, and completely secure. But in reality, what you are signing when making a deal is just ones and zeros on a computer. You never sign the actual, physical document, so you need to be extra certain that those bits and bytes are handled securely.
You don’t want to make a business deal, have it fully signed and delivered, and then discover that you have no grounds to enforce it. This is why, when making these types of agreements, you should always use electronic trust service providers (TSPs) which operate under the EU regulations.
But for the highest level of security, and for your peace of mind, a qualified trust service provider (QTSP) should be involved.
1. What is a Qualified Electronic Signature?
There are three main types of electronic signatures according to eIDAS, the European regulation for electronic identities and trust services. Each type represents an increased level of legally binding signatures, but national laws decide which type of signature is binding in the end.
First of all, there is the Standard Electronic Signature (SES), sometimes also called a Simple Electronic Signature, which is a scribble on a screen or an e-mail message, for example. This could be a signature drawn on an iPad or with a mouse. In some regions, a Standard Electronic Signature can be a legal way to get approval on electronic documents and transactions, but it’s important to keep in mind that with SES, there is no evidence that the signee is who they say they are. Nor is there a binding to the information you are signing, or protection against changes.
Then, there are Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES), which both require a digital signature. This means that the document and signature are protected by cryptographic means.
The requirements of an AES are:
- The identity of the signer is verified, i.e. by a trust service provider.
- Nobody else can sign on behalf of a user (under sole control).
- Any changes to the document after signing will be flagged (tamper evident).
A Qualified Electronic Signature (QES), however, is the most secure type of electronic signature. The official definition is that it is an AES created using a QSCD (Qualified Signature Creation Device) and based on a qualified certificate. It allows you to sign documents with high security assurances, so that they are recognized and legally valid across the European Union. A QES has the following requirements:
- It needs dedicated hardware: a special qualified signature creation device (QSCD) which only the user can use. This can be, for example, a card reader or mobile phone, or the QSCD can sit in a secure environment with a Qualified Trust Service Provider (QTSP).
- It requires the use of a Qualified Trust Service Provider (QTSP) for the actual signing process.
- It adds a certificate-based digital ID, which is issued by the QTSP.
In Belgium, qualified electronic signatures are required, while the Nordics accept advanced electronic signatures as legally binding.
2. What are the main uses for Qualified Electronic Signatures?
The need for qualified electronic signatures depends on the legal framework of the country you are in. If advanced electronic signatures are considered binding, you do not need to use qualified electronic signatures. QES may not even be available yet. If QES are available, they should be used in any business where there is a high risk of fraud or scams, from financial institutions to telecommunications, to military and government documents. Having a secure signing system is particularly vital today, as scams during the COVID-19 pandemic are at an all-time high.
Various sectors of the economy, for example finance, banking, insurance and health, are obligated by law to protect a customer’s identification and personal information. With more and more business now being done online, it’s more important than ever to invest in a secure signing solution. According to the eIDAS (Electronic Identification, Authentication and Trust Services) regulation, QES shall be recognised at the same level of assurance as the ‘wet signature’, i.e. a handwritten signature. It is up to the legal system of a country to decide whether an AES is accepted or not, but a QES shall always be undisputed.
QES can be used in circumstances involving the signing of contracts or loans where two or three parties from different areas are involved. Some relevant examples are bedrock agreements of life, such as labour contracts, corporate documents, tax returns and applications, consumer credit contracts, notaries, and inheritance documents.
For example, in Belgium the law requires QES for employment contracts or a will.
3. Why any electronic signature including qualified signatures means a faster turnaround time
Along with being a very safe form of electronic signing, a QES has many other benefits. In general, electronic signatures provide a faster turnaround time. However, with the high levels of assurance a QES provides, choosing this type of electronic signature can mean a quick turnaround of higher-risk documents or contracts. Take, for example, a leasing company for cars or other vehicles. During COVID-19, some car companies have halted production. Customers tend to visit dealers in person to do test drives and sign contracts. The faster you can order a car, the faster it can go into production. If a company has a number of documents that need to be signed by various parties, the usage of QES through a QTSP (Qualified Trust Service Provider) would accelerate that business at a high rate.
This is because dealers can send everything under the most secure electronic method, and documents can be countersigned by both parties and sent to the bank for the loan countersignature. The transfer of documents is instantaneous and you won’t have to wait for days to complete the deal. This saves time and can help to avoid the delayed purchase of products. You can email a copy to everyone with the final signatures on it. It also leads to electronic archiving of your contracts, which in the future will be very important for using Artificial Intelligence to analyse the data, or for keeping a record of the contracts.
4. How do I determine if I need Qualified Electronic Signatures instead of the other types of electronic signatures?
In some countries, QES is a requirement in certain cases. For example, there are countries with their own State-sponsored QES methods, like Belgium.
Belgium has an eID (electronic identification) signature method. The eID card is essential in Belgium and it has two certificates: a certificate for authentication and a certificate for electronic signing. The eID card allows holders to sign documents electronically through a third party and the signature that is produced is a QES. It has the same legal validity as the traditional handwritten signature.
Simply put, when the cost or risk of a problem for you and your customer is high, you need Qualified Electronic Signatures. You need to assess the likelihood of:
- Having a problem – are you certain about the identity of a signee? Consider if there are areas where your business is vulnerable to fraud if you do not know the true identity of who you are dealing with.
- Impact of having that problem – can this lead to money laundering or other illegal activities that will impact both your business and your customers?
However, there are a lot of countries in Europe that do not have a QES method or believe they may not need one. In those cases advanced electronic signatures will be sufficient.
5. How is QES regulated?
Qualified Electronic Signatures are regulated through eIDAS (Electronic Identification, Authentication and Trust Services), which sets out EU regulations for electronic transactions in the internal market.
eIDAS defines trust services for supporting electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. It provides one common legal framework for all parties relying on or providing those types of services.
This makes it much easier for you and your customers to conduct secure digital transactions in your own country, and across European Union (EU) member states.
6. Qualified Electronic Signatures provide the highest level of assurance from a legal perspective
Under eIDAS, a QES produced through qualified trust service providers (QTSPs) carries the highest value of identity evidence. QES does not need any additional proof in the case of a dispute.
As the digital equivalent of a handwritten signature, if a QES is used as evidence in a court of law, it cannot be easily disputed because of the non-repudiation nature of the QES. This means the signatory cannot deny they are responsible for the creation of the signature. Other forms of electronic signatures may need more information or supporting documents in the case of a dispute.
7. With QES, business-critical information cannot be tampered with
A QES is secure due to the fact that the actual signature process is usually done in dedicated hardware – even if the signature is distributed through a network later.
This dedicated hardware is known as a Qualified Signature Creation Device (QSCD) and it is specific, complex hardware used to create a QES. The device must meet the requirements laid out under eIDAS. These are the following:
- The signature must be uniquely linked to the signatory and identify them.
- The data used to create the signature must be under the control of the signatory only.
- The QSCD must have the ability to identify if the data that accompanies the signature has been tampered with since the signing of the message.
There is also a requirement for an electronic timestamp to be added. Anyone can look at their watch and tell the time. It’s much harder to trust a time from the past when it is embedded into a document. Was it signed at that time? When a timestamp is added by a QTSP, however, it guarantees that the document was really signed at the time specified. Just like a signature provides information about who signed the document, a timestamp provides information about when it was signed.
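The tamper evidence and timestamp binding described above can be shown in a few lines of Go. This is an added example, not code from the original article or from any QTSP. It assumes Ed25519 software keys standing in for keys held in a QSCD and by a timestamping service, and a simplified token rather than a real eIDAS timestamp format; `NewKey`, `stampInput`, `Sign` and `Verify` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// NewKey returns a software key pair (assumption: stands in for a QSCD-held key).
func NewKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// stampInput builds the bytes the timestamp authority signs.
func stampInput(sig []byte, t int64) []byte {
	d := sha256.Sum256(sig)
	buf := make([]byte, 8)
	binary.BigEndian.PutUint64(buf, uint64(t))
	return append(d[:], buf...)
}

// Sign signs the document digest; the authority key then signs
// SHA-256(signature) || t, binding the signature to time t (Unix seconds).
func Sign(doc []byte, signer, tsa ed25519.PrivateKey, t int64) (sig, token []byte) {
	d := sha256.Sum256(doc)
	sig = ed25519.Sign(signer, d[:])
	return sig, ed25519.Sign(tsa, stampInput(sig, t))
}

// Verify reports whether the document is unchanged and the claimed time is attested.
func Verify(doc, sig, token []byte, t int64, signer, tsa ed25519.PublicKey) (docOK, timeOK bool) {
	d := sha256.Sum256(doc)
	return ed25519.Verify(signer, d[:], sig), ed25519.Verify(tsa, stampInput(sig, t), token)
}

func main() {
	sPub, sPriv := NewKey()
	tPub, tPriv := NewKey()
	doc := []byte("Lease: 36 months, EUR 400/month") // constructed sample
	sig, token := Sign(doc, sPriv, tPriv, 1614592800)
	fmt.Println(Verify(doc, sig, token, 1614592800, sPub, tPub))              // true true
	fmt.Println(Verify(append(doc, '!'), sig, token, 1614592800, sPub, tPub)) // false true
	fmt.Println(Verify(doc, sig, token, 1614592800-86400, sPub, tPub))        // true false
}
```

A changed document fails the signer check, and a backdated time fails the authority check, because the claimed time is part of what the authority signed.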