eIDAS: changing landscape for eSignature regulations

Posted by Liaquat Khan on 15-Jul-2015 11:01:00

The eSignature landscape is changing with the introduction of eIDAS, including the legal recognition of electronic signatures in Europe.

The new eIDAS Regulation will replace the old 1999 EU Directive on Electronic Signatures. To help you understand the new landscape we have put together a summary of what the new Regulation promises in terms of making cross-border trusted communication easier, and of how we are ensuring our SigningHub platform remains the ideal vehicle for providing trusted online signing services.

Understanding the new eIDAS eSignature regulations

Why was eIDAS needed?

Electronic identification (eID) and electronic Trust Services (eTS) are recognised by the European Parliament leaders as essential building blocks for the Digital Single Market.

For several years, the European Parliament has worked on replacing the original EU Directive on Electronic Signatures (eSignatures Directive 1999/93/EC).

Although the original Directive recognised eSignatures as legally binding and promoted a certain class of signatures (popularly referred to as Qualified Signatures) as being equivalent to hand-written ink signatures in a court of law, the issue was that each EU Member State interpreted the rules differently. This led to a confusing situation where end-users needed to support multiple different signature creation and verification techniques to interoperate with parties in other EU Member States.

This went against the whole premise of e-signing, which was to cut red tape and make business easier. The EU's goal has always been for citizens to be able to conduct secure cross-border electronic transactions and take full advantage of their rights across the EU, from enrolment in a foreign university to access to electronic health records.

The main problem in the original eSignatures Directive was the gap in the area of e-identification services. Each Member State had differing mechanisms and levels of assurance for identifying users online, which were not mutually recognised across Europe.

What does eIDAS promise?

The new Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (referred to as eIDAS: electronic IDentification and Authentication Services) was published as Regulation (EU) No 910/2014 on 28 August 2014.

Most of its provisions will take effect from 1 July 2016. At that point it will repeal the existing eSignatures Directive and automatically override any inconsistent national laws in Europe.

The objective of the Regulation is to:

  • Allow both natural and legal persons (e.g. companies) to use their nationally recognised electronic identities (eIDs) in other EU countries to access e-government services, with the possibility of private-sector take-up on a voluntary basis.
  • Create a single digital market within the EU for e-Trust Services, by ensuring that such services work across borders and have the same legal effect as traditional paper-based processes. Legal certainty is an important prerequisite for businesses and citizens before they start interacting digitally.

The new eIDAS Regulation provides a legal framework to support the EU-wide recognition of eIDs used by Member States. Each Member State can identify the preferred eID methods that it uses internally and the assurance levels associated with those electronic identities.

This means that if you hold a government-issued or government-recognised eID card (e.g. the Belgian eID card), then under the new eIDAS Regulation you will be able to use your card as a formal method of online authentication in other Member States.

Initially this will be for other e-government services, but if it is successful the private sector will surely also come on board voluntarily, especially if it delivers on the promise of making business deals more efficient, faster and lower cost, as well as opening up business services to users across the EU.

In addition to plugging the cross-border eID recognition gap, the eIDAS Regulation builds on the definition of Qualified Electronic Signatures (QES) from the original EU Directive.

It now allows the use of server-side signatures (i.e. where the signer's key is held securely on a trusted server rather than locally under the sole control of the owner) and also mobile-based signatures. The security requirements are essentially the same as before, although they are clarified and set out in more detail.

The Regulation also introduces a set of new e-Trust Services (eTS), namely:

  • eSeals: these are digital signatures which can be applied by legal persons, e.g. companies (as opposed to e-signatures, which are only for natural persons). This leads to the concept of Qualified e-Seals applied automatically by companies, for example for e-invoice, e-statement or e-bill signing.
  • Time-stamping service: binds data to a trusted timestamp to independently prove when a particular transaction took place.
  • Electronic registered delivery service: proves that an identified sender sent an electronic document at a particular date and time, and that it was received unchanged by the identified recipient at a particular date and time.
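The following is an added example, not SigningHub's code or anything from the Regulation, that models what the time-stamping and electronic registered delivery services listed above actually bind: each piece of evidence carries the hash of the document (never the document itself), the asserted time, and the identities involved, and verification succeeds only while the document still hashes to the bound value. The key material, sample invoice and event times are constructed for the example; the service's seal is modelled with HMAC-SHA256 purely so that the code runs on the Python standard library, whereas a real qualified service signs with an asymmetric key held in an HSM and issues an X.509-certified token (RFC 3161 for time-stamps) that any relying party can verify with the service's certificate.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed key material for the example. A real qualified trust service
# keeps an asymmetric private key in an HSM and issues X.509-certified
# signatures (RFC 3161 tokens for time-stamps) that anyone holding the
# service's certificate can verify. HMAC stands in for that signature here
# so the example runs on the standard library alone, which also means the
# verifier below must hold the same key as the issuer.
TSA_KEY = b"constructed-tsa-key"
DELIVERY_KEY = b"constructed-delivery-service-key"

# Constructed sample document and event times.
SAMPLE_DOC = b"Invoice 2015-0042: 1,250.00 EUR, due 30 days from issue.\n"
SENT_AT = datetime(2015, 7, 15, 11, 1, tzinfo=timezone.utc)
RECEIVED_AT = datetime(2015, 7, 15, 11, 3, tzinfo=timezone.utc)


def digest(data: bytes) -> str:
    """Hex SHA-256 of the data; evidence binds this, never the data itself."""
    return hashlib.sha256(data).hexdigest()


def seal(key: bytes, fields: dict) -> dict:
    """Canonicalise the evidence fields and attach the service's seal."""
    body = json.dumps(fields, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return {**fields, "seal": mac}


def seal_is_valid(key: bytes, token: dict) -> bool:
    """Recompute the seal over every field except the seal itself."""
    fields = {k: v for k, v in token.items() if k != "seal"}
    body = json.dumps(fields, sort_keys=True).encode()
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, token.get("seal", ""))


def issue_timestamp(data: bytes, when: datetime) -> dict:
    """Time-stamping service: binds the hash of the data to the time at
    which the service asserts it saw that hash."""
    return seal(TSA_KEY, {"hash_alg": "sha256", "hash": digest(data),
                          "time": when.isoformat()})


def verify_timestamp(token: dict, data: bytes) -> bool:
    """The proof holds only if the seal is intact and the presented data
    still hashes to the bound value; any later edit to the document or to
    the asserted time breaks it."""
    return (seal_is_valid(TSA_KEY, token)
            and hmac.compare_digest(token["hash"], digest(data)))


def registered_delivery(sender: str, recipient: str, data: bytes,
                        sent_at: datetime, received_at: datetime):
    """Electronic registered delivery: one evidence record when the
    identified sender hands over the document, one when the identified
    recipient receives it. Both bind the same document hash."""
    h = digest(data)
    sent = seal(DELIVERY_KEY, {"event": "sent", "sender": sender,
                               "recipient": recipient, "hash": h,
                               "time": sent_at.isoformat()})
    received = seal(DELIVERY_KEY, {"event": "received", "sender": sender,
                                   "recipient": recipient, "hash": h,
                                   "time": received_at.isoformat()})
    return sent, received


def delivery_proven(sent: dict, received: dict, data: bytes) -> bool:
    """True when both evidence records are genuine, refer to the same hash,
    and that hash matches the document the recipient actually holds."""
    return (seal_is_valid(DELIVERY_KEY, sent)
            and seal_is_valid(DELIVERY_KEY, received)
            and sent["hash"] == received["hash"] == digest(data))


def run_demo() -> dict:
    """Exercise both services on the constructed sample and return each
    check's outcome so it can be inspected programmatically."""
    token = issue_timestamp(SAMPLE_DOC, SENT_AT)
    sent, received = registered_delivery("alice@example.com",
                                         "bob@example.com", SAMPLE_DOC,
                                         SENT_AT, RECEIVED_AT)
    backdated = dict(token, time="2014-01-01T00:00:00+00:00")
    altered = SAMPLE_DOC.replace(b"1,250.00", b"12,500.00")
    return {
        "timestamp_ok": verify_timestamp(token, SAMPLE_DOC),
        "timestamp_rejects_altered_doc": not verify_timestamp(token, altered),
        "timestamp_rejects_backdating": not verify_timestamp(backdated, SAMPLE_DOC),
        "delivery_ok": delivery_proven(sent, received, SAMPLE_DOC),
        "delivery_rejects_altered_doc": not delivery_proven(sent, received, altered),
        "received_after_sent": received["time"] > sent["time"],
    }


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Running the module prints each check and its outcome; every check should report True. The design point worth noting is that neither service ever stores or signs the document itself, only its hash, so the evidence can be kept and verified long after the transaction without the service holding the content, and a verifier always has to recompute the hash of the document in front of it rather than trust the one printed in the token.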


How SigningHub Complies with eIDAS

The strength of SigningHub's flexible and open architecture is that it can incorporate multiple external e-Identity Providers (IdPs). Rather than relying on us as the identity provider, you can rely on trusted government issuers of electronic identity for your e-signatories.

Using this approach, the eID providers notified by EU Member States can be registered in SigningHub as trusted authorities. SigningHub not only recognises multiple X.509-based identity providers in the form of Certificate Authorities (CAs) but also supports the SAML v2 protocol for connecting with external IdPs.

Where the user already holds a Qualified digital certificate from a Certificate Authority (CA), it can be used within SigningHub. Alternatively, a certificate can be created automatically as part of the user registration process. SigningHub can connect with multiple trusted CAs for this user certification process.

Furthermore, identifying and registering each Member State's list of trusted identity providers would be a slow and cumbersome process if done manually. To avoid this, eIDAS makes use of the EU STORK project.

STORK provides a framework for cross-border eIDs by identifying a primary source of information within each country, which can then act as a proxy towards the other EU Member States. SigningHub can connect with one or more STORK v2 Pan-European Proxy Services (PEPS) to gain automatic recognition of any trusted eID across the EU.

SigningHub's eSignature process

In terms of the actual e-signing process, SigningHub supports advanced long-term digital signatures using unique keys for every single one of its users. Additionally, SigningHub is the only global digital signature platform which supports Qualified Signatures across all of the following devices:

  • Server-side signing: the user's keys are held securely inside a trusted, tamper-resistant Hardware Security Module (HSM) attached to the SigningHub service. Access to the signing key is only granted after strong two-factor authentication of the user, and signing is conducted in a secure environment.
  • Local signing: the user's keys are held on a Qualified Signature Creation Device (QSCD) in the form of a trusted smartcard or USB token.
  • Mobile signing: the user's keys are held on a mobile device, either in software or in secure tamper-resistant hardware.

Click on the following to learn more about the SigningHub legality, security and interoperability capabilities. A full set of features is described here.

The new eIDAS Regulation has the capability to remove the previous hurdles to cross-border recognition of eIDs and eSignatures. It provides a framework for finding and sharing such information so that an EU-trusted Digital Single Market becomes a reality.

Contact us to learn more about how we can help ensure your electronic signing of documents can remain secure, legally-compliant and interoperable across the EU.
