There is a big change coming in terms of the legal recognition of electronic signatures in Europe: the new eIDAS Regulation, which will replace the old 1999 EU Directive on Electronic Signatures. To help you understand the new landscape we have put together a summary of what the new Regulation promises in terms of making cross-border trusted communication easier, and of how we are ensuring our SigningHub platform remains the ideal vehicle for providing trusted online signing services.
Why was eIDAS needed?
Electronic identification (eID) and electronic Trust Services (eTS) are recognised by the European Parliament leaders as essential building blocks for the Digital Single Market.
For several years the European Parliament has been working on a replacement for the original EU Directive on Electronic Signatures (eSignatures Directive 1999/93/EC). Although this original Directive recognised e-signatures as legally binding and promoted a certain class of signatures (popularly referred to as Qualified Signatures) as being equivalent to hand-written ink signatures in a court of law, the issue was that each EU Member State interpreted the Directive differently. This led to a confusing situation where end-users needed to support multiple different signature creation and verification techniques in order to interoperate with parties in each EU Member State.
This went against the whole premise of e-signing, which was to cut red tape and make business easier. The EU’s goal has always been for citizens to be able to conduct secure cross-border electronic transactions and take full advantage of their rights across the EU, from the enrolment in a foreign university to the access to electronic health records.
The main problem in the original eSignatures Directive was the gap in the area of e-identification services. Each Member State had its own mechanisms and levels of assurance for identifying users online, and these were not mutually recognised across Europe.
What does eIDAS promise?
The new Regulation on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market (referred to as eIDAS - electronic IDentification and Authentication Services) was published as Regulation (EU) No 910/2014 on 28 August 2014. Most of its provisions will take effect from 1 July 2016; at that point it will repeal the existing eSignatures Directive and will also automatically replace any inconsistent national laws in Europe.
The objective of the Regulation is to:
- allow both natural and legal persons (e.g. companies) to use their nationally-recognised electronic identities (eIDs) in other EU countries to access e-gov services – with also the possibility of private sector take up on a voluntary basis.
- create a single digital market within the EU for e-Trust Services, by ensuring that such services will work across borders and have the same legal effect as traditional paper-based processes. Legal certainty is an important prerequisite for businesses and citizens before they start interacting digitally.
The new eIDAS Regulation provides a legal framework to support the EU-wide recognition of eIDs used by Member States. Each Member State can identify the eID methods it uses internally and the assurance levels associated with those electronic identities. This means that if you hold a government-issued or government-recognised eID card (e.g. the Belgian eID card), then under the new eIDAS Regulation you will be able to use your card as a formal method of online authentication in other Member States. Initially this will be for other e-government services, but if successful the private sector will surely also come on board voluntarily – especially if it delivers on the promise of making business deals more efficient, faster and lower cost, as well as opening up business services to users across the EU.
In addition to plugging the cross-border eID recognition gap, the eIDAS Regulation builds on the definition of Qualified Electronic Signatures from the original EU Directive. It now allows the use of server-side signatures (i.e. where the signer's key is held securely on a trusted server rather than locally under the sole control of the owner) and also mobile-based signatures. The security requirements are essentially the same as before, although they are now clarified and specified in more detail.
The Regulation also introduces a set of new e-Trust Services (eTS), namely:
- E-Seals: these are digital signatures which can be applied by legal persons, e.g. companies (as opposed to e-signatures, which are only for natural persons). This leads to the concept of Qualified e-Seals applied automatically by companies, for example for signing e-invoices, e-statements or e-bills.
- Time-stamping service: to bind data to a trusted timestamp in order to independently prove when a particular transaction took place.
- Electronic Registered Delivery service: to prove that an identified sender sent an electronic document at a particular date and time, and that it was received without change by the identified recipient at a particular date and time.
How SigningHub Complies with eIDAS
The power of SigningHub's flexible and open architecture is that it can incorporate multiple external e-Identity Providers (IdPs). Therefore, rather than relying on us as the identity provider, you can rely on trusted government issuers of electronic identity for your e-signatories.
Using this approach, the eID providers notified by EU Member States can be registered on SigningHub as trusted authorities. SigningHub not only recognises multiple X.509-based identity providers in the form of Certificate Authorities (CAs), but also supports the SAML v2 protocol for connecting with external IdPs. Where the user already holds a Qualified digital certificate from a CA, this can be used within SigningHub; alternatively, a certificate can be created automatically as part of the user registration process. SigningHub can connect with multiple trusted CAs for this user certification process.
Furthermore, identifying and registering each Member State's list of trusted identity providers could be a slow and cumbersome process if done manually. To avoid this, eIDAS makes use of the EU STORK project, which provides a framework for cross-border eIDs by identifying a primary source of information within each country that can then act as a proxy to other EU Member States. It is possible for SigningHub to connect with one or more STORK v2 Pan Europe Proxy Servers (PEPS) to gain automatic recognition of any trusted eID across the EU.
In terms of the actual e-signing process, SigningHub supports advanced long-term digital signatures using a unique key for every one of its users. Additionally, SigningHub is the only global digital signature platform which supports Qualified Signatures across all of the following devices:
- Server-side signing: the user's keys are held securely inside a trusted, tamper-resistant Hardware Security Module (HSM) attached to the SigningHub service. Access to the signing key is only granted after strong two-factor authentication of the user, and signing is conducted in a secure environment.
- Local signing: the user's keys are held on a Qualified Signature Creation Device (QSCD) in the form of a trusted smartcard or USB token.
- Mobile signing: the user's keys are held on a mobile device, either in software or in secure, tamper-resistant hardware.
The new eIDAS Regulation has the potential to remove the previous hurdles to cross-border recognition of eIDs and e-signatures. It provides a framework for finding and sharing such information so that a trusted EU Digital Single Market becomes a reality. Contact us to learn more about how we can help ensure that your electronic signing of documents remains secure, legally compliant and interoperable across the EU.