The eIDAS regulation (No. 910/2014) defines three primary levels of e-signature: basic, advanced and qualified electronic signatures.
1. Basic level of e-signature with eIDAS compliance
The basic level of e-signature according to eIDAS can be described as data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.
The basic level of e-signature is technologically neutral. Thus, something as straightforward as ticking a checkbox on a digital form or typing your name under an email can amount to an electronic signature.
2. Advanced Electronic Signature
An advanced e-signature is an electronic signature that is additionally:
· Uniquely linked to, and clearly capable of identifying, the signee;
· Created in a way that allows the signee to retain sole control over it;
· Linked to the document being signed in such a manner that any subsequent alteration of the data is visible and detectable; any alteration makes the document invalid.
· Backed by a digital certificate that authenticates the identity of the signee and links the validation data to that same person.
To fully satisfy the above requirements for eIDAS compliance, use digital signatures based on a Public Key Infrastructure (PKI). With this kind of technology, each user has a unique PKI signing key and a digital certificate. The certificate acts as the user's "digital identity" and is embedded in every signature they create, binding the signatory's identity securely to their signed documents. Most notably, digital signatures are unique to the user and nearly impossible to forge or tamper with.
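To make the advanced-signature properties above concrete, here is an added example (not eSign Genie's code and not taken from the eIDAS text) written in Go with only the standard library: an ECDSA key stands in for the signatory's PKI signing key, and the signer name, contract text and altered contract are constructed sample values. It shows that the signature verifies for the original data, fails once a single figure is changed, and fails against anyone else's key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a signatory's unique signing key. In a real AdES deployment the
// public half is bound to the person's identity by an X.509 certificate.
type Signer struct {
	Name string
	key  *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair for the named signatory.
func NewSigner(name string) (*Signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, key: key}, nil
}

// Public returns the verification key that a certificate would carry.
func (s *Signer) Public() *ecdsa.PublicKey { return &s.key.PublicKey }
// Sign hashes the document and signs the digest with the private key, the
// "signature creation data" that must stay under the signatory's sole control.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.key, digest[:])
}

// Verify checks sig against pub. Any change to doc changes the digest, so the
// check fails: this is the tamper-evidence an advanced signature must provide.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, _ := NewSigner("Alice Example")                  // constructed sample signatory
	doc := []byte("Contract: party A pays party B 100 EUR") // constructed sample document
	sig, _ := alice.Sign(doc)
	tampered := []byte("Contract: party A pays party B 900 EUR")
	fmt.Println("original verifies:", Verify(alice.Public(), doc, sig))      // true
	fmt.Println("tampered verifies:", Verify(alice.Public(), tampered, sig)) // false
}
```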
3. Qualified electronic signatures
A qualified e-signature is a superior kind of e-signature based on a qualified certificate and created using a qualified signature creation device. According to eIDAS:
1. A Qualified Electronic Signature Creation Device (QSCD) must guarantee:
a) The confidentiality of the user's private signing key, which is used to create the signature.
b) That the data used for creating the electronic signature is unique and can practically occur only once.
c) Protection against forgery and duplication of signatures using currently available technology.
d) That the data used remains solely under the control of the signee, to prevent illegal and unauthorized use by others.
2. The signature creation device shall not alter or modify in any way the data meant to be signed.
3. The signature creation data that is created must be managed or overseen by a qualified trust service provider.
4. Without prejudice to point 1(d) above, qualified trust service providers may duplicate or produce a copy of the e-signature creation data, but only for backup purposes, and only if the following requirements are observed:
a) The security of the duplicated datasets must equal that of the original datasets.
b) The number of duplicated datasets must not exceed the minimum needed to guarantee continuity of the service.
eIDAS Compliance Summary
Bottom line: the e-signature creation data must be stored on a highly reliable, secure and assured device.
Also, as mentioned above, qualified e-signatures are created by qualified e-signature creation devices, based on qualified certificates. Qualified certificates can only be issued by a qualified CA that has been recognized and is supervised by authorities designated by the European Member States, and that conforms to the requirements of eIDAS.
This is the most significant and stringent requirement.
eSign Genie conforms to most of the prerequisites set by both Advanced and Qualified electronic signatures.
So, which signature level is best for you? That remains subjective; however, your legal advisor can give you more guidance around eIDAS compliance.