OneSpan has published a whitepaper that details how the eIDAS Regulation offers a range of possibilities for electronic signatures in the European Union.
eIDAS – also known as the 2014 Regulation on Electronic Identification and Trust Services for Electronic Transaction in the Internal Market – oversees electronic identification and trust services for electronic transactions in the EU’s internal market. It regulates electronic signatures and offers a safe way for users to conduct business online.
OneSpan highlighted eIDAS was one of the first successes of bolstering qualified electronic signature uptake after it replaced the 1999 Directive on Electronic Signatures when it came into existence in 2016. eIDAS defines the same three categories of e-signatures as the Directive did – including electronic signatures, advanced electronic signatures (AES) and qualified electronic signatures (QES).
According to OneSpan, while the original directive had not been the subject of any disputes, neither had it been a success – and its objective to enable the widespread of use of electronic signatures was not met.
In the whitepaper, the company highlights a key reason eIDAS changes the game on this matter is that while courts may accept any form of electronic signature as having legal effect, in the case of qualified electronic signature, the court has no choice but to accept it.
OneSpan mentioned that by introducing the eIDAS Regulation and leaving EU member states with no leeway for implementation or interpretation, they hope it will ensure that documents signed electronically will now be accepted throughout all member states regardless of national, legal or regulatory approaches.
OneSpan said, “Under eIDAS, an electronic signature includes any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signer to sign.
“Furthermore, an electronic signature cannot be denied admissibility in evidence or legal effect merely on the grounds that it is in electronic form or does not meet the requirements for qualified electronic signatures.”
Electronic identities
More than just supporting uptake of electronic signatures, OneSpan highlighted that eIDAS also addresses questions of electronic identities – even if it is only in the limited context of eIDs used for citizens interactions with public administration, such as accessing healthcare or paying taxes.
The whitepaper said, “No system of eIDs is mandated, since not all member states have any form of national ID card in place. Rather, for those member states that wish to have their eIDs recognized across borders, eIDAS seeks to ensure mutual recognition of existing eID schemes. To do this, it defines different identity assurance levels and obliges each member state to accept eIDs issued by another member state, provided that the eID meets the identity assurance level required for its service access.”
The company said this approach could be characterised as enabling rather than imposing harmonisation.
While the firm claims these solutions are therefore interoperable throughout the European community, it is likely to take some years before a majority of member states accept eIDS issued abroad as evidence of entitlement to access their public services.
OneSpan said, “Like the Directive, eIDAS does not affect the validity of existing signature arrangements within closed systems and is silent on the question of public administration. A number of member states carved electronic communications with public bodies out from their general laws implementing the Directive, but that will no longer be possible.
“Even in those member states that do not have eID schemes, it will be possible to sign official documents electronically.”
The whitepaper also discussed in detail that the proliferation of disparate national standards and systems for regulation and supervision of certification service providers was one reason why the original 1999 directive failed to encourage cross-border use of e-signatures – since member states devised widely divergent requirements for the sector.
OneSpan claims this particular finding is a key objective for eIDAS – to enable Trust Service Providers (TSP) of all forms to offer cross-border services, including suppliers of certificates, to support e-signatures.
OneSpan noted that it is considered necessary to prescribe legal and technical operation standards for all TSPs since they occupy a ‘unique’ position in any transaction in which consumers, citizens and businesses participate. The company also described there are two categories of TSPs – TSPs and QTSPs – the latter being a qualified trust service provider.
According to the company, a QTSP is a TSP that provides one or more qualified trust services, such as creation, verification and validation of qualified e-signatures and which is granted qualified status by a supervisory body nominated by a member state.
Alongside security requirements, the eIDAS regulation imposes liability of TSPs for any potential damage caused intentionally to any person through the TSPs failure to comply with its obligations.
However, OneSpan noted most member states already have national laws requiring particular categories of document to be signed, with legal requirements of signature for many corporate and banking documents – categories which are not in themselves harmonised under EU law and so will vary from country to country.
To manage this, the eIDAS regulation does harmonise the status of all documents in electronic form as admissible evidence – with OneSpan stating that no court can refuse to admit a document solely on that basis.
Copyright © 2021 RegTech Analyst
Copyright © 2018 RegTech Analyst
