Tasked with harmonising the disparate member state legislation that implemented the eSignatures Directive (Directive 1999/93/EC), Regulation (EU) N°910/2014 (the “eIDAS” Regulation) became effective 1 July this year.
The eIDAS Regulation repeals the eSignatures Directive and contains specific provisions governing electronic identification, trust services, and a range of online authentication methods, including electronic signatures, seals, time stamps, and registered delivery services. The new rules are a step in furthering the development of the Digital Single Market, improving trust in digital authentication methods, and breaking down the barriers to online trade and the provision of digital goods and services.
The eIDAS Regulation distinguishes between three types of eSignature:
- Electronic signatures

  These shall not be denied legal effect or admissibility as evidence in legal proceedings based purely on the fact that they are in electronic form.

- Advanced electronic signatures

  These allow unique identification of the person who signs the document, and act as a tamper-evident seal which can reveal any unauthorised changes to its content. Such signatures can now be provided on mobile devices, as well as on traditional desktop computers.

- Qualified electronic signatures

  Similar to advanced electronic signatures but with increased security, these are based on ‘Qualified Certificates’ which can only be issued by a Certificate Authority duly accredited and supervised by EU member state designated authorities, tasked with ensuring that the requirements of eIDAS are met. Qualified Certificates must be stored on a qualified signature creation device (such as a USB token, a cloud-based trust service, or similar). This is the only type of signature which has the equivalent legal effect of a handwritten ‘wet ink’ signature, and ensures mutual recognition across the EU.

Qualified electronic signatures provide a higher level of security (e.g., the signing process creates a tamper-evident seal), which, combined with their mutual recognition across the EU, gives rise to a variety of different applications. For example, they could be particularly beneficial in the mHealth and FinTech industries; they provide a secure method of obtaining the consent of mobile app users for processing their sensitive personal data.
The eIDAS Regulation is a welcome update to the 17-year-old eSignatures Directive, which struggled to cater to the demands of an increasingly digital European economy.