What is a Digital Signature?
Digital certificate-based signatures (digital signatures) support your efforts to comply with current e-signature laws, local laws and technology preferences.
Electronic signatures and digital signatures are often used interchangeably, but digital signatures are actually a specific type of e-signature that offers additional verification of the identities of the parties involved in a transaction compared to simple electronic signatures.
So when do you need to use a digital signature instead of a standard electronic signature? For most use cases, customers, and locations, an electronic signature is sufficient. However, transactions in heavily regulated industries, in foreign countries or with governmental entities, may require or prefer digital signatures, which offer a heightened level of signer identity assurance compared to electronic signatures.
Digital signatures are based on a technology standard called Public Key Infrastructure (PKI), a widely accepted format that provides the highest levels of security. PKI is used to create a unique, tamper-evident “digital certificate” that associates a signer with a document and guarantees that the electronic document is authentic. Digital certificates indicate that the signers have completed extra steps to confirm their identities. A signer’s digital certificate is used to create the signature and then attach it to the signed document.
In the U.S., digital signatures are typically used in regulated industries like life sciences for compliance with the FDA’s requirements for electronic signatures, often referred to as 21 CFR Part 11. Another example is the US Federal Government, where federal employees can be issued a personal identity verification (PIV) card that contains a PKI digital certificate for signing that complies with the US Federal Processing Standards.
Around the world, there are international standards that specify requirements for digital signatures and the methods used to authenticate a signer. For example, in the Americas, it’s the Code of Civil Procedure in Brazil and Section 1803 of the Civil Code in Mexico. In Europe, it’s the European Union’s Electronic Identification, Authentication and Trust Services regulation (eIDAS). In Australia, it’s the Electronic Transactions Acts.
You can learn more about current e-signature laws, local laws, and electronic signature technology preferences for different countries in the Docusign E-Signature Legality Guide.
How does Docusign support signing around the world with digital signatures?
Docusign digital signatures support your efforts to comply with these regulations. Around the world, local regulation defines tiers of signatures and the terms Simple Electronic Signatures (SES), Advanced Electronic Signatures (AES) and Qualified Electronic Signatures (QES) are often used. There may be different names around the world but in general:
Simple Electronic Signatures (SES) are the most common form of electronic signature. They are traditionally used for everyday transactions where additional signer identity verification is not required. Docusign eSignature can largely address these requirements.
Advanced Electronic Signature (AES) adds an identity verification requirement, such as requiring the signer to upload a copy of their government-issued identity document. Signatures must be uniquely linked to, and capable of identifying, the signer. In the event of a dispute involving an AES, the burden of proving the validity of the signature lies with the signer.
Qualified Electronic Signature (QES) requires face-to-face, or equivalent, identity verification. The face-to-face identification can be live, in-person or via an audio/video connection. A QES is unique in that it’s considered legally equivalent to a handwritten signature under the European Union’s Electronic Identification, Authentication and Trust Services (eIDAS) regulation. A QES also shifts the burden of proof: the burden of proving the invalidity of the signature lies with the challenging party. Finally, the law on QES requires that every European member state accept the validity of a QES, even if it was executed in another member state of the EU.
Docusign is a Qualified Trust Service Provider (QTSP) in Europe, which means Docusign is authorized to issue Advanced and Qualified signatures across the European Union. Where that coverage does not extend, or to assist with region-specific regulations, Docusign accepts certificates issued by leading TSPs and Certificate Authorities (CAs) through its global network of tightly integrated Trust Service Providers.
A closer look at compliance with eIDAS in the EU
In the European Union, the eIDAS regulation defines the technical standard for electronic signatures at three levels: electronic signature (sometimes referred to as Simple Electronic Signature) and two digital signature levels called Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES). Under eIDAS, both AES and QES include an element of signer identity verification, with QES meeting the strictest requirements.
Let’s look at the difference between the three levels of signatures under eIDAS in more detail:
Electronic signature
According to Article 3 in eIDAS, an electronic signature is data in electronic form that is attached to or logically associated with other data in electronic form and which is used by the signatory to sign. Article 25 of the same law makes clear that electronic signatures shall not be denied legal effect simply because they are electronic.
Docusign eSignature meets the eIDAS requirement for electronic signature along with additional benefits such as powerful workflows, a comprehensive audit trail, over 400 pre-built integrations with commonly used business systems and support for 44 signing languages.
Advanced Electronic Signatures (AES)
According to eIDAS, an AES must meet the following requirements:
Be uniquely linked to the signatory.
Be capable of identifying the signatory.
Be created using electronic signature creation data that the signatory can, with a high level of confidence, use under his or her sole control.
Be linked to the data signed in such a way that any subsequent change in the data is detectable.
Docusign issues AES PKI digital signatures to satisfy the above requirements and provides flexible options to verify the identity of signers using Docusign ID Verification or using your established identification processes. Alternatively, Docusign connects to other TSPs you already work with.
Take Swedish law firm Cederquist, for example. Under Swedish law, certain transactions or processes require an advanced level of electronic signature in compliance with Europe’s eIDAS regulation. This level of signature can be achieved when combining a digital signature with the online Swedish Bank Verification. Integrating Docusign eSignatures with online ID verification has given Cederquist an edge in the legal sector.
Qualified Electronic Signatures (QES)
A QES is an even more secure version of an advanced electronic signature. Each QES includes a qualified digital certificate issued by a qualified trust service provider (QTSP). And since this requires face-to-face, or equivalent, identity verification of the signatory, QES is the only signature type in the EU that’s deemed legally identical to a wet signature. As a result, these types of signatures are often encouraged or required for high-value or highly sensitive transactions.
As a qualified TSP on the EU Trust List, Docusign offers multiple options for QES. For example, Docusign ID Verification Premier enables businesses to attain UK and EU eIDAS-compliant Qualified Electronic Signatures in minutes, by leveraging the latest in artificial intelligence technologies. Docusign accepts all qualified certificates issued by TSPs on the EU Trust List that your signer already possesses. Alternatively, Docusign integrates with several qualified TSPs of choice.
For example, KARIMI.Legal, a law firm based in Germany, chose to digitize certain paper-based processes to help reduce expenditure. By leveraging Docusign ID Verification Premier, the office is able to streamline processes while also remaining compliant with industry standards. This saves the commercial law firm hundreds of hours that were previously being used for collecting signatures by post. In addition, clients no longer have to come to the solicitor’s office for identification purposes.
While eIDAS and other regulations across the world clearly articulate the definition for electronic signatures, AES and QES, they don’t prescribe when to use each signature type. That’s why Docusign maintains a Docusign Legality Guide to highlight common use cases for 60+ countries.
Wondering whether your organization has the right digital signature types in place? Learn more in our whitepaper, Implementing Electronic and Digital Signatures with Docusign.
Yasamin Yousefi is a director of product marketing for Sign products at Docusign.