The eIDAS Regulation: A primer
What is the eIDAS Regulation?
Regulation (EU) No 910/2014 (the eIDAS Regulation) went into force on 1 July, 2016 having ‘direct effect’—in other words, being mandatory and wholly adopted in all EU member states, with precedent over any conflicting national laws. It replaces the eSignature Directive (1999/93/EC) and establishes an EU-wide legal framework for electronic signatures and a range of newly defined electronic “trust services”.
The eIDAS Regulation’s intent is to enable convenient and secure electronic transactions across EU borders for citizens, businesses, and public sector institutions.
Frequently asked questions about eIDAS
Electronic signature definitions in the EU
The eIDAS Regulation defines three types of electronic signature – electronic signature as a type of signature, and advanced and qualified electronic signatures:
-
Electronic signature, as defined under eIDAS, covers the broad category of all electronic signatures’ including “any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” In other words, it is an electronic form of signature that a signer can apply to a document as evidence of their acceptance or approval. This could include a scanned signature image or the click of an “I accept” button on a website or a DocuSign electronic signature.
-
An advanced electronic signature is a type of electronic signature that must meet specific requirements providing a higher level of signer ID verification, security, and tamper-sealing. The Regulation requires that it is:
-
Uniquely linked to the signer
-
Capable of identifying the signer
-
Created using signature creation data that the signer can use under their sole control
-
Linked to the signed data in such a way that any subsequent change in the data is detectable
-
-
Finally, a qualified electronic signature is the only electronic signature type to have special legal status in EU member states, being the legal equivalent of a written signature. It is a specific type of electronic signature that must meet advanced electronic signature requirements and be backed by a qualified certificate, meaning a certificate issued by a trust service provider that is on the EU Trusted List (ETL) and certified by an EU member state. The trust service provider must verify the identity of the signer and vouch for the authenticity of the resulting signature. Stringent signer identification and signer certificate requirements can make qualified electronic signatures impractical for many business transactions.
The eIDAS Regulation also regulates the creation and verification of electronic seals. These may only be issued to and used by legal persons (e.g. corporations).
Admissibility and legal effect of electronic signatures under eIDAS
eIDAS ensures that each form of electronic signature is admissible as evidence in EU courts and shall not be denied legal effect solely because it is in electronic form.
The enforceability of a transaction concluded using electronic signatures will depend on a variety of factors, including the type of signature used and the evidence embedded in it. As an example, a typed name at the bottom of an email is more likely to be successfully challenged than a qualified electronic signature meeting multiple EU technical standards, including being backed by a Trust Service Provider (TSP), regulated by an EU member state, and containing significant embedded signer information.
The eIDAS Regulation does not dictate when a signature is actually needed for a transaction or what type of signature is necessary. This means that each EU member state must specify in its laws when a particular transaction (i) cannot be signed electronically or (ii) needs a higher form of electronic signature such as an advanced or qualified electronic signature.
A qualified electronic signature has the equivalent legal effect of a handwritten signature and enjoys mutual recognition in every EU member state. But, in fact, it is uncommon that a member state (or its courts) will use a qualified electronic signature to authenticate a transaction. Legal restrictions requiring other specific types of signature or preventing the use of electronic signature are equally uncommon.
Here’s the good news: no specific type of electronic signature is legally required for the overwhelming majority of corporate, commercial, consumer, HR, and financial transactions under EU law. An exemplary list of transaction types that require Qualified or Advanced electronic signatures, along with electronic signature exclusions is available in DocuSign’s eSignature Legality Guide.
eIDAS and European electronic signature technology standards
Like its predecessor, the eIDAS Regulation is technology neutral. However, trust service providers certified against European Commission-recommended technical standards for electronic signature are ‘presumed compliant’ with eIDAS. In practice, the majority, if not all member states, require their qualified trust service providers to meet these technical standards before inclusion on the EU Trusted List.
These technical standards provide the foundation for regulating and certifying EU trust service providers, including standards for:
-
Specifications for the different eIDAS-defined electronic signature types, including Advanced and Qualified Electronic Signatures
-
Specifications for the certification and management of Trust Service Providers, as well as the EU Trusted Lists
-
Technical specifications for electronic ID and their assurance levels
eIDAS and European electronic signature technology standards
DocuSign’s standards-based signatures portfolio offers a range of methods to verify signer identities of signatories and is independently certified against European Commission-recommended technology standards. It provides a one-stop shop for all types of electronic signatures defined under eIDAS, including advanced and qualified electronic signatures.