New eIDAS Regulation
It’s a new eIDAS whose time has come. On July 1, 2016, the all-new 910/2014 EU regulation on electronic identification and trust services (eIDAS) goes into effect. It replaces the 28 national laws on e-signatures that are currently based on the 1999/93 EU directive on a Community framework for electronic signatures. eIDAS is more than just a replacement of these laws: it establishes a new, comprehensive legal framework for e-signatures, as well as for e-identification, e-seals, e-timestamps, e-documents, e-delivery services, and website authentication.
The Significance of the eIDAS Regulation for E-signing
eIDAS enables organizations to go digital for both identification and signing processes. It also creates an internal European market for secure cross-border electronic transactions. The ability to introduce, or expand, the use of electronic signatures is particularly beneficial for businesses running multi-national operations across multiple channels. eIDAS impacts many industries, including banking, insurance, and telecommunications. All of these industries seek options for executing trustworthy remote transactions with their customers that also allow them to verify their customers’ identities, as required by the 849/2015 EU directive on anti-money laundering.
One primary objective of eIDAS is to legally allow new processes for remote signing based on electronic identities (eIDs), instead of traditional face-to-face identification methods that require physical, government-issued identification, such as a passport. eIDAS also lowers barriers for trust service providers (TSPs) to issue certificates for signing with advanced or qualified electronic signatures. Identification can now be carried out remotely, and signature creation no longer requires dedicated hardware such as smart cards and card readers.
eIDAS is a catalyst for the adoption of remote (server-side) signing, making this approach simpler as well as legally accepted. The traditional approach of signing locally will likely continue to struggle for broader acceptance, both because of the investment required in specialized hardware and because it does not follow the trend of conducting business transactions on mobile devices.
EU E-Signature terminology 2016
eIDAS comes with much-needed streamlining of e-signing terminology, which makes it easier for businesses to identify the elements of e-signature use that relate to their specific business goals and practices. In Article 3, the regulation defines three levels of e-signature: e-signature, advanced e-signature, and qualified e-signature.
- An electronic signature is defined as data in electronic form that is attached to, or logically associated with, other electronic data and that is used by the signatory to sign.
- An advanced electronic signature (AES) is defined as a signature that is uniquely linked to the signatory, is capable of identifying the signatory, and is created using e-signature creation data that the signatory can, with a high level of confidence, use under his or her sole control. An AES is linked to the signed data in such a way that any subsequent change to that data is detectable.
- A qualified electronic signature (QES) is defined as an advanced electronic signature created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures, which is issued by a qualified trust service provider.
Note: Devices used for signing with qualified e-signatures (QES) must be certified as qualified signature creation devices (QSCDs) by national supervisory bodies in the EU.
How SignDoc complies with eIDAS
SignDoc can be easily combined with eIDs and with certificates provided by TSPs to sign documents legally and in a trustworthy manner. SignDoc enables organizations to choose from various identification methods, so businesses are no longer exclusively tied to a particular trust service provider. This flexibility permits organizations to tailor their processes to meet regional requirements and preferences. Solution architects may opt to integrate various ID verification solutions, such as video conferencing, IDs on SIM cards, or eIDs on smart cards.
Several barriers to the adoption of on-demand e-signing with QES have fallen in some EU countries, making on-demand e-signing a reality. The result? The identification process is no longer limited to physical, face-to-face identification, and the signing process no longer requires additional hardware.
SignDoc supports eIDAS-compliant signing on both the server side and the client side.
- Server-side (remote) signing: A user’s keys are held securely inside a Hardware Security Module (HSM) or a cloud-based service connected to the SignDoc server. Multi-factor authentication methods provide additional security when using server-side signing, e.g., one-time passwords (OTPs) delivered via SMS to mobile devices, or FIDO tokens.
- Client-side (local) signing: A user’s keys and certificates are typically stored on hardware such as a token, for example a smart card operated with a card reader. Alternatively, certificates are sometimes stored on a user’s PC, for example in the Windows Certificate Store. All of these certificates can be used for signing documents with Kofax SignDoc.
A typical use case in which SignDoc may be operated in combination with eIDs and TSPs under eIDAS is the on-boarding of a new customer applying for a consumer loan.
Civil or commercial law in some EU countries limits the use of e-signatures for this particular business process to QES.
Interested in building e-signature best practices for your organization? Get your copy of Global E-Signature Law, Best Practices for Assessing Risk eBook now.