Electronic signatures present a huge potential for businesses to improve their operations, create better customer experiences, improve security, and increase potential revenue. E-signature technology now offers cross-border recognition of electronically-signed documents, and instant verification of signer identities and document authenticity – which are essential for businesses operating in increasingly digital and mobile environments.
However, transitioning to e-signatures brings a number of challenges, both regulatory and operational, that businesses need to be aware of. With e-signature adoption increasing, and it becoming mandatory for businesses to recognise electronic identities (eIDs) from mid-2018, it is crucial organisations prepare themselves now.
The changing e-signature landscape
Adoption of e-signatures is still uneven across different industries. A lack of technology standards has been an issue, as has the fact that e-signatures historically have not had the same legal standing as handwritten signatures.
Major changes are underway: this year the EU’s new regulation on electronic identification (eIDAS) became legally binding. The regulation provides a common legal framework for understanding and categorizing e-signature processes; makes it easier for citizens and businesses within EU member states to understand and use e-signatures; and gives e-transactions and other e-signed documents the same legal status as paper documents.
What’s more, this summer also saw Adobe help launch the Cloud Signature Consortium, a group of leading industry and academic organisations brought together to build a new open standard for cloud-based digital signatures across mobile and web. The aim of the initiative is to make electronic signing consistent, secure and scalable, so that anyone can sign digital documents from any digital channel or device.
Under eIDAS, only certain business entities, called Trust Service Providers (TSPs), will be able to issue digital IDs that can be used to create legally verifiable “qualified electronic signatures”. eIDAS establishes a common foundation for mutual recognition of electronic signatures across EU member states, making qualified electronic signatures compatible across all 28 participating EU countries and within the 236 trust providers recognized by the EU.
By providing legal and regulatory standardisation around e-signatures, the eIDAS regulation lays down a predictable legal structure for individuals, companies (in particular SMEs), and public entities to safely access services and conduct transactions online and across borders in just “one click”. With this framework, businesses across Europe can finally and confidently embrace digital transformation with electronic signatures.
Classification of e-signatures
Any business that utilises e-signatures will have to be eIDAS-compliant, and so it is crucial that owners become familiar with the new legislation, and review and identify which business processes need to be updated for compliance.
eIDAS considers three categories of e-signatures, and defines a class of providers—called Trust Service Providers (TSPs)—who offer electronic IDs, time stamping, and other services that support electronic signatures. It goes into significant detail about security requirements, burden of proof, rules for mutual recognition, and supervision of TSPs. eIDAS offers a standardised mechanism for a business or corporate entity to understand the legal standing of the signatory, based on the following signature categories:
- Electronic Signatures
An electronic signature under eIDAS is data in electronic form attached to or logically associated with other data, and which is used by the signatory to sign a document. eIDAS provides that an electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely based on the fact that it is in electronic form. In other words, courts cannot discard them as evidence only because they are electronic, a legal principle called non-discrimination.
- Advanced Electronic Signatures
Advanced signatures are a specific type, or a subset, of the larger category of electronic signatures. They are: uniquely linked to the signatory; capable of identifying the signatory; created using data that the signatory can use under his sole control; and linked to the signed document in such a way that any subsequent change is detectable. This requirement can be met with a specific type of digital ID, called a “certificate”, which is typically issued by a Trust Service Provider.
- Qualified Electronic Signatures
Qualified signatures are a very specific form of advanced signature, and they are the only signatures defined in eIDAS that have the equivalent legal effect of a handwritten signature. They’re also the only type that will be automatically recognized by other member states. For businesses to work with Qualified Electronic Signatures, the signer needs to work with a certificate-based digital ID issued by a Trust Service Provider that has been specifically accredited in a member state. In addition, qualified signatures require the use of a qualified signature creation device. For example, the certificate is stored on a smart card, and the signer uses a smart card reader when signing the document.
When it comes to e-signatures, qualified electronic signatures really are the gold standard. These tend to apply to document processes that have high monetary value or where the risk associated with identity fraud is too high to bear. Processes related to government benefits or clinical research are good examples. This category also applies to any business process where applicable law requires, exceptionally, a specific form with a handwritten signature. Examples of these types of exceptions are employment termination proceedings in Germany or the transfer of real estate in some countries.
The majority of the use cases, however, don’t require written forms, with businesses typically having the flexibility to utilize Advanced Signatures. These require that each signer have a certificate-based digital ID, which may be practical for employees or favoured business partners, but is more difficult to implement when working with new customers, partners, or the public at large.
The eIDAS legislation also introduces the idea of “electronic seals”: with eIDAS, only an individual person can use an electronic signature. A legal entity, such as a business, cannot. The business can, however, “seal” a document to ensure certainty of a document’s origin and integrity.
Preparing for the future of e-signatures
It will be mandatory for businesses to recognise electronic identities (eIDs) from mid-2018. A business that is unprepared for the eIDAS regulation may find that it risks restricting potential customers and partners, as it will not be able to facilitate long-distance digital signing or legally verify documentation due to the absence of the right technical infrastructure. And beyond the potential loss of new trade, a business may face legal repercussions for failing to comply with eIDAS adequately.
Any business using e-signatures will, naturally, also have to be compliant with the Data Protection Act, which governs data security and compliance for a new breed of business services which are increasingly based on the Cloud. Regardless of its size, any business handling personal data is responsible for its protection.
Besides regulatory concerns, business owners will also have to evaluate which technologies can best advance this transition by engaging with the specialist vendor community, which can provide expert counsel on compliant solutions. Doing so will enable them to test their in-house expertise and verify that their current and planned technologies will continue to operate within regulatory boundaries.
With the arrival of eIDAS, businesses have been given the flexibility to deploy electronic signature solutions that meet their specific requirements. The use of e-signatures is only set to grow, as businesses continue to operate in an increasingly connected environment. By ensuring compliance as early as possible, businesses can better guarantee that they won’t be superseded by more agile, technologically savvy competitors, while having the capability to conduct cross-border business securely and safely.