Q&A: What is eIDAS, anyway?

On 1st July, new regulations came into force that will affect the way digital transactions are conducted across Europe. The eIDAS legislation aims to make transactions across borders easier to complete. We spoke to Richard Oliphant, General Counsel EMEA at DocuSign, to hear his thoughts on how eIDAS will affect the public and private sectors, as well as EU citizens.

Why has the legislation around electronic signatures been updated?

The eIDAS Regulation has been introduced because the European Commission was dissatisfied with its predecessor, the E-signature Directive (1999).

The Directive was intended to establish a legal framework for electronic signatures and contribute to their cross-border recognition throughout the EU. However, the Directive was long on ambition and short on achievement. As a Directive, it gave EU Member States discretion over how they implemented its provisions into national law. This inevitably led to a disparity between national laws and a failure to agree upon common technical standards for electronic signatures made it difficult to do cross-border business.

Ultimately, the Commission concluded that the Directive was a barrier to fulfilling its flagship Digital Single Market (DSM) strategy. The DSM strategy is all about boosting cross-border e-commerce and enabling the digital economy to flourish. The Commission hopes that by creating a more predictable regulatory framework for what we must now call 'trust services' – including electronic signatures – it will advance the DSM.

It is also worth noting that technology has moved on since the Directive was enacted in 1999. Mobile and cloud technologies have emerged and the Directive had frankly become a bit dated. For example, it required that an 'advanced electronic signature' be created using means that the signatory can maintain under their sole control. Although the Directive was ostensibly 'technology neutral', the requirement for sole control was interpreted to mean a smart card or physical token. Now the Regulation offers the possibility for providers to use cloud technology and enable customers to generate and validate electronic signatures with a mobile device.

What is the key focus of the new eIDAS Regulation?

The aim of the eIDAS Regulation is to enable citizens, businesses, and public sector bodies to carry out convenient and secure electronic transactions across EU borders. This has two components: firstly, the Regulation will enable mutual recognition and acceptance of electronic identification schemes across EU borders; secondly, it will establish a common legal framework for an array of 'trust services' including electronic signatures, electronic seals, time stamping, electronic registered delivery services, and website authentication.

Unlike the Directive, the Regulation has direct effect in all 28 EU Member States. From 1 July 2016, it automatically replaced the Directive and will take precedence over any conflicting national e-signature laws. A new law, the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016, will also come into force on 22 July to revoke the Electronic Signature Regulations 2002 and modify the Electronic Communications Act 2000. This ensures that UK law is fully aligned with the Regulation.

Can you tell us a bit more about the different types of signatures that can be used and when they are applicable?

The Regulation defines three types of electronic signature – simple, advanced, and qualified.

A 'simple' electronic signature is defined as 'any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign'. In layman’s language, it is the electronic equivalent of a written signature that a signatory can apply to a document to signify his acceptance or approval. A typed name at the bottom of an email, a scanned PDF signature, the click of an 'I accept' button on a website and the standard signature generated via the DocuSign platform are all examples of a 'simple' electronic signature.

An 'advanced electronic signature' is a more sophisticated and secure form of electronic signature produced using encryption technology. The Regulation requires that it is: uniquely linked to the signatory; capable of identifying the signatory; created using signature creation data (i.e a private encryption key), that the signatory can use under their sole control; and linked to the signed data in such a way that any subsequent change in the data is detectable.

The final type of signature is a 'qualified electronic signature'. This is the gold standard and provides the highest level of admissibility and legal effect in the EU. Essentially, it is an 'advanced electronic signature' backed by a 'qualified certificate' issued by a trust service provider whose credentials appear in the EU Trusted List. The trust service provider must verify the identity of the signatory and issues the qualified certificate to provide assurance that the signatory is who it claims to be.

The vast majority of business and consumer transactions in the EU may be authenticated with a simple electronic signature. Nevertheless, there are some transactions which – as a matter of national law – may require an advanced or qualified electronic signature or the parties may choose these signatures because they afford more security and a higher level of authentication.

Who will be affected by the implementation?

The Regulation is to be welcomed. Although the Regulation is championing digital signatures (advanced and qualified electronic signatures), I do not think this will have a profound impact on the current market practice in the UK. The business community favours – and UK jurisprudence supports – the use of simple electronic signatures for transactions under UK law. Having said that, there are some industry sectors – notably banking and healthcare – where we have seen a marked preference for digital signatures and the Regulation may reinforce this trend.

I also think that the Regulation could potentially spur greater adoption of electronic and digital signatures by public sector bodies offering online services.

How do you think eIDAS will be beneficial from a business perspective?

The Regulation will establish a more predictable regulatory framework for electronic transactions. This will galvanise cross-border e-commerce and the digital economy, and further the DSM.

I anticipate rising demand from businesses for trust services and for secure electronic signature platforms like DocuSign. As I mentioned above, one of the innovations of the Regulation is that it opens the door for trust service providers to use cloud technology so customers can generate and validate electronic and digital signatures on the move using their smartphone or tablet. I think this can play a big role in driving the digital transformation of business in the UK and across the EU.

How has DocuSign prepared for the introduction of eIDAS?

In November 2015, DocuSign acquired the digital signature business of OpenTrust (now known as IDnomic). This gave us the ability to provide all three forms of electronic signature (basic, advanced, and qualified) to customers transacting business in the EU.

We have also launched our 'standards-based signature' initiative so that our electronic signatures are underpinned by best-in-class digital technology standards (X.509 PKI and ETSI among others).

Does eIDAS mean that organisations will be able to conduct all of their transactions electronically?

No. It is important to understand that the Regulation does not standardise EU laws on what form of signature is necessary for valid execution of an electronic contract.

The Regulation provides that a qualified electronic signature has the equivalent effect of a handwritten signature but otherwise leaves it to national law to define the legal effect of electronic signatures. This means that an EU Member State (or its courts) may prohibit use of electronic contracts for certain transactions and require a paper-process. In the UK, for example, a land transfer can only be registered with HM Land Registry if it is signed by hand. And, of course, in civil law countries such as Germany and Italy, some documents must be formally notarised in the presence of a public notary.

The exceptions are rare. Electronic signatures are valid for the vast majority of corporate, commercial, consumer, financial and HR transactions in the EU. For further guidance, readers may be interested in the e-signature legality guides on the DocuSign website which have been prepared by local lawyers covering EU Member States and other key jurisdictions including the US, China, India, Australia here.

Richard Oliphant, General Counsel EMEA at DocuSign

Image source: Shutterstock/iCreative3D