Blog Post Jan 17, 2022

Guide to the eIDAS Regulation and Compliance

Learn about the eIDAS regulation in Europe: what the acronym stands for, what the regulation covers, why it matters, and what it takes to be compliant.

What is the eIDAS Regulation?

eIDAS stands for "electronic identification, authentication, and trust services" and is the name for a European Union (EU) regulation for electronic signatures and transactions in the EU internal market, replacing directive 1999/93/EC. The eIDAS regulation and its implementing acts are law in all EU member states. Under the law, citizens and businesses can use their national electronic identification schemes (eIDS) when accessing online public services within other member states that use eIDS. This creates a European internal market for trust services by ensuring that they will work across borders.

Beyond the EU, the eIDAS Regulation was adopted into UK law post-Brexit. Although it may not be instituted as law in other legal jurisdictions, it is not uncommon for non-European businesses or citizens to use eIDAS infrastructure if they have significant business or operations within participating countries.

The eIDAS regulation establishes a legal framework for the provision and effect of many different electronic identification methods. It implements standards for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, and certificate services for website authentication. It gives those electronic transactions the same legal status as if they were conducted on paper with a handwritten signature and allows them to be included within legal proceedings.

Through the eIDAS Regulation, the European Commission provides a broad definition of an electronic signature without reference to any specific technology. This technology-neutral approach avoids constraining future technical development. eIDAS sets minimum standards that can be updated as new practices emerge and others are found to be insecure.

Another important regulatory framework enacted by the EU is the revised Payment Services Directive (PSD2).

eIDAS Compliance

The eIDAS regulation was originally established in 2014 but has been enforceable across the EU since July 1, 2016. As mentioned previously, it sets standards across various areas, and one commonly encountered standard is its framework for electronic signatures.

Difference Between Digital and Electronic Signatures

First, it is important to note that there is a difference between a digital and an electronic signature, even though the two terms are commonly used interchangeably.

A digital signature always relies on cryptographic technology. The content of the document is locked and secured when this type of signature is used: the signed content cannot be changed after signing without invalidating the signature.

An electronic signature can be as simple as the image of a hand-drawn signature pasted into, for example, a Word document. This type of signature does not necessarily secure the contents of the document. A digital signature is a kind of electronic signature, but an electronic signature is not always a digital one.

eIDAS’ framework specifically applies to electronic signatures and defines three types – simple, advanced, and qualified electronic signatures. Each type has different standards for validation.

Simple Electronic Signature (SES)

As defined by eIDAS, a simple electronic signature (or e-signature) is the broadest category: data in electronic form that is attached to or logically associated with other electronic data and that serves as a method of authentication.

This is technology-neutral, which means any electronic form or technology is generally accepted. The resulting signature should demonstrate the intent of the signer, be made by the person associated with it, and be associated with the document the signer intended to sign.

Advanced Electronic Signature (AES)

An advanced electronic signature attaches authentication to both the signature and the document. An AES must meet certain requirements on signer identity, security, and the integrity of the signed document. The requirements specified under eIDAS are:

  • It is uniquely linked to the signatory
  • It is capable of identifying the signatory
  • It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control
  • It is linked to the data signed in such a way that any subsequent change in the data is detectable

Qualified Electronic Signature (QES)

A Qualified Electronic Signature, like an AES, is uniquely linked to the signer, and in addition it is based on a Qualified Certificate. This type carries the highest legal weight: when properly implemented, it is automatically considered the legal equivalent of a handwritten signature.

Qualified Certificates can only be issued by a Certificate Authority (CA), like Sectigo, that has been accredited and supervised by authorities designated by the EU member states and meets the requirements of eIDAS. Qualified Certificates must also be stored on a qualified signature creation device such as a smart card, a USB token, or a cloud-based trust service that can provide an EU trust mark. Qualified certificates typically contain electronic time stamps and other verification methods.

There are different types of qualified certificates, including qualified website authentication certificates (QWACs).

Why is eIDAS Important?

eIDAS provided a consistent legal framework for accepting electronic identities and signatures and established the legal effect of using these methods as well as their admissibility in legal contexts, which has become increasingly necessary in a digital world.

It provides many benefits to security and user experience including:

  • Reduced process steps and overhead for EU member state businesses
  • Establishment of a degree of trustworthiness and security for cross-border transactions
  • Increased flexibility and convenience of EU online services
  • Forced transparency and standardization on the EU market
  • Assurance of accountability by enacting a framework for identifying a legal person in the digital realm

As European organizations comply with eIDAS, effects will be seen outside Europe. Any organization that has a European presence or does business with an organization within a European member state will find themselves forced to comply with the EU regulation on electronic identification and trust services.

How Do I Get an eIDAS Certificate?

A QES must be created using a Digital Certificate purchased from a trust services provider, often a Certificate Authority (CA) such as Sectigo. See Sectigo’s eIDAS certificate options.

The trust service provider is responsible for a variety of duties before issuing the certificate. Its main responsibility is to verify and validate the identity of the person who is requesting a certificate, which can be accomplished through several methods. Trust service providers must also be able to securely store the data and certificates they collect during the issuance process so that they can be verified later.

Additionally, they must continually improve their cryptographic processes and practices to prevent forgery or misissuance of their certificates. They must therefore keep records of the certificates they revoke or deem invalid so that they can track how all of their certificates are used, notifying the appropriate supervisory body of any changes.