Blog Post Jan 17, 2022

Guide to the EU eIDAS Regulation and Ensuring Compliance

Navigating the complexities and requirements of digital transactions in Europe requires a strong understanding of the eIDAS regulation. This guide breaks down what eIDAS stands for, its significance, and how to ensure compliance.

Whether you’re a business operating within the EU or interacting with EU entities, mastering eIDAS can help ensure your digital identities are secured and keep you fully compliant.

What is the eIDAS Regulation?

eIDAS stands for "electronic identification, authentication, and trust services" and is the name for a European Union (EU) regulation for electronic signatures and transactions in the EU internal market, replacing directive 1999/93/EC. The eIDAS regulation and its implementing acts are law in all EU member states. Under the law, EU citizens and businesses can use their national electronic identification schemes (eIDS) when accessing online public services within other member states that use eIDS, promoting interoperability. This creates a European internal market for qualified trust service providers, increasing assurance levels by ensuring they will work across borders.

Beyond the EU, the eIDAS Regulation was adopted into UK law post-Brexit. Although it may not be instituted as law in other legal jurisdictions, it is not uncommon for non-European businesses or citizens to utilize eIDAS infrastructure if they have significant business or operations within participatory countries.

The eIDAS regulation establishes a legal framework for the provision and effect of many different electronic identification methods. It implements standards for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, and certificate services for website authentication. It gives those electronic transactions the same legal status as if they were conducted on paper with a handwritten signature and allows them to be included in legal proceedings.

Through the eIDAS Regulation, the European Commission provides for a broad electronic signature standard without any reference to a specific technology. This is a practice used to prevent limiting the development of technology. eIDAS sets minimum standards that can be updated as new practices are discovered and others are found to be insecure.

Another important regulatory framework enacted by the EU is the revised Payment Services Directive (PSD2). This directive, adopted in 2015, is a regulatory framework that ensures payment systems in the European Union are easy, efficient, and meet security requirements. It affects consumers, the private sector, and public administrations, and aims to create efficiency and innovation in an industry that has become stagnant.

eIDAS Compliance

The eIDAS regulation was originally established in 2014 but has been enforceable across the EU since July 1, 2016. The upcoming eIDAS 2.0 regulation aims to enhance the framework for electronic identification and trust services in the EU. It introduces the European Digital Identity (EUDI) Wallet, enabling streamlined digital transactions and identity verification across member states. While promising more secure and efficient online transactions, eIDAS 2.0 raises concerns about privacy, centralization, and potential government overreach in digital identity management.

Though the eIDAS regulation sets standards across various areas, the one most commonly encountered is its framework for electronic signatures.

Difference Between Digital and Electronic Signatures

First, it is important to note that there is a difference between a digital and an electronic signature, even though the two terms are commonly used interchangeably.

A digital signature always relies on cryptography-based technology. The signature is computed over the document's contents, so the content is bound to the signature and any change made after signing invalidates it.

An electronic signature can be the image of a manually drawn signature pasted for example in a Word document. The contents of a document are not always secure with this type of signature. In other words, a digital signature can be an electronic signature, but an electronic signature is not always a digital one.

The eIDAS framework specifically applies to electronic signatures and defines three types – simple, advanced, and qualified electronic signatures. Each type has different standards for validation.

Simple Electronic Signature (SES)

As defined by eIDAS, simple electronic signatures (or e-signatures) cover all the broad types of electronic signatures as data in electronic form, which are attached to or logically associated with other electronic data and serve as a method of authentication.

This is technology-neutral, which means any electronic form or technology has mutual recognition and is generally accepted. The resulting signature should demonstrate the intent of the signer, be made by the person associated with it, and be associated with the document the signer intended to sign.


Advanced Electronic Signature (AES)

An advanced electronic signature attaches authentication to the signature and the document. An AES must meet certain requirements on signer identity, security, and sanctity of the signed document. The requirements specified under eIDAS are:

  • It is uniquely linked to the signatory
  • It is capable of identifying the signatory
  • It is created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control
  • It is linked to the data signed in such a way that any subsequent change in the data is detectable
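The two properties that distinguish a digital signature from a pasted signature image, and that the AES requirements above demand (unique linkage to the signatory, and detectability of any later change), can be shown in a few lines of code. The following is an added example, not code from Sectigo or from the eIDAS text: it uses Go's standard-library Ed25519 and SHA-256 (an assumed algorithm choice; eIDAS itself is technology-neutral) and a constructed sample contract.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds one signatory's key pair. The private key is the
// "electronic signature creation data" that must stay under the
// signatory's sole control; the public key is what verifiers use.
type Signer struct {
	Public  ed25519.PublicKey
	private ed25519.PrivateKey
}

// NewSigner generates a fresh Ed25519 key pair for a signatory.
func NewSigner() (*Signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Public: pub, private: priv}, nil
}

// Sign produces a signature over the SHA-256 digest of the document,
// which is how document-signing formats typically bind a signature to
// the exact bytes that were signed.
func (s *Signer) Sign(doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(s.private, digest[:])
}

// Verify recomputes the digest and checks the signature against the
// signatory's public key. It returns false if the document was altered
// after signing or if the signature was made with a different key.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

func main() {
	alice, err := NewSigner()
	if err != nil {
		panic(err)
	}
	// Constructed sample document, standing in for a contract or form.
	contract := []byte("Constructed sample: supplier agrees to deliver 100 units at 10 EUR each.")
	sig := alice.Sign(contract)

	fmt.Println("original verifies:", Verify(alice.Public, contract, sig))

	// A pasted signature image would not notice this edit; a digital
	// signature does, because the digest no longer matches.
	tampered := []byte("Constructed sample: supplier agrees to deliver 100 units at 1 EUR each.")
	fmt.Println("tampered verifies:", Verify(alice.Public, tampered, sig))

	// The signature is also uniquely linked to Alice: Bob's key rejects it.
	bob, _ := NewSigner()
	fmt.Println("other signer verifies:", Verify(bob.Public, contract, sig))
}
```

What the code does not show is the part that makes a signature *advanced* or *qualified* under eIDAS: nothing here ties the public key to a verified identity, and nothing guarantees the private key sat in a device only the signatory controls. Those guarantees come from the certificate and the signature creation device, not from the mathematics.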

Qualified Electronic Signature (QES)

A Qualified Electronic Signature, like an AES, is uniquely linked to the signer and is based on Qualified Certificates. This is the highest assurance level, and a properly implemented QES is automatically considered the legal equivalent of a handwritten signature.

Qualified Certificates can only be issued by a Certificate Authority (CA), like Sectigo, that has been accredited and supervised by authorities designated by the EU member states and meets the requirements of eIDAS. Qualified Certificates must also be stored on a qualified signature creation device such as a smart card, a USB token, or a cloud-based trust service that can provide an EU trust mark. Qualified certificates typically contain electronic time stamps and other verification methods.
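The reason accreditation matters to a relying party is that a certificate is only as trustworthy as the CA that issued it: verification means building a chain from the signer's certificate to a CA the verifier already trusts. The following added example (not Sectigo's code, and not a qualified trust service) shows that check with Go's standard `crypto/x509` package. It constructs a stand-in root CA, issues one signer certificate from it, and tries to verify both that certificate and a self-signed certificate from an issuer nobody accredited. All names, the P-256 key choice, and the 24-hour validity are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issueCert generates a P-256 key and a certificate for subject. With a
// nil parent the certificate is self-signed (a root CA); otherwise it is
// signed by parent's key, which is how a CA issues an end-entity certificate.
func issueCert(subject string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: subject},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	issuer, issuerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		issuer, issuerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// IssuedByTrustedCA reports whether leaf chains to a CA in the trust store.
// A real relying party would populate that store from the EU trusted lists
// rather than constructing it in code as this example does.
func IssuedByTrustedCA(leaf *x509.Certificate, trusted *x509.CertPool) bool {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     trusted,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
	})
	return err == nil
}

// Demo builds the scenario: one constructed "accredited" root CA, one
// signer certificate it issued, and one self-signed certificate from an
// issuer nobody accredited. It returns both verification results.
func Demo() (issuedOK, selfSignedOK bool, err error) {
	root, rootKey, err := issueCert("Constructed Qualified Root CA", true, nil, nil)
	if err != nil {
		return false, false, err
	}
	signer, _, err := issueCert("Alice Example (constructed)", false, root, rootKey)
	if err != nil {
		return false, false, err
	}
	rogue, _, err := issueCert("Self-signed signer (constructed)", false, nil, nil)
	if err != nil {
		return false, false, err
	}
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	return IssuedByTrustedCA(signer, trusted), IssuedByTrustedCA(rogue, trusted), nil
}

func main() {
	issuedOK, selfSignedOK, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("certificate issued by the trusted CA accepted:", issuedOK)
	fmt.Println("self-signed certificate accepted:", selfSignedOK)
}
```

The self-signed certificate fails not because anything about it is malformed but because no trusted issuer vouches for the binding between the name and the key. Chain validation is only part of what a qualified signature validator does: it must also check revocation status and that the signing key was held on a qualified signature creation device, neither of which this example covers.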

When discussing QES, you may hear it also referred to as Qualified Electronic Seals. This is a different type of electronic authentication tool that serves a separate purpose. While a Qualified Electronic Signature is used to authenticate the identity of an individual, providing a legal equivalent to a handwritten signature, a Qualified Electronic Seal is intended to verify the integrity, authenticity, and legal validity of electronic documents companies and organizations issue or produce. Sectigo offers Certificates for Qualified Seals and PSD2 Seals for organizations that ensure compliance.

There is another type of qualified certificate, called a qualified website authentication certificate (QWAC), which is an SSL/TLS certificate that provides end-to-end data encryption between servers and clients, showing that behind a website or server there is a natural or legal person identifiable by trustworthy information. QWACs can be used by individuals as well as businesses or enterprises.

Why is eIDAS Important?

eIDAS provided a consistent legal framework for accepting electronic identities and signatures and established the legal effect of using these methods as well as their admissibility in legal contexts, which has become increasingly necessary in a digital world.

It provides many benefits to data protection and user experience including:

  • Decreased processes and overhead for EU member state businesses

  • Establishment of a degree of trustworthiness and security for cross-border transactions

  • Increased flexibility and convenience of EU online services

  • Forced transparency and standardization on the EU market

  • Assurance of accountability by enacting a framework for identifying a legal person in the digital realm

As European organizations comply with eIDAS, effects will be seen outside Europe. Any organization that has a European presence or does business with an organization within a European member state will find themselves forced to comply with the EU regulation on electronic identification and trust services.

How Do I Get an eIDAS Certificate?

For proper functionality, a QES must be created using a Digital Certificate purchased from a trust services provider, often a Certificate Authority (CA) such as Sectigo.

The trust service provider is responsible for a variety of duties before issuing the certificate. Its main responsibility is to verify and validate the identity of the person who is requesting a certificate. This can be accomplished through several methods. Trust service providers must also be able to securely store the data and certificates that they collect during their issuance process so that they can be verified later.

Additionally, they must constantly improve their cryptographic processes and practices to prevent forgery or improper issuance of their certificates. Trust service providers must also keep records of the certificates they revoke or deem invalid, so that the status of every certificate they have issued can be traced, and must identify the appropriate supervisory body to notify of any changes.

For Proper eIDAS Compliance, Choose Sectigo’s Trusted Solutions

Ensure your digital interactions are secure and legally compliant with Sectigo’s eIDAS compliant certificate solutions. Whether you're an individual needing secure personal identification or a business requiring robust document authentication, our range of qualified certificates keeps you compliant with all eIDAS regulations.