eIDAS regulation: everything you need to know

Since 1 July 2016, the provisions on trust services under the eIDAS Regulation (Regulation (EU) No 910/2014) have applied directly in the 28 Member States. What has this changed?

What has changed with regard to the eSignature Directive? How is it supposed to benefit users: citizens, businesses and public administrations?

Legal effect of electronic signatures. Since 1 July 2016, when the trust services provisions of the eIDAS Regulation began to apply, an eSignature can only be used by a natural person to “sign”, i.e. mainly to express consent to the data on which the eSignature is placed. This is a significant difference from the eSignature Directive, where the eSignature, which could also be used by legal persons, was defined as a means of authentication. Thus, under eIDAS, the “signatory” is a natural person who creates an eSignature, and certificates for eSignatures can no longer be issued to legal persons. Instead, legal persons can use certificates for eSeals, the aim of which is not to sign but to ensure the integrity and origin of data.

Other trust services. eIDAS regulates at EU level additional trust services which have emerged in a number of Member States since the eSignature Directive was adopted in 1999.

  • Electronic seals. These can only be issued to and used by legal persons to ensure origin and integrity of data/documents. An eSeal is therefore not an eSignature of the legal person. When a legal entity makes use of eSeals, it is recommended to set up an internal control mechanism ensuring that only the natural persons entitled to act on behalf of the legal entity can make use of the electronic seals (push the button on behalf of the legal entity).
  • Time stamping. Electronic time stamps are issued to ensure the correctness of the time linked to data/documents.
  • Verification and validation. Validation is an ancillary service to eSignatures and eSeals. It is the process confirming the validity of a (qualified) eSignature or eSeal. Such a process entails the verification that the requirements of the Regulation are met by a (qualified) eSignature or eSeal in order to confirm its validity. The Regulation also covers the verification and validation of certificates for website authentication.
  • Preservation of eSignatures, eSeals or certificates related to trust services. The eIDAS Regulation sets rules for the preservation of eSignatures, eSeals or certificates related to trust services. Preservation is different from electronic archiving, which is not a trust service under eIDAS. The two activities are distinguished by their objectives and by what they target:
    • preservation under eIDAS aims at guaranteeing the trustworthiness of a qualified electronic signature or qualified electronic seal over time. The technology underpinning this trust service therefore targets the electronic signature or seal;
    • electronic archiving aims at ensuring that a document is stored in order to guarantee its integrity and other legal features. The technology underpinning electronic archiving therefore targets the document. Electronic archiving remains the competence of Member States.
    • In other words, electronic archiving of documents and preservation of eSignatures and eSeals are different in nature, are based on different technical solutions (attached to the document or to the eSignature/eSeal) and differ in their purpose (conservation of the document vs preservation of the eSignature/eSeal).
  • Electronic registered delivery service. This is a secure channel for the transmission of documents that provides evidence of (the time of) sending and receiving the message. Nevertheless, the Regulation does not establish equivalence between (qualified) electronic registered delivery services and registered postal mail (registered items) as defined under the Postal Directive. Member States remain free to establish such equivalence at national level. In other words, when the law requires a specific procedure to be fulfilled by sending registered postal mail, using (qualified) electronic registered delivery services would meet this requirement only if national law has established the equivalence.

Rules on electronic documents. The eIDAS Regulation sets the principle of non-discrimination with respect to the legal effects and admissibility of electronic documents in legal proceedings. This is the first time that non-discrimination of electronic documents is regulated at EU level.

Differences between qualified and non-qualified trust services. From a legal point of view, both qualified and non-qualified trust services benefit from a non-discrimination clause as evidence in courts. In other words, trust services cannot be discarded by the judge solely on the ground that they are electronic. However, because of the more stringent requirements applicable to qualified trust service providers, qualified trust services provide a stronger specific legal effect than non-qualified ones, as well as higher technical security. Qualified trust services therefore provide higher legal certainty and higher security of electronic transactions.

Value, role and use of Trusted Lists. Under the eIDAS Regulation, national Trusted Lists have a constitutive effect. In other words, a provider/service is qualified only if it appears in the Trusted Lists. Consequently, users (citizens, businesses or public administrations) will benefit from the legal effect associated with a given qualified trust service only if that service is listed (as qualified) in the Trusted Lists. Trusted Lists are essential in ensuring certainty and building trust among market operators, as they indicate the status of the service provider and of the service at the moment of supervision, while aiming at fostering interoperability of qualified trust services by facilitating the validation of, among others, eSignatures and eSeals.

The information provided in this article is based on official EC data.