The eIDAS Regulation was established to enable convenient and secure digital transactions in all EU Member States. Are you wondering how your company can adhere to the eIDAS Regulation? We will guide you through the eIDAS Regulation in eight bullet points.
The eIDAS Regulation No 910/2014 entered into force on 1 July 2016. It has ‘direct effect’ and is therefore mandatory, taking precedence over any conflicting national laws. It replaces the older eSignature Directive and paves the way for a legal framework for electronic signatures and other newly defined qualified trust services. The eIDAS Regulation applies to all secure electronic interactions between citizens, businesses and public sector institutions in the EU market.
The following bullet points will tell you everything you need to know to comply with the eIDAS Regulation:
1. Mutual recognition across borders
The online services of a public-sector body from an EU Member State should be secured with an electronic authentication process that is in compliance with the relevant country’s laws and administrative practices. The identification process will be recognized by any other EU Member State if the following criteria are met:
- The identification process has been provided by a system that has been publicly listed by the European Commission and complies with Article 9 of the eIDAS Regulation.
- The security level of the identification process is equal to or higher than the specifications required by the public-sector body.
- The relevant public-sector body uses a significant level of security.
2. Cooperation and interoperability
The electronic identification process used by each Member State will be considered interoperable when:
- The identification process is technologically neutral and will not exclude the technical solutions for electronic identification of any other Member State.
- The identification process follows international and European standards, where possible.
- The identification process supports the principle of ‘privacy by design’ and processes personal data as stipulated in Directive 95/46/CE.
3. Obligations of trust service providers
Providers of certification services are considered ‘trust service providers’, offering services such as electronic signatures, digital seals, certification and timestamps. The eIDAS Regulation states that trust service providers are obliged to:
- Avoid and minimize the impact of security breaches and inform the affected parties of possible negative effects.
- Notify the supervisory body and other national bodies responsible for information security and data protection if a security incident occurs.
4. Legal value of electronic signatures
An electronic signature has the same legal value as a handwritten signature and has to be equally accepted. Therefore, an electronic signature shall not be denied as acceptable evidence in legal proceedings just because it is in a digital form.
An accredited digital signature based on a licensed certificate issued in one Member State shall be accepted as a qualified electronic signature in any other Member State.
The eIDAS Regulation does not specify when a signature is actually needed for a transaction or what type of signature is necessary. For the majority of corporate, commercial, consumer and financial transactions there is no need for an electronic signature.
5. Legal value of digital seals
As with electronic signatures, eIDAS states that digital seals, and data sent and received using an electronic registered delivery service, cannot be denied legal effect and admissibility as evidence in legal proceedings just because they are in electronic form. The date, time and data of a document with a qualified digital seal enjoy the presumption of accuracy.
With a digital seal, you can protect your business against fraud. The receiver of a digitally sealed document can trust that the document has not been altered and that its source is identified. With paper documents, by contrast, we often readily accept that the content is untampered and the source is the proclaimed one, even though fraud with paper documents remains quite problematic, e.g. invoice fraud where bank numbers are changed and the invoices are then resent to their original recipients.
Do you want to ensure your documents are eIDAS compliant and contain a qualified digital seal from a qualified trust service provider? Here are 8 advantages the DocShifter solution has to offer for digital sealing.
6. Legal value of digital time stamps and registered delivery services
A digital time stamp represents the date and time of the computer on which a digital document was signed and/or sealed. The date and time of this computer are taken to time stamp the event. A certified time stamp eliminates possible fraud involving the date and time at which a digital seal was created. Examples of time-based fraud are numerous and include Enron (falsification of financial statements) and Parmalat (backdated bogus letters from Bank of America).
Similar to digital time stamps, qualified delivery services enjoy the presumption of data integrity. The quality of service of an electronic registered delivery certificate is guaranteed by the identified sender, the receipt by the recipient and the record of the sending and receiving time and data.
7. Standards for website authentication services
Following the eIDAS Regulation, qualified authentication websites should meet the following standards:
- There must be an indication that the certificate has been validated as a qualified certificate for website authentication.
- A set of data is needed that represents the qualified trust service provider, including the Member State in which that provider is established and, in the case of a natural person, the person’s name.
- The certificate should contain elements like the address of the entity to whom the certificate is issued.
- Details like the certificate’s period of validity should be added.
- The certificate must mention an identity code which is unique for the qualified trust service provider.
8. EU trust mark for qualified trust service providers
Trust service providers can acquire an EU trust mark for qualified providers that indicates that their trust services appear on the trusted list as mentioned in Article 22.
The intention of the eIDAS Regulation is to allow qualified trust services and transactions between EU Member States. The regulation establishes guidelines and mechanisms that streamline digital transactions between Member States, thereby securing the future of the Digital Single Market.
If you have more questions about the DocShifter Solution for eIDAS, you can contact our eIDAS experts for a personal chat.