Trust in electronic transactions and e-signatures: the new EU "eIDAS" regime

Published on 15th Jan 2016

Who needs to know about the EU’s new electronic signatures regime?

For businesses already content with operating electronic signatures under the 1999 Directive on electronic signatures (the “E-Signature Directive”), the new e-signatures regime which comes into effect in July 2016 may not make a great deal of difference. But for those companies which have not moved to e-signatures – perhaps because of perceived difficulties in operating a single solution across borders – the 2014 Regulation on electronic identification and trust services for electronic transactions in the internal market (“eIDAS”) could make a difference.

Background: eIDAS will replace the E-Signature Directive

On 1 July 2016, eIDAS will come into effect throughout the European Union, replacing the E-Signature Directive. Being a Regulation rather than a Directive, eIDAS will be directly effective in Member States’ national laws without further implementing actions. 

Despite the extensive research and debate which went into the E-Signature Directive, it has been less effective than the European Commission hoped in harmonising the Member States’ approach to electronic signatures. 

There are various reasons for this. One is the complexity of the technical requirements it imposed in order for a signature to have guaranteed legal efficacy equal to that of a handwritten signature. Given that most Member States’ laws require very few documents to carry any form of signature at all, the infrastructure of advanced electronic signatures supported by a qualified certificate was simply too costly and unwieldy to achieve widespread uptake. 

The flaws in the E-Signature Directive have not noticeably held up the development of cross-border commerce in the EU. Since few documents are subject to a legal requirement of signature, and the Court of Justice of the EU (“CJEU”) has ruled that a ‘click-wrap’ agreement may be effective even if the clicker/signatory has not read the terms to which it purports to agree, most B2C transactions can perfectly well be completed without any of the complexity of handwriting-equivalent signatures. Meanwhile, large B2B transactions continue to be negotiated over a round or more of face-to-face meetings and can satisfactorily be completed by an exchange of signed physical counterparts of a paper agreement. 

But another contributor to the E-Signature Directive’s limited effect may have been the reluctance of individual Member States to recognise the legitimacy of electronic signatures produced using technology approved in other Member States. This lack of cross-border recognition in a world of increasingly common cross-border transactions, including interactions between citizens and public services, plays into the Commission’s agenda of establishing a single online market (now collected under the project for a Digital Single Market). As a result, the Commission decided to attempt to improve the e-signatures regime. 

What does eIDAS do?

A mandatory regime for cross-border recognition of e-signatures… 

The Commission has introduced a mandatory provision for cross-border recognition of one category of e-signature. It has at the same time taken the opportunity to regulate a range of related issues such as: 

  • website authentication; 
  • regulation of trust service providers (the eIDAS jargon for any business providing e-signatures or related services); 
  • electronic seals (still necessary for legal persons to conclude transactions in some jurisdictions), time stamps and archiving; and 
  • interoperability and mutual recognition of electronic identification (“eID”) of citizens to government agencies, for a range of purposes such as e-health. Notably, it does not impose a requirement for Member States to have such eID schemes, or to notify them for mutual recognition. It merely prescribes criteria for mutual recognition where a Member State has introduced a scheme and that Member State wishes to have it recognised elsewhere.

The result is a Regulation weighing in at 52 Articles (compared to the E-Signature Directive’s 13). 

…but no harmonisation of laws 

Fortunately, although it continues to favour electronic signatures supported by the armoury of secure-signature-creation-devices and qualified certificates, eIDAS (like its predecessor) does not attempt to harmonise Member States’ laws on whether or not a signature is needed to conclude a document. Nor does it prohibit simpler forms of e-signature. 

What does this all mean for companies doing business electronically in the EU? 

Increasing acceptance of the principle of e-signatures?

Probably the most important effect eIDAS will have will be to make it easier to convince counterparties across the entire EU that, no matter how reluctant their domestic legal culture may be to accept electronic signatures, the time has come when local courts and legislators can no longer exclude them. 

It will, however, take some years before any cases reach the CJEU to clarify issues such as precisely how trust service providers are to be supervised, or when a website authentication does or does not meet the requirements. Indeed, no cases ever did reach the CJEU on the E-Signature Directive, since in any jurisdiction cases where enforcement of a contract depends on the form of signature are very few and far between. So ambiguity as to detail will persist; but the principle is now directly effective in all Member States’ laws. 

Delegated and cloud-based signatures should remove the need for complex IT solutions in-house 

Beyond the principle, the most interesting elements in the Regulation are the possibilities of delegated and even cloud-based signature services. The E-Signature Directive insisted on advanced electronic signatures being created by means which the signatory could maintain under his or her own control, which was widely understood to mean a physical token which the signatory used to authenticate him or herself to the signing software.

By contrast, eIDAS recognises that the electronic signature environment can be managed by a trust service provider remotely on the signatory’s behalf, as long as adequate management and administrative security procedures are in place to guarantee that the signatory remains in sole control. And of course, as smartphones able to function as tokens in themselves are now ubiquitous, this should enable electronic signature ‘on the move’ to be exactly as simple and secure as at a desk.

Similarly, signature validation will now be possible on a cloud basis. Consequently, the need for every enterprise to invest in complex IT in order to be able to execute documents electronically has been removed. 

Website authentication 

Website authentication – enabling users to verify that the website represents a credible legal entity – is also a new addition. eIDAS will not mandate that websites must use any authentication service, but by providing recognition for such services where they meet the necessary security and liability provisions, the Commission hopes such authentication will become an important factor in building trust in online services.

Regulation of trust service providers 

For businesses engaged in trust services – electronic signatures, time-stamping and archiving, for instance – eIDAS also introduces an EU trust mark, for qualified trust services. 

These are trust service providers which have demonstrated through an independent audit (by a government-designated body) that they meet a set of requirements laid down in eIDAS and, consequently, appear on a list of qualified trust service providers maintained by the relevant national supervisory body.

The mark must be used in a way that enables users clearly to identify what trust services it relates to, since one service provider could, in principle, be qualified for some services but not for others.

Whether qualified or not, trust service providers will have to meet minimum security requirements and will be liable for any intentional or negligently caused damage arising from failing to meet them. As the E-Signature Directive provided for certification services, so too here the burden of proof is on the trust service provider – to show it was neither intentional nor negligent – rather than the allegedly injured party. But where limitations on the use of services have been communicated to customers in advance, then the service provider will not be liable for damage caused by use outside those limitations. 

Accordingly, clear upfront communication will be essential for any business providing trust services. 

And the signatures themselves? 

Little has changed in practice as regards signatures under eIDAS compared to signatures under the E-Signature Directive. The terminology has been amended – a secure signature creation device becomes a qualified signature creation device – but the definitions largely match. 

A new provision introduces a Europe-wide list of certified qualified signature creation devices, so that potential users will have a definitive information source in choosing the products to use. More technical standards relating to each and every aspect of the certification and qualification processes, including preservation (archiving) services, are being introduced.

Key questions on e-signatures in everyday commerce

But as to the key questions in everyday commerce, the answers remain the same: 

  • Can I use an electronic signature to create a legally binding contract? 

Answer: almost certainly unless your contract is one of the very limited categories, such as transfer of land, for which the governing national law both requires a signature at all and also prohibits the use of electronic signatures. 

  • Do I have to use a qualified electronic signature?

Answer: almost certainly not, unless the courts of your jurisdiction have ruled that this is necessary. I am aware of no such ruling in any European Member State at the time of writing. However, some civil law countries place considerable emphasis on the formality of signature, and you may find that local lawyers believe that only qualified electronic signatures will be accepted by their courts as sufficient evidence of the parties’ agreement. The question to be assessed is: is the cost and effort of executing by qualified electronic signature greater or less than the cost and effort of persuading your counterpart to commit to a non-qualified form of signature and trusting that, in the unlikely event of a relevant dispute arising, the courts will be persuaded to accept it and/or surrounding evidence instead?

  • What issues should I be aware of if I am going to agree to have a contract signed electronically?

Answer: this is the fundamental question. It matters only in those rare cases where a contract is challenged on the basis of the signature – someone claims that the signature is not theirs, or that the document on which their signature appears is not the one they believed they were signing. So the question to ask is: how would this e-signature process capture information to allow me to prove that the signatory was, indeed, the person I thought was signing, and what document was presented to them to sign? If the process provides durable evidence of the screens displayed, the actions taken by the signatory and the identity of the person taking those actions, then it will normally be good enough. 
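The evidence the answer above describes – what was displayed, what the signatory did, and who the authentication step said they were – can be bound together into a single tamper-evident record. The following is an added illustration, not code from the article, from Osborne Clarke or from any eIDAS standard: the field names, the constructed sample document and screens, and the HMAC seal (standing in for the time stamp or seal a trust service provider would apply) are all assumptions. It shows that a later substitution of the document, or an edit to the recorded actions, is detectable against the sealed record.

```python
# Added illustration: a minimal, tamper-evident record of an electronic
# signing event. Not the article's code and not an eIDAS-mandated format;
# the field names, the HMAC seal and all sample data are assumptions.
import hashlib
import hmac
import json

# Constructed sample inputs: the document as presented, the screens shown
# in order, and the identity the authentication step reported.
DOCUMENT = b"Supply agreement v3: Acme Ltd purchases 100 units at EUR 10 each."
SCREENS = [b"<page 1: terms>", b"<page 2: price>", b"<page 3: 'I agree' button>"]
SIGNER = {"name": "A. Example", "auth_method": "eID (assumed)", "auth_ref": "session-0001"}
ACTIONS = [
    ("2016-01-15T10:00:00Z", "viewed page 1"),
    ("2016-01-15T10:01:30Z", "viewed page 2"),
    ("2016-01-15T10:02:10Z", "clicked 'I agree' on page 3"),
]
# Constructed key held by the service operator. A real deployment would rely
# on a qualified time stamp or seal from a trust service provider instead of
# a shared secret, so that the operator itself cannot silently re-seal.
SEAL_KEY = b"constructed-demo-key-not-for-production"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_evidence(document, screens, signer, actions):
    """Bind together what was shown, who acted and what they did."""
    return {
        "document_sha256": sha256_hex(document),
        # Hash each screen in order so an altered or reordered display is detectable.
        "screens_sha256": [sha256_hex(s) for s in screens],
        "signer": signer,
        "actions": [{"at": at, "action": a} for at, a in actions],
    }


def canonical(record) -> bytes:
    # Deterministic serialisation: the seal must cover exactly one byte string.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def seal(record, key) -> dict:
    sealed = dict(record)
    sealed["seal"] = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return sealed


def verify(sealed, key, document) -> bool:
    """True only if the record is intact and matches the document now produced."""
    body = {k: v for k, v in sealed.items() if k != "seal"}
    expected = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed.get("seal", "")):
        return False  # record altered after sealing
    return body["document_sha256"] == sha256_hex(document)


def demo():
    sealed = seal(build_evidence(DOCUMENT, SCREENS, SIGNER, ACTIONS), SEAL_KEY)
    genuine = verify(sealed, SEAL_KEY, DOCUMENT)
    # A counterparty later produces a different document and claims it was the one signed.
    swapped = verify(sealed, SEAL_KEY, DOCUMENT.replace(b"EUR 10", b"EUR 1"))
    return genuine, swapped


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The record answers the two questions the text poses: the signer block and action list say who acted and when, and the document and screen hashes fix what they were shown. Retaining the original screen renderings alongside the record is what makes the hashes useful in a dispute, since a hash alone cannot reproduce the display.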


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.