Electronic Signature Laws & Regulations - The European Union

Overview

Adobe is a global leader for digitization with over 20 years of leadership in digital document standards and electronic signatures. We invented the PDF standard – now an open standard maintained by the International Organisation for Standardisation – and more than 250 billion PDF documents were opened in Adobe apps in the last year. We are well-versed in local rules and regulations and have addressed compliance and legal outcomes through our AATL and EUTL integrations in Acrobat. Acrobat Sign is a global leader in secure digital document transactions and standards-based electronic signatures, addressing the needs of businesses of all sizes across international borders.

Acrobat Sign can propel your company into the world of globally compliant signatures with ease. Acrobat Sign is uniquely designed to support a broad range of electronic and digital signature requirements so that you can do business locally or internationally – and choose the best approach for each of your business processes. Acrobat Sign delivers a fast, simple, and modern signing experience on any device. There is no longer any requirement to download certificates to your device for local signing. It is now possible to sign remotely using cloud technologies, enabling you to complete signature processes quickly and efficiently while meeting your compliance obligations.

This flexibility is made possible by relying on cloud digital signatures, which provide all the benefits of traditional digital signatures with the convenience of working on any device – including mobile – without the need for software or external security tokens. Our cloud digital signatures are powered by technology developed from a revolutionary open standard platform pioneered by Adobe in 2016, the Cloud Signature Consortium (CSC). The CSC is a group of industry and academic organizations committed to building a new, open standard for cloud-based digital signatures that will support web and mobile applications and comply with the most demanding digital signature regulations in the world.


European Union regulations and compliance

Electronic signatures are used extensively throughout the European Union in the public and private sectors. EU Regulation (No 910/2014) of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) came into effect on 1 July 2016. It has established an EU-wide legal framework for electronic signatures and other trust services such as electronic seals and time stamps.

In 2021, the European Commission proposed a revision to eIDAS. This led to a new regulation in May 2024 which has amended eIDAS to establish the “European Digital Identity Framework” (eIDAS Amendment). The centerpiece of the European Digital Identity Framework is the EU digital identity wallet (EUDI wallet). The EUDI wallet will be made available to EU citizens and residents by November 2026. It will be stored as an app on a smartphone and enable users to prove their age and identity in online and in-person transactions. It will make it simple for users to share a wealth of digital documents such as mobile driving licences, diplomas or medical prescriptions in full compliance with EU data privacy and security standards.

A key innovation of the EU wallet – and why it is relevant to this guide – is that it will give EU citizens and residents the ability to sign documents with the “gold standard” of a qualified electronic signature.

In this guide, a reference to “eIDAS” is a reference to the eIDAS text, as revised and updated by the eIDAS Amendment.

Electronic signatures under eIDAS

eIDAS is directly applicable in all 27 EU Member States without any need for national implementation.

eIDAS recognises three types of electronic signature:

  1. An electronic signature (sometimes called a “simple” electronic signature) is defined broadly as “any data in electronic form which is attached to or logically associated with other data in electronic form, and which is used by the signatory to sign.” (Article 3(10), eIDAS).

    A signatory is defined as a natural person who creates an electronic signature (Article 3(9), eIDAS).

    An electronic signature may take many different forms ranging from a signatory typing their name into an electronic document or email to using an online e-signing platform. The standard signature in Acrobat Sign – which allows the signatory to select a computer-generated signature from a variety of fonts and styles – is an electronic signature within the meaning of Article 3(10) eIDAS.
  2. An advanced electronic signature (AdES) is an electronic signature that fulfils additional requirements. Article 26 of eIDAS provides that an AdES must also be:
    • uniquely linked to the signatory;
    • capable of identifying the signatory;
    • created using electronic signature creation data (a private key) that the signatory can, with a high level of confidence, use under his sole control; and
    • linked to the signed data in such a way that any subsequent change in the data is detectable.
  3. A qualified electronic signature (QES) is an AdES that:
    • is created by a qualified electronic signature creation device (QSCD) (Article 3(23), eIDAS). The QSCD may be a physical smartcard held by the signatory with an associated pin code or a hardware security module operated remotely by a qualified trust service provider (QTSP) in the cloud;
    • is based on a qualified certificate for electronic signatures issued by a QTSP (Article 3(15), eIDAS); and
    • meets strict technical and security requirements set out in Annexes I and II of eIDAS.

AdES and QES are available from Acrobat Sign and Adobe’s network of QTSPs. AdES and QES are commonly known as “digital signatures”. A digital signature provides a higher level of identity proofing, document integrity and more support for signatory non-repudiation¹ than a simple electronic signature. A digital signature relies on public key infrastructure (PKI) technology and digital certificates issued by (qualified) trust service providers ((Q)TSPs) to confirm the link between the signatory and their public and private keys. PKI is explained below.

¹ Protection against a signatory falsely denying they signed the document.

Legal effect and admissibility

Our starting point in determining the legal effect of electronic signatures is Articles 24 and 25 of eIDAS:

  • An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for QES (Article 25(1), eIDAS).
  • A QES shall have the equivalent legal effect of a handwritten signature (Article 25(2), eIDAS).
  • A QES based on a qualified certificate issued in one EU Member State shall be recognised as a QES in every other EU Member State (Article 24a(1), eIDAS).
  • A QSCD certified in one EU Member State is recognised as a QSCD in every other EU Member State (Article 24a(3), eIDAS).

A QES benefits from mutual recognition in every EU Member State and, following Brexit, in the UK too. A qualified certificate issued by a European QTSP is also recognised as a qualified certificate in every EU Member State and in the UK. A QES based on a qualified certificate is presumed to be authentic and is therefore the gold standard for electronic signatures.

A simple electronic signature and an AdES cannot be denied legal effect or admissibility in evidence solely because of their electronic nature. This is known as the non-discrimination principle. It means that a national or EU court may not discard the signature (or a document) on the grounds that it is in electronic form. However, the court must still verify whether there are any execution formalities under EU or national law that apply to the particular document. Execution formalities may, for example, mean that certain documents (such as wills or real estate documents) are not capable of electronic execution in some EU legal systems. Moreover, the governing law may prescribe the use of an AdES or QES in specific transactions.

The interaction between eIDAS and national law is considered below.

QES and the role of QTSPs

TSPs are natural or legal persons that provide one or more electronic services relating to activities such as the creation, validation and preservation of e-signatures, e-seals or electronic time stamps. TSPs can operate either as qualified or as non-qualified trust service providers. TSPs are essential to the trust services ecosystem established by eIDAS and are required for the provision of AdES and QES. Prior to the availability of cloud signatures, a user would use physical devices to apply digital signatures in Acrobat Sign. For an improved user experience, a user can now apply a digital signature by remotely (and securely) accessing a digital certificate that is stored in the cloud by a TSP on behalf of the user. This is known as “remote” or “cloud” signing.

Adobe works with a wide array of QTSPs who issue qualified certificates to Adobe customers and signatories for applying QES to documents within Acrobat Sign. eIDAS subjects QTSPs to a more rigorous regulatory and audit regime, which is designed to ensure that QTSPs observe strict security standards. This includes submitting a conformity assessment report to a supervisory body in an EU Member State and demonstrating that the QTSP and their QSCD comply with the requirements set out in eIDAS (Articles 20, 21 and 24, eIDAS). It is notable that the regulatory regime is more onerous for QTSPs than for TSPs who provide (simple) electronic signatures and AdESs. This enhances trust in QES and the qualified certificates that underpin them.

Each EU Member State publishes and maintains a national trusted list of QTSPs that are supervised in their jurisdictions, and the qualified trust services they provide (Article 22, eIDAS). Under eIDAS, national trusted lists have constitutive effect. This means that the electronic signature is only a QES if the QTSP appears in a trusted list. The European Commission operates a Trusted List Browser (https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home) which enables customers to verify that a QTSP is listed in a national trusted list. More than 200 EU TSPs are listed in this EU Trusted List (EUTL) as QTSPs.

The circumstances in which customers might opt for a digital signature (AdES or QES) will depend on the specific use case, governing law, and the jurisdiction(s) in which the electronic document is to be recognised, registered or enforced. The industry sector is also a contributory factor: digital signatures are more prevalent in the pharmaceutical, healthcare, financial and government sectors which require greater legal certainty and more robust authentication of signatories.

eIDAS and Adobe Acrobat Sign

Acrobat Sign is a cloud-based electronic signature platform which allows users to manage document signature workflows.

Acrobat Sign supports several options for the identification of a signatory. As a result, it supports all three types of electronic signatures defined in eIDAS. It allows the creation of simple electronic signatures, and it also supports digital signatures that use digital certificates issued by third-party TSPs and QTSPs, together with advanced cryptography and authentication, to generate higher-grade AdESs and QESs.

As mentioned above, Adobe has integrated with a wide array of QTSPs that issue qualified certificates. Adobe customers and signatories can use these certificates to create QESs on the Acrobat Sign platform. In collaboration with the Cloud Signature Consortium (CSC), Adobe is the first global vendor to support an open standard for cloud-based digital signatures. This has paved the way for technical interoperability between e-signing platforms and QTSPs (using the CSC API v2). Organizations around the world can use Acrobat Sign to execute documents remotely with QES using qualified certificates issued by QTSPs that support the CSC standard. This delivers eIDAS-compliant QES with a simple, convenient user experience.

Acrobat Sign allows the creation of remote QES using the trust services from the following QTSPs that are natively integrated via the CSC API: A-Trust (Austria), Asseco (Poland), Cleverbase (Netherlands), D-Trust (Germany), DigiCert (Belgium), Digidentity (Netherlands), Docaposte Certinomis (France), Entrust (Spain), GlobalSign (Belgium, Netherlands), InfoCert (Italy), Intesi Group (Italy), Itsme (Belgium, Luxembourg, Netherlands), PrimeSign (Austria, Germany), SK (Estonia, Latvia, Lithuania), Trans Sped (Romania), TrustPro (Ireland), Universign (France), ZealiD (Sweden). Each of these QTSPs, independent of their country of accreditation and supervision, provides qualified certificates for remote QES that satisfy the stringent standards laid down in eIDAS. Signatories can use these qualified certificates to generate QES that have the equivalent legal standing of a handwritten signature throughout the EU bloc and in the UK.

As well as enabling remote QES, Acrobat Sign supports “local signing” via many legacy personal digital signature devices (i.e., smart cards, USB tokens) using the native integration with Adobe Acrobat on desktop computers.

Adobe also has a unique role in the industry as the maintainer and publisher of the Adobe Approved Trust List (AATL). The AATL and EUTL are natively supported in Adobe Acrobat and Acrobat Sign to establish a network of TSPs and QTSPs that facilitates the automatic validation of AdES and QES. (Article 32, eIDAS).


Additional Considerations

Interaction between eIDAS and national law

It should be acknowledged that eIDAS has fallen short of fully harmonising electronic signature laws across the EU and the UK. Recital 49 of eIDAS is key to understanding if, and when, customers may use an electronic signature for their transactions. eIDAS states that – except for QES (which has the equivalent standing of a handwritten signature) – national law still defines the legal effect of electronic signatures. In practice, each EU Member State and the UK may prohibit the use of an electronic signature for specific categories of transaction (for example, wills or transfers of real estate), or prescribe that a higher form of signature (such as an AdES or QES) be used to approve that transaction.

Furthermore, public registries (such as real estate or probate registries) are at liberty to require a handwritten signature for registration purposes. This used to be very common. However, a byproduct of the COVID-19 pandemic is that public registries were forced to digitalise their services. It is now quite rare for a public registry to insist on a handwritten signature and the majority accept electronic and digital signatures.

eIDAS does not specify any documents that cannot be signed electronically. However, the E-Commerce Directive (2000/31/EC) gave EU Member States discretion to exclude certain categories of contract from the general rule that contracts may be concluded by electronic means (General Rule). The EU-UK Trade and Cooperation Agreement 2020 (TCA) has also sought to regulate the extent to which an EU Member State or the UK might choose to diverge from the General Rule. The TCA not only has a direct bearing on how to interpret eIDAS but reminds us of the centrality of national law when evaluating the use of electronic and digital signatures.

The TCA lists several categories of contracts which an EU Member State and/or the UK may unilaterally decide are exempt from the General Rule and may not be capable of electronic execution (Article DIGIT.10(2), Chapter 3 of Title III (Conclusion of contracts by electronic means)). The list includes:

  • Legal representation services
  • Services of notaries or equivalent professions
  • Contracts requiring in-person witnessing
  • Contracts that create or transfer rights in real estate
  • Family law contracts such as wills

Thus, understanding the interaction between eIDAS and national law is vitally important when using electronic and digital signatures. It should be front of mind for in-house and external lawyers when they create e-signing policies and differentiate between signature requirements in domestic and cross-border transactions.

To assist in assessing specific national law requirements, please see the jurisdictional legality guides at https://www.adobe.com/trust/document-cloud-security/cloud-signatures-legality.html.

Example use case: public procurements in France

As an example, in March 2019, France issued a decree on the use of electronic signatures in public procurement contracts (2019 Decree). The effect of the decree is that when an electronic signature is used in public procurements, it has to be a QES based on a qualified certificate from a QTSP. Simple electronic signatures and AdESs will not suffice.

Customers entering into a French public procurement contract may use a qualified certificate from any of the QTSPs in the EU Trusted List.

The National Cybersecurity Agency of France (Agence nationale de la sécurité des systèmes d’information or “ANSSI”) is the supervisory body for QTSPs on the French Trusted List. Where engaging with a French QTSP is preferred, Certinomis* is a QTSP supervised by ANSSI whose qualified trust services are integrated with Acrobat Sign. Nevertheless, it is explicit in Article 2 of the 2019 Decree and especially in Article 25 of the eIDAS Regulation that organizations entering a public procurement contract must rely on qualified electronic signatures based on qualified certificates issued by QTSPs listed on a Trusted List from any EU Member State.

*Costs for QTSP services for QES creation and usage are subject to the business model of the QTSP. In this example a customer would contract directly with Certinomis to activate their services.

Public Key Infrastructure (PKI)

PKI is a set of hardware, software, policies and cryptography procedures used by e-signing platforms and their (Q)TSPs to create and validate digital signatures (AdES and QES). PKI technologies enable the creation, management, use, storage and revocation of digital certificates, as well as public and private encryption keys for digital signatures. The (Q)TSP verifies the identity of the signatory and issues a digital certificate (or, in the case of QES, a qualified certificate) confirming their name (or pseudonym) and linking the signatory’s identity to their public key. The public key is uniquely associated with the private key which the signatory uses to digitally sign a document on an e-signing platform. The digital certificate is embedded into the digital signature and provided to the recipient who uses the public key (taken from the certificate) to identify the signatory and validate the signature using Adobe Acrobat or Reader. This provides a higher level of identity assurance than a simple electronic signature in regard to the authenticity and integrity of an electronic document.

Note:

Disclaimer: Information in this document is intended to help businesses understand the legal framework of electronic signatures. However, Adobe cannot provide legal advice. You should consult an attorney regarding your specific legal questions. Laws and regulations change frequently, and this information may not be current or accurate. To the maximum extent permitted by law, Adobe provides this material on an "as-is" basis. Adobe disclaims and makes no representation or warranty of any kind with respect to this material, express, implied or statutory, including representations, guarantees or warranties of merchantability, fitness for a particular purpose, or accuracy.
