Electronic Signature Laws & Regulations - The European Union

Electronic signatures are used extensively throughout the European Union in the public and private sector. EU Regulation (No 910/2014) of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS) came into effect on 1 July 2016 and established an EU-wide legal framework for electronic signatures and other trust services.

Electronic signatures under eIDAS

eIDAS is directly applicable in all 27 EU Member States without any need for national implementation. Following the UK’s departure from the European Union (Brexit), the essence of eIDAS has been retained – with some minor changes - in UK law.

 eIDAS distinguishes between three categories of electronic signature:

• An electronic signature (sometimes called a “simple” electronic signature) is defined broadly as “any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” (Article 3(10), eIDAS).

A signatory is defined as a natural person who creates an electronic signature (Article 3(9), eIDAS).

An electronic signature takes several forms ranging from a signatory typing their name into an electronic document or email to using an online e-signing platform. The baseline signature in Adobe Acrobat Sign - which allows the signatory to select a computer-generated signature from a variety of fonts and styles - is an electronic signature under eIDAS.

• An advanced electronic signature (AdES) is an electronic signature that fulfils additional requirements. Article 26 of eIDAS provides that an AdES must also be:
  1. uniquely linked to the signatory;
  2. capable of identifying the signatory;
  3. created using electronic signature creation data (a private key) that the signatory can, with a high level of confidence, use under his sole control; and
  4. linked to the data signed in such a way that any subsequent change in the data is detectable.

• A qualified electronic signature (QES) is an AdES that is:
  1. created by a qualified electronic signature creation device (QESCD) (Article 22, eIDAS); and
  2. based on a qualified certificate for electronic signatures issued by a qualified trust service provider (QTSP) (Article 3(23), eIDAS).

AdES and QES are also available from Adobe Acrobat Sign (and Adobe’s network of QTSPs).  AdES and QES are commonly known as digital signatures. A digital signature is a more secure and technologically sophisticated electronic signature. It relies on public key infrastructure (PKI) technology and certificates issued by trust service providers (TSPs) to confirm the link between the signatory and their public and private keys. An explanation of PKI technology is set out below.

Public Key Infrastructure (PKI)

PKI is a set of hardware, software, policies and cryptography procedures used by e-signing platforms and their TSPs to create and validate digital signatures (AdES and QES). PKI technologies enable the creation, management, use, storage and revocation of digital certificates, as well as public and private encryption keys for digital signatures. The TSP verifies the identity of the signatory and issues a digital certificate confirming their name (or pseudonym) and linking the signatory’s identity to their public key. The public key is uniquely associated with the private key which the signatory uses to digitally sign a document on an e-signing platform. The digital certificate is embedded into the digital signature and provided to the recipient who uses the public key (taken from the certificate) to identify the signatory and validate the signature using Adobe Acrobat or Reader. This provides a higher level of assurance than an electronic signature as to the authenticity and integrity of an electronic document.

The circumstances in which customers might opt for a digital signature will depend on the governing law of the document and the jurisdiction(s) in which that document is to be recognised, registered or enforced. The industry sector is also a contributory factor: digital signatures are more prevalent in the pharmaceutical, financial and government sectors which value greater security and more rigorous authentication of signatories.

Legal effect and admissibility

Our starting point in determining the legal effect of electronic signatures is Article 25 of eIDAS:

1. An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for QES.
2. A QES shall have the equivalent legal effect of a handwritten signature.
3. A QES based on a qualified certificate issued in one EU Member State shall be recognised as a qualified electronic signature in all other EU Member States.

A QES benefits from mutual recognition in every EU Member State and in the UK. A qualified certificate issued by a QTSP in any EU Member State is recognised as a qualified certificate across the EU and in the UK. A QES based on a qualified certificate is presumed to be authentic and is therefore the gold standard for electronic signatures.

A simple electronic signature and an AdES cannot be denied legal effect or admissibility in evidence solely because of their electronic nature. This is known as the non-discrimination principle. It means that a national or EU court may not discard the signature (or a document) on the grounds that it is in electronic form. However, the court must still verify whether there are any execution formalities under EU or national law that apply to the particular document. Execution formalities may, for example, mean that certain documents (such as wills) are not capable of electronic execution in some EU legal systems, or the governing law may prescribe the use of an AdES or QES.

The interaction between eIDAS and national law is considered below.

QES and the role of QTSPs

Adobe works with a wide array of QTSPs who issue qualified certificates to Adobe customers and signatories for signing documents on the platform with a QES. eIDAS subjects QTSPs to a comprehensive regulatory and audit regime which is designed to ensure that they observe strict security standards. This includes submitting a conformity assessment report to a supervisory body in an EU member state and demonstrating that the QTSP and their QESCD comply with the requirements set out in eIDAS (Articles 20 and 24, eIDAS). The regulatory regime is more onerous for QTSPs than for TSPs who provide electronic signatures. This enhances trust in QES and the qualified certificates that underpin them.

Each EU Member State publishes and maintains a national trusted list of QTSPs and the qualified trust services they provide (Article 22, eIDAS). Under eIDAS, national trusted lists have constitutive effect. This means that the electronic signature is only a QES if the QTSP appears in a trusted list. The European Commission operates a Trusted List Browser (https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home) which enables customers to verify that a QTSP is listed in a national trusted list.

Additional considerations

Interaction between eIDAS and national law

Only QES has the equivalent legal effect as a handwritten signature. There is no such equivalency for  AdES or other electronic signatures.

It should be acknowledged that eIDAS has fallen short of fully harmonising electronic signature laws across the EU and the UK. Recital 49 of eIDAS is key to understanding if, and when, customers may use an electronic signature for their transactions.  It states that – with the exception of a QES (which has the equivalent standing of a handwritten signature) - national law still defines the legal effect of electronic signatures. In practical terms, each EU Member State and the UK may prohibit the use of an electronic signature for certain transactions (for example, wills or transfers of real estate) or prescribe that a higher form of signature (such as an AdES or QES) be used to approve that transaction.

Furthermore, public registries (such as real estate or probate registries) are at liberty to require a handwritten signature for registration purposes.

eIDAS does not specify any documents that cannot be signed electronically. However, the E-Commerce Directive (2000/31/EC) gave EU Member States discretion to exclude certain categories of contract from the general rule that contracts may be concluded by electronic means (General Rule). The EU-UK Trade and Cooperation Agreement 2020 (TCA) has also sought to regulate the extent to which an EU Member State or the UK might choose to derogate from the General Rule. The TCA not only has a direct bearing on how to interpret eIDAS but reminds us of the centrality of national law when evaluating the use of electronic and digital signatures.

The TCA lists several categories of contracts which an EU Member State and/or the UK may unilaterally decide are exempt from the General Rule and may not be capable of electronic execution (Article DIGIT.10(2), Chapter 3 of Title III (Conclusion of contracts by electronic means)). The list includes:

• Legal representation services
• Services of notaries or equivalent professions
• Contracts requiring in-person witnessing
• Contracts that create or transfer rights in real estate
• Family law contracts such as wills

Understanding the interaction between eIDAS and national law is therefore vitally important when using electronic and digital signatures. It should be front of mind for in-house and external lawyers when they create e-signing policies and differentiate between signature requirements in domestic and cross-border transactions.

To assist in assessing specific national law requirements, please see the jurisdictional legality guides at https://www.adobe.com/trust/document-cloud-security/cloud-signatures-legality.html.

The guide to cross-border transactions and eIDAS, which you can access at https://helpx.adobe.com/sign/using/eu-uk-cross-border-transactions.html,  provides essential guidance for using electronic signatures in overseas transactions.