Assurance levels under eIDAS between advanced and qualified electronic signatures

Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS Regulation) lays out a common framework for electronic signatures in the EU. It outlines several different signature types including the qualified electronic signature and the advanced electronic signature.

The qualified electronic signature relies on a digital certificate, which is an electronic document that links the validation data of a signature with a natural or legal person and with a pair of keys (one public and the other private).

“It contains the information necessary to electronically sign and identify [the certificate’s] owner with their information: name, [government identification], algorithm and signature keys, expiration date and issuing body,” indicates the Spanish Government’s Electronic Administration Portal.

The qualified electronic signature complies with the provisions of the eIDAS Regulation and offers the highest level of assurance, which should “characterise the degree of confidence in electronic identification means in establishing the identity of a person, thus providing assurance that the person claiming a particular identity is in fact the person to which that identity was assigned,” according to the eIDAS Regulation.

This signature type has the presumption of legal validity, and is the legal equivalent to a handwritten signature. It would thus be considered valid evidence in court without needing to provide any expert testimony.   

What qualified devices exist to be able to carry out an electronic signature?

For the digital certificate to be considered qualified, it must be issued by a Qualified Certification Authority, through a qualified signature creation device.

Docuten has three devices:

• The cryptographic card (like the electronic DNI, the national identity document in Spain)
• The cryptographic USB
• HSMs, which are cryptographic servers included in the European signature regulation. The regulation indicates the possibility of generating and safeguarding qualified certificates in the cloud using HSMs. In this way, it is possible to obtain, through a qualified provider, a qualified electronic certificate in the cloud, and use it to sign with a qualified signature. Since the electronic certificate is in the cloud, properly stored and safeguarded, it allows for a high degree of mobility. The qualified electronic signature can be done from anywhere.

These three devices share a common characteristic: they generate certificates. The certificates are created inside, and are safeguarded and protected since the private key does not leave them.

Advantages to the centralised qualified signature

The centralised signature is related to the electronic certificates used in an organisation (previously discussed) that are centrally managed, operating from a single, controlled, secure repository.

Because it’s stored in the cloud, the centralised signature has a number of benefits:

• Device independence: users have access to certificates from any computer or mobile device.
• Centralised control of permissions: the certificates to which a user has access (and on which pages or services they can take action) can be controlled and limited.
• Monitoring and traceability: centralised keys let you monitor the time, location, and second-factor authentication. In addition, it offers a record of all the operations carried out with electronic certificates in your organisation.
• Fewer misplaced certificates: as they are not stored on the user’s machine, there are less problems with misplaced certificates.
• Streamlined management of certificates: since the certificates are centralised, the organisation handles any and all issues with revoked, expired or destroyed certificates, which makes procedures more uniform and easier to control.

The qualified electronic signature vs. the advanced electronic signature

At Docuten, we recommend our clients rely on the idea of proportionality when choosing what type of signature to use. While all our electronic signature options are secure and legal, for particularly important documents, the highest level of assurance should be  used, which would be the qualified electronic signature. However, not all documents are created equal: signing a commercial contract is not the same as signing a vacation time request. In the latter, usability should be prioritised over the highest assurance level.

This is why we also offer advanced electronic signatures. This type of signature is outlined in the eIDAS regulation, and includes the signature with OTP and the biometric signature (sign documents online or with the app).

• OTP signature: the signature with OTP (One-Time Password) is a digital signature executed by sending a one-time code with temporary validity to the signatory by SMS or email.
• Biometric signature: the biometric signature allows you to sign documents in a similar way to the handwritten signature, on any mobile device (tablet, smartphone) with full legal validity. Because we’re always striving to best meet our clients’ needs, with Docuten you can sign using a biometric signature online or with the app.

Qualified Trust Service Provider

Docuten has been certified as a Qualified Trust Service Provider in accordance with Regulation (EU) No 910/2014 regarding electronic identification and trust services for electronic transactions (eIDAS Regulation).

After having passed an external audit done by an accredited certification body, and with the approval of the Secretary of State for Digitalisation and Artificial Intelligence of the Ministry of Economic Affairs and Digital Transformation, Docuten is now listed on the European Trusted List.

In this line, Docuten’s digital signature service is held to the highest European standard, substantiating our continuous commitment to the highest standards of security and legality.

Interested in electronic signature regulations? Check out our article on eIDAS & Brexit.