Decrypting the eIDAS European regulation on electronic signatures

On 23 July 2014, the Council of the European Union announced their definitive adoption of the new eIDAS regulation (Electronic Identification and Trust Services), regarding electronic identification and trust services for electronic transactions within the internal market.  

The eIDAS regulation defines and governs the use of different types of trust services:  

• the issuing of website authentication certificates, 
• timestamping,
• electronic signatures, 
• electronic seals, 
• electronic registered mail services

Published on 28 August 2014 in the Official Journal of the European Union under reference (EU) No 910/2014, this text has profoundly transformed the European legal framework. This new framework should therefore allow users to fully benefit from a unique and secure space for the majority of electronic transactions in Europe. 

The eIDAS European regulation, a veritable pan-European digital trust market  

The eIDAS regulation is not a simple update of the 1999 directive: it repeals the 1999/93/EC directive, which only concerned the electronic signature. The eIDAS regulation therefore establishes a much more general legal framework for different types of electronic transactions within the internal market.  

The eIDAS regulation applies fully and directly within Europe, and leaves no possibility for national legislative transpositions by member states. It replaces national laws, which has resulted in the need for significant modifications to the legislation of certain countries with regard to electronic signatures and identification. Similarly, national reference documents like the French RGS certificate have had to be adjusted in accordance with this regulation. 

With the eIDAS regulation, an electronic document constitutes legal evidence

Chapter 4 of the eIDAS regulation effectively stipulates that an electronic document cannot be refused as evidence in court for the sole reason that it is presented electronically. In 2016, at a time when certain aspects of the digital world may have generated some reluctance, this service was deemed worthy of being written into regulations! 

Trust services governed across Europe

For each type of service (signature, timestamping, etc.) the eIDAS regulation defines the notion of the qualified trust service and of the qualified Trust Service Provider (TSP). These operators must fulfil a certain number of security requirements and follow a process of qualification which certifies that they are compliant with the regulation.  

In return, users are assured that if they use qualified services or a qualified TSP, these will comply with the requirements of the eIDAS European regulation. 

Imposed upon member states several years ago by the European Commission, the lists of Trust Service Providers constitute a veritable reference list of companies deemed trustworthy by the different states of the European Union. In France, the National Agency for Computer Security (known as ANSSI) is the national body responsible for the implementation of this regulation. 

A mutual recognition of electronic identification in Europe 

The eIDAS regulation attaches great importance to the means of electronic identification, which are processed independently of other trust services. It defines three levels of guarantee which differ in their degree of reliability: low, substantial and high level of guarantee.  

The eIDAS regulation also encourages the implementation of substantial and high levels in order to achieve an interoperability of the means of electronic identification across Europe. In short, all European public services should be able to accept substantial and high means of identification, regardless of which State commissioned them. 

Timestamping introduced at a European level by the eIDAS regulation

While electronic timestamping had benefited from a clear and longstanding legal framework in France, thanks in particular to the RGS certificate, it had not yet been introduced within European law. The eIDAS regulation remedied this situation by defining both timestamping and qualified timestamping.  

To summarise, qualified timestamping guarantees the existence of a file at a given date, and that it has not been modified since that date (principle of integrity). Consequently, a document sealed with a qualified timestamp, as understood by European regulations, benefits from assumed accuracy with regard to its date, time and integrity before all European courts. 

The eIDAS regulation defines different types of electronic signatures

Before the eIDAS European regulation, all public legal texts placed great emphasis on the generation of certificates and the creation of electronic signatures. On the other hand, they rarely tackled the question of how a signature may be verified and validated.  

The eIDAS regulation has rectified this, in dedicating two articles to the validation of qualified signatures. It also provides for three levels of signature: simple, advanced and qualified. However, as a result of commercial practices, a fourth level has been developed: advanced with qualified certificate.  

Universign – An eIDAS regulation-qualified Trust Service Provider  

As a TSP, qualified in accordance with the eIDAS European regulation, Universign trust services guarantee the identification of the signatory and the integrity of the document.  

Universign’s role as a TSP is to bear this legal and security responsibility in order to offer electronic signature services which grant evidentiary value to signed documents, in accordance with the eIDAS European regulation. 

Universign is governed by the French National Agency for Computer Security (known as ANSSI), which issues its qualifications. Universign was one of the first companies to obtain security certificates issued by this authority, designed to allow for easy identification of the most trustworthy IT solutions. 

Furthermore, Universign is also audited by LSTI. This independent compliance assessment body is the only body authorised by ANSSI to qualify TSPs.