Electronic Signature Laws & Regulations - The European Union
Adobe is a global leader for digitization with over 20 years of leadership in digital document standards and electronic signatures. We invented the PDF standard – now an open standard maintained by the International Organisation for Standardisation – and more than 250 billion PDF documents were opened in Adobe apps in the last year. We are well-versed in local rules and regulations and have addressed compliance and legal outcomes through our AATL and EUTL integrations in Acrobat. Acrobat Sign is a global leader in secure digital document transactions and standards-based electronic signatures, addressing needs of businesses of all sizes across geographies.
Acrobat Sign can propel your company faster and easier into the world of globally compliant signatures. Acrobat Sign is uniquely designed to support a broad range of e-signature and digital signature requirements so that you can do business locally or globally – and choose the best approach for each of your business processes. Acrobat Sign delivers a fast, simple, and modern signing experience on any device – no download required with supported certificate providers – allowing you to complete signature processes quickly and easily, making business more efficient while helping you meet your compliance obligations.
This flexibility is made possible by relying on cloud digital signatures, which provide all the benefits of traditional digital signatures with the convenience of working on any device – including mobile – without the need for software or external security tokens. Our cloud digital signatures are powered by technology developed from a revolutionary open standard platform pioneered by Adobe in 2016, the Cloud Signature Consortium (CSC). The CSC is a group of industry and academic organizations committed to building a new standard for cloud-based digital signatures that will support web and mobile applications and comply with the most demanding electronic signature regulations in the world.
European Union regulations and compliance
Electronic signatures are used extensively throughout the European Union in the public and private sectors. EU Regulation (No 910/2014) of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (eIDAS) came into effect on 1 July 2016 and established an EU-wide legal framework for electronic signatures and other trust services.
Electronic signatures under eIDAS
eIDAS is directly applicable in all 27 EU Member States without any need for national implementation. Following the UK’s departure from the European Union (Brexit), the essence of eIDAS has been retained – with some minor changes – in UK law.
eIDAS differentiates three categories of electronic signature:
- An electronic signature (sometimes called a “simple” electronic signature) is defined broadly as “any data in electronic form which is attached to or logically associated with other data in electronic form, and which is used by the signatory to sign.” (Article 3(10), eIDAS).
  A signatory is defined as a natural person who creates an electronic signature (Article 3(9), eIDAS).
  An electronic signature can take several forms, ranging from a signatory typing their name into an electronic document or email to using an online e-signing platform. The baseline signature in Acrobat Sign, which allows the signatory to select a computer-generated signature from a variety of fonts and styles, is an electronic signature under eIDAS.
- An advanced electronic signature (AdES) is an electronic signature that fulfils additional requirements. Article 26 of eIDAS provides that an AdES must also be:
  - uniquely linked to the signatory;
  - capable of identifying the signatory;
  - created using electronic signature creation data (a private key) that the signatory can, with a high level of confidence, use under his sole control; and
  - linked to the signed data in such a way that any subsequent change in the data is detectable.
- A qualified electronic signature (QES) is an AdES that:
  - is created by a qualified electronic signature creation device (QESCD) (Article 22, eIDAS), for example a physical smartcard held by the signer with an associated PIN code, or a hardware security module operated remotely by a qualified trust service provider (QTSP) in the cloud;
  - is based on a qualified certificate for electronic signatures issued by a QTSP (Article 3(23), eIDAS); and
  - meets technical and security requirements set out in Annexes I and II of eIDAS.
AdES and QES are available from Acrobat Sign and Adobe’s network of QTSPs. AdES and QES are commonly known as digital signatures. A digital signature provides a higher level of assurance and is a more technologically sophisticated electronic signature. A digital signature relies on public key infrastructure (PKI) technology and digital certificates issued by trust service providers (TSPs) to confirm the link between the signatory and their public and private keys. PKI is further discussed below.
Legal effect and admissibility
Our starting point in determining the legal effect of electronic signatures is Article 25 of eIDAS:
- An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for QES.
- A QES shall have the equivalent legal effect of a handwritten signature.
- A QES based on a qualified certificate issued in one EU Member State shall be recognised as a qualified electronic signature in all other EU Member States.
A QES benefits from mutual recognition in every EU Member State and in the UK. A qualified certificate issued by a European QTSP is also recognised as a qualified certificate in every EU Member State and in the UK. A QES based on a qualified certificate is presumed to be authentic and is therefore the gold standard for electronic signatures.
A simple electronic signature and an AdES cannot be denied legal effect or admissibility in evidence solely because of their electronic nature. This is known as the non-discrimination principle. It means that a national or EU court may not discard the signature (or a document) on the grounds that it is in electronic form. However, the court must still verify whether there are any execution formalities under EU or national law that apply to the particular document. Execution formalities may, for example, mean that certain documents (such as wills) are not capable of electronic execution in some EU legal systems. In some use cases, the governing law may prescribe the use of an AdES or QES.
The interaction between eIDAS and national law is considered below.
QES and the role of QTSPs
TSPs are natural or legal persons that provide one or more electronic services relating to activities such as the creation, validation and preservation of e-signatures, e-seals or electronic time stamps. TSPs can operate either as qualified or as non-qualified trust service providers. TSPs are essential to the e-signature ecosystem established by eIDAS and are required in order to provide AdES and QES. Prior to the availability of cloud signatures, a user would use physical devices to apply digital signatures in Acrobat Sign. For an improved user experience, a user can now apply a digital signature by remotely (and securely) accessing the user’s digital certificate that is stored in the cloud by a TSP.
Adobe works with a wide array of Qualified TSPs (or “QTSPs”) who issue qualified certificates to Adobe customers and signatories for applying QES signatures to documents within Acrobat Sign. eIDAS subjects QTSPs to a comprehensive regulatory and audit regime which is designed to ensure that QTSPs observe strict security standards. This includes submitting a conformity assessment report to a supervisory body in an EU Member State and demonstrating that the QTSP and their qualified electronic signature creation device (QESCD) comply with the requirements set out in eIDAS (Articles 20 and 24, eIDAS). The regulatory regime is more onerous for QTSPs than for TSPs who provide electronic signatures. This enhances trust in QES and the qualified certificates that underpin them.
Each EU Member State publishes and maintains a national trusted list of QTSPs that are supervised in their jurisdictions, and the qualified trust services they provide (Article 22, eIDAS). Under eIDAS, national trusted lists have constitutive effect. This means that the electronic signature is only a QES if the QTSP appears in a trusted list. The European Commission operates a Trusted List Browser (https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home) which enables customers to verify that a QTSP is listed in a national trusted list. More than 200 EU TSPs are currently listed in this EU Trusted List as QTSPs.
The circumstances in which customers might opt for a digital signature will depend on use case, governing law, and the jurisdiction(s) in which the electronic document is to be recognised, registered or enforced. The industry sector is also a contributory factor: digital signatures are more prevalent in the pharmaceutical, healthcare, financial and government sectors which require greater legal certainty and more rigorous authentication of signatories.
eIDAS and Adobe Acrobat Sign
Acrobat Sign is a cloud-based electronic signature platform that allows users to manage document signature workflows.
Acrobat Sign supports several options for the identification of a signatory. As a result, it supports all three types of electronic signature defined in eIDAS. It allows the creation of simple electronic signatures, and it also supports digital signatures that use digital certificates issued by third-party TSPs and QTSPs, together with advanced technology and authentication techniques that can be used to generate higher grade signatures such as AdESs and QESs.
As mentioned above, Adobe has integrated with a wide array of QTSPs that issue qualified certificates. Adobe customers and signatories can use such certificates to create QESs on the Acrobat Sign platform. In collaboration with the CSC, Adobe is the first global vendor to support an open standard for cloud-based digital signatures and paved the way for technical interoperability between e-signing platforms and QTSPs. Organizations around the world can use Acrobat Sign to apply remote QES using qualified certificates issued by QTSPs that support the CSC standard. This delivers eIDAS-compliant QES and a great customer and user experience.
Acrobat Sign allows the creation of remote QES using the trust services from the following QTSPs that are natively integrated via the CSC API: A-Trust (Austria), Asseco (Poland), Cleverbase (Netherlands), D-Trust (Germany), DigiCert (Belgium), Digidentity (Netherlands), Docaposte Certinomis (France), Entrust (Spain), GlobalSign (Belgium, Netherlands), InfoCert (Italy), Intesi Group (Italy), Itsme (Belgium, Luxembourg, Netherlands), PrimeSign (Austria, Germany), SK (Estonia, Latvia, Lithuania), Trans Sped (Romania), TrustPro (Ireland), Universign (France), ZealiD (Sweden). Each of these QTSPs, independent of their country of accreditation and supervision, provides qualified certificates for remote QES that satisfy the stringent standards laid down in eIDAS. Signatories can use these qualified certificates to generate QES that have the equivalent legal standing of a handwritten signature in the EU bloc and UK.
As well as enabling remote QES, Acrobat Sign supports many legacy personal digital signature devices (i.e., smart cards, USB tokens) via the native integration with Adobe Acrobat on desktop computers.
Adobe also has a unique role in the industry as the maintainer and publisher of the Adobe Approved Trust List (AATL). The AATL and European Union Trusted List (EUTL) are natively supported in Adobe Acrobat and Acrobat Sign to establish a network of TSPs and QTSPs that facilitates the validation of AdES and QES (Article 32, eIDAS).
Interaction between eIDAS and national law
It should be acknowledged that eIDAS has fallen short of fully harmonising electronic signature laws across the EU and the UK. Recital 49 of eIDAS is key to understanding if, and when, customers may use an electronic signature for their transactions. eIDAS states that – except for QES (which has the equivalent standing of a handwritten signature) – national law still defines the legal effect of electronic signatures. In practical terms, each EU Member State and the UK may prohibit the use of an electronic signature for certain transactions (for example, wills or transfers of real estate) or prescribe that a higher form of signature (such as an AdES or QES) be used to approve that transaction.
Furthermore, public registries (such as real estate or probate registries) are at liberty to require a handwritten signature for registration purposes. One consequence of the COVID-19 pandemic is that public registries were forced to digitalise their services. It is now quite rare for a public registry to insist on a handwritten signature and the majority accept electronic and digital signatures.
eIDAS does not specify any documents that cannot be signed electronically. However, the E-Commerce Directive (2000/31/EC) gave EU Member States discretion to exclude certain categories of contract from the general rule that contracts may be concluded by electronic means (General Rule). The EU-UK Trade and Cooperation Agreement 2020 (TCA) has also sought to regulate the extent to which an EU Member State or the UK might choose to diverge from the General Rule. The TCA not only has a direct bearing on how to interpret eIDAS but reminds us of the centrality of national law when evaluating the use of electronic and digital signatures.
The TCA lists several categories of contracts which an EU Member State and/or the UK may unilaterally decide are exempt from the General Rule and may not be capable of electronic execution (Article DIGIT.10(2), Chapter 3 of Title III (Conclusion of contracts by electronic means)). The list includes:
- Legal representation services
- Services of notaries or equivalent professions
- Contracts requiring in-person witnessing
- Contracts that create or transfer rights in real estate
- Family law contracts such as wills
Thus, understanding the interaction between eIDAS and national law is vitally important when using electronic and digital signatures. It should be front of mind for in-house and external lawyers when they create e-signing policies and differentiate between signature requirements in domestic and cross-border transactions.
To assist in assessing specific national law requirements, please see the jurisdictional legality guides at https://www.adobe.com/trust/document-cloud-security/cloud-signatures-legality.html.
Example use case: public procurements in France
As an example, in March 2019, France issued a decree on the use of electronic signatures in public procurement contracts (2019 Decree). The effect of the decree is that when an electronic signature is used in public procurements, it has to be a QES based on a qualified certificate from a QTSP. Simple electronic signatures and AdESs will not suffice.
Customers entering into a French public procurement contract may use a qualified certificate from any of the QTSPs in the EU Trusted List.
The National Cybersecurity Agency of France (Agence nationale de la sécurité des systèmes d’information or “ANSSI”) is the supervisory body for QTSPs on the French Trusted List. The qualified trust services of Certinomis*, a QTSP supervised by ANSSI, are integrated with Acrobat Sign, in case engaging with a French QTSP is preferred. Nevertheless, it is explicit in Article 2 of the 2019 Decree and especially in Article 25 of the eIDAS Regulation that organizations entering a public procurement contract must rely on qualified electronic signatures based on qualified certificates issued by QTSPs listed on a Trusted List from any EU Member State.
*Costs for QTSP services for QES creation and usage are subject to the business model of the QTSP. In this example, a customer would contract directly with Certinomis to activate their services.
Public Key Infrastructure (PKI)
PKI is a set of hardware, software, policies and cryptographic procedures used by e-signing platforms and their (Q)TSPs to create and validate digital signatures (AdES and QES). PKI technologies enable the creation, management, use, storage and revocation of digital certificates, as well as of the public and private keys used for digital signatures. The (Q)TSP verifies the identity of the signatory and issues a digital certificate (or, in the case of QES, a qualified certificate) confirming their name (or pseudonym) and linking the signatory’s identity to their public key. The public key is uniquely associated with the private key, which the signatory uses to digitally sign a document on an e-signing platform. The digital certificate is embedded into the digital signature and provided to the recipient, who uses the public key (taken from the certificate) to identify the signatory and validate the signature using Adobe Acrobat or Reader. This provides a higher level of assurance than an electronic signature as to the authenticity and integrity of an electronic document.
Disclaimer: Information in this document is intended to help businesses understand the legal framework of electronic signatures. However, Adobe cannot provide legal advice. You should consult an attorney regarding your specific legal questions. Laws and regulations change frequently, and this information may not be current or accurate. To the maximum extent permitted by law, Adobe provides this material on an "as-is" basis. Adobe disclaims and makes no representation or warranty of any kind with respect to this material, express, implied or statutory, including representations, guarantees or warranties of merchantability, fitness for a particular purpose, or accuracy.