eIDAS Auditors – Simple and advanced remote signature

eIDAS and the classification of remote signature: can it be simple or advanced signature?

Introduction to eIDAS and electronic signature

The eIDAS Regulation (Regulation (EU) No. 910/2014) establishes the legal framework for electronic identification and trust services in the European Union. It aims to ensure the legal validity of electronic transactions and provide a homogeneous framework for all member countries. Among the trust services regulated by eIDAS, the electronic signature plays a fundamental role, as it allows authenticating digital documents with legal guarantees.

Within the eIDAS framework, there are three levels of electronic signature: simple signature, advanced signature and qualified signature. Each of these has different requirements and security levels, which influences their validity and application in different legal and business contexts. In this article we will explore how a remote signature solution can fit into these levels and what conditions it must meet to be considered an advanced signature.

What is a remote signature?

A remote signature is one in which the signer does not need to hold the digital certificate on their own device; instead, it is hosted on a secure server and used in a controlled manner. This type of signature has become popular in cloud-based electronic signature services, allowing users to sign documents from any location with an Internet connection.

Remote signature solutions can be implemented with different levels of security and authentication, which affects their classification within the eIDAS framework. Depending on how the solution is designed, a remote signature could be considered as a simple signature or an advanced signature.

Simple signature in remote signature solutions

The simple electronic signature is the most basic level defined by eIDAS. It is any data in electronic format that is attached to or logically associated with other electronic data and used as a means of authentication. Its main characteristic is the absence of rigorous technical requirements, which makes it easy to implement, but also less secure and with less probative value in the event of legal disputes.

Examples of simple electronic signatures in remote signature solutions include:

  • Signing by entering a name on a digital form.
  • Acceptance of terms and conditions by clicking on an “I agree” button.
  • Signing with an OTP (One-Time Password) code sent by SMS or e-mail.

While these signatures may be sufficient for certain internal procedures or agreements, they do not necessarily guarantee the integrity of the document or the identity of the signatory in a robust manner. In many cases, a simple signature could be legally challenged more easily than an advanced or qualified signature.

Advanced signature in remote signature solutions

The advanced electronic signature, according to eIDAS, must meet the following requirements:

  1. Be uniquely linked to the signatory.
  2. Allow identification of the signatory.
  3. Have been created using means under the sole control of the signatory.
  4. Be linked to the signed data in such a way that any subsequent modification is detectable.

For a remote signature solution to meet these requirements and be considered an advanced signature, it must implement additional security and authentication controls, such as:

  • Use of digital certificates issued in the signatory’s name.
  • Strong biometric or multi-factor authentication (MFA).
  • Generation of signature keys in secure and controlled environments, such as HSM (Hardware Security Module).
  • Recording of electronic evidence that certifies the signature and the process used.

Examples of remote signature solutions that can be considered advanced signatures include:

  • Electronic signatures made with a digital certificate stored in an HSM and accessible through multi-factor authentication.
  • Identity-verified signatures through a KYC (Know Your Customer) process that authenticates the user’s identity before allowing the signature.
  • Signatures that use biometric data, such as facial verification or fingerprint, to ensure that only the authorized signer can execute them.
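One way a remote signing service could gate use of the HSM-held key so that it stays under the signatory's control, shown as an added example that is not code from the original article or from any product: after multi-factor authentication the service issues a short-lived, single-use activation token bound to the signer, the key and the digest of one document, and checks it before every signing operation. All names (`issue_activation`, `authorize_signing`, `SERVER_KEY`, the token layout and the 120-second lifetime) are assumptions made for illustration, and the factor labels stand for factors already verified upstream.

```python
import hashlib, hmac, json, secrets, time

SERVER_KEY = secrets.token_bytes(32)  # constructed; stands in for a key held by the signing service
TOKEN_TTL = 120                       # seconds, assumed lifetime of an activation token
_used_nonces = set()                  # single-use tracking (in memory for the example)

def doc_digest(document: bytes) -> str:
    return hashlib.sha256(document).hexdigest()

def _tag(body: str) -> str:
    return hmac.new(SERVER_KEY, body.encode(), hashlib.sha256).hexdigest()

def issue_activation(signer_id, key_id, document, factors, now=None):
    """Issue a token authorizing ONE signature over ONE document, after MFA."""
    if len(set(factors)) < 2:  # an OTP alone is a single factor
        raise PermissionError("multi-factor authentication required")
    now = time.time() if now is None else now
    claims = {"signer": signer_id, "key": key_id,
              "digest": doc_digest(document),
              "exp": int(now) + TOKEN_TTL, "nonce": secrets.token_hex(8)}
    body = json.dumps(claims, sort_keys=True)
    return body + "." + _tag(body)

def authorize_signing(token, signer_id, key_id, document, now=None):
    """Decide whether the HSM may sign; returns (allowed, reason)."""
    body, _, tag = token.rpartition(".")
    if not hmac.compare_digest(tag.encode(), _tag(body).encode()):
        return False, "token forged or altered"
    claims = json.loads(body)  # parsed only after the MAC check
    now = time.time() if now is None else now
    if now > claims["exp"]:
        return False, "token expired"
    if claims["signer"] != signer_id or claims["key"] != key_id:
        return False, "token issued for another signer or key"
    if claims["digest"] != doc_digest(document):
        return False, "token issued for a different document"
    if claims["nonce"] in _used_nonces:
        return False, "token already used"
    _used_nonces.add(claims["nonce"])
    return True, "ok"
```

A token obtained for one document cannot be replayed to sign another, which is the property an OTP that merely confirms "the user approved something" does not provide.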

Key differences between simple and advanced signatures in remote environments

| Feature | Simple Signature | Advanced Signature |
|---|---|---|
| Identification of the signatory | Not guaranteed | Guaranteed by sound methods |
| Exclusive control of the signatory | Can be shared or unsecured | Strong authentication required |
| Document integrity | Not always ensured | Secured by cryptographic mechanisms |
| Legal admissibility | Limited, easily challenged | High, with strong probative value |

Conclusion

Remote signature solutions can be classified as simple or advanced signatures depending on how they are implemented. While a simple signature can be useful in low-risk situations, advanced signatures offer greater security and legal value, complying with the requirements demanded by eIDAS.

For organizations that need to guarantee the legal validity of their electronically signed documents, it is advisable to opt for remote signature solutions that implement robust authentication mechanisms and secure technologies. This not only improves security and confidence in the signing process, but also ensures its acceptance in legal and administrative procedures.