Legality in the EU
SigniFlow was developed with compliance at its core. We utilize state-of-the-art digital cryptographic signature technology that allows you and your customers to sign documents remotely and securely, with the sound knowledge that you are signing with legally binding, enforceable signatures.
SigniFlow offers both advanced and qualified signatures, as per EU regulation No 910 (eIDAS).
Let us advise you on how best to approach e-signatures and meet all legal requirements.
If you have questions that are not answered in the FAQs below, please
We use qualified or advanced electronic signatures, as defined under eIDAS regulations.
SigniFlow was developed with compliance at its core. We utilize state-of-the-art digital cryptographic signature technology that allows you and your customers to sign documents remotely and securely, with the sound knowledge that these will be legally binding. Our solution is compliant with ECT (South Africa), eSign (US), eIDAS (Europe), among others.
Contact us to learn more about your region.
eIDAS stands for electronic identification, authentication and trust services.
It refers to the EU Regulation adopted on 23 July 2014 and is a set of standards for electronic identification and trust services for electronic transactions in the European single market.
This is explained in Article 25 of the regulation, which confirms all types of e-signatures can be submitted as evidence in a court of law. Furthermore, eIDAS classifies e-signatures into three types: basic electronic signatures, advanced electronic signatures and qualified electronic signatures. Qualified electronic signatures are the legal equivalent of handwritten signatures.
There is a wide range of basic electronic signatures, most commonly scanned wet-ink signatures, but other instances include:
- A scanned PDF, where there is no original copy and both parties have signed with wet ink.
- A tick-box that indicates agreement to or acceptance of a stated clause/terms and conditions.
- Many document signing solution providers without core cryptography use basic electronic signatures in combination with an audit trail on their platform, to give extra weight to these types of signatures.
The requirements for advanced electronic signatures are defined in Article 26.
It’s important to note that eIDAS doesn’t define the method for achieving these requirements.
X.509 certificates are most commonly used to achieve this requirement. We decided to take some extra compliance assurances when meeting this requirement to ensure that our advanced e-signatures are always seen as the legal equivalent of a handwritten signature in a court of law.
• We make sure we validate the identity of the signer by using one of our identification methods or by using a public certificate authority to verify the identity.
• We always use a public certificate authority that is included on the Adobe Approved Trust List (AATL) and therefore audited, to ensure the trust marks are enabled when opening the document in popular programs like Acrobat Reader.
• We timestamp the document by using a certified timestamp authority to ensure the long-term validation of a document as well as non-repudiation in a court of law.
• We make sure that our certificates are stored on hardware security modules (EAL4+ and FIPS level 140-3+), protecting the private key, which can only be accessed by the user after strong authentication.
• We provide a complete timestamped audit trail detailing all the events (viewed, approved, signed, …) that happened to the document.
Here is an example of an advanced signature shown in Adobe Reader.
We’re not aware of any court cases where advanced e-signatures weren’t seen as an equivalent of a handwritten signature. We recommend the use of advanced certificates, especially in cases where qualified signatures aren’t possible.
If we look at the requirements for a qualified signature-creation device in Annex 2 of the eIDAS Regulation, we can conclude that the certificate should be stored on an HSM FIPS Level 3+, and issued and hosted by a qualified trust service provider that is included on the qualified trust service provider (QTSP) list of one of the member states. This means that the company in question is audited and approved to issue these types of certificates.
There are essentially two types of qualified certificates. One is maintained by the government in its eID program, whereby a citizen’s eID holds a qualified certificate and they can sign with their eID using an eID or smartcard reader. The other is issued by a CA that is included on the QTSP list, and will be issued on an HSM FIPS Level 3+, allowing users to sign remotely following strong authentication to that HSM.
Here you can see an example of a qualified e-signature shown in Adobe Reader. This example was signed with a Belgian e-ID card.
We use qualified or advanced electronic signatures as defined under the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016.
These regulations came into force on 22 July 2016 (eIDAS).
The 2002 Electronic Signatures Regulations have been revoked and replaced with a new set of regulations, based on the eIDAS Regulation (Regulation (EU) No 910/2014).
The UK will follow its own local law. The Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 came into effect on 22 July 2016, and are based on eIDAS (Regulation (EU) No 910/2014).
It is important to note that after Brexit comes into being, the UK could review and amend the current legislation.
It is, however, very unlikely that the UK will adopt different regulations to Europe, as it was instrumental in the creation of the eIDAS Regulation.
The eIDAS regulation was created to provide an easier, safer and faster means of doing transactions on digital platforms. It is in the UK’s own interests to stay aligned with European regulations, to promote and simplify transactions between the EU and the UK.
eIDAS is applicable to all the EU member states.
The EU member states include:
Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
Countries inside the European Economic Area (EEA) also chose to adopt the eIDAS Regulation.
The EEA includes EU countries, as well as Iceland, Liechtenstein and Norway. This allows these countries to be part of the EU’s single market.
SigniFlow uses publicly trusted certificate authorities that are included in the Adobe Approved Trust List. All our signatures will show the relevant trust marks in Adobe Reader.