Qualified electronic signatures (QES) are digital signatures that enable organisations within the European Union (EU) and the UK to sign documents digitally, securely and, most importantly, with full legal effect.
A QES, backed by UK and EU legislation and by a supervised network of trust service providers, enables financial services, professional services and other organisations to trade online confident that documents signed within the QES framework are legally enforceable.
Why are qualified electronic signatures needed?
There were two original drivers for a QES framework:
- Legitimising and unifying the validity of digital signatures across the then (pre-Brexit) 28 member states. Not all member states were as digital as others, adding a layer of complexity and cost to cross-border transactions.
- Creating the legal and technical infrastructure ensuring electronic transactions are treated the same as hardcopy transactions via mail and fax. This required a secure framework for digital signatures to be legally, technically and securely appended to digital documents confirming transactions.
The whole point was ultimately confidence and redress. Organisations could sign an agreement with another party electronically and be confident that agreement was legally executed and could be recognised by and enforced in a court of law if a dispute arose.
What is the legislation and technology behind QES?
In 2014 the EU adopted Regulation (EU) No 910/2014, known as the electronic IDentification, Authentication and trust Services (eIDAS) Regulation; most of its provisions applied from July 2016. To be a qualified electronic signature under eIDAS, a signature must first meet the requirements of an advanced electronic signature:
- It is uniquely linked to the signatory, and the signatory can be identified from it
- It is created using signature-creation data (the private key, see below) that the signatory can use under their sole control
- It is linked to the signed data in such a way that any subsequent change to that data is detectable
- If the signed data has been altered after signing, the signature no longer verifies and is treated as invalid.
Next, a QES must be created by a qualified signature creation device (QSCD): hardware or software, certified against the requirements of the Regulation, that generates and protects the private key so that it cannot be extracted or used by anyone other than the signatory. The QSCD may be held by the signatory (for example a smart card or USB token) or operated remotely on the signatory's behalf by a qualified trust service provider (QTSP), which could be a financial services or telecoms organisation, or a business dedicated to trust services. There are just under 600 eIDAS-regulated trust service providers across the EU.
The European Telecommunications Standards Institute (ETSI) defines the signature formats in which a QES is implemented and which trust service providers must support, the three main ones being CAdES (CMS-based), XAdES (XML) and PAdES (PDF). A qualified certificate is not the public key itself: it is a certificate issued by a QTSP that binds the signatory's public key to their verified identity, which is what lets a relying party check who signed and that the signed data is intact. To use QES, a signatory therefore needs a QSCD (their own, or one operated by a QTSP) and a qualified certificate issued to them by a QTSP; the certificate is issued to the signatory and reused across transactions, not obtained anew for each one.
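The properties listed above (a signature bound to an identified signatory through a certificate, created with a key only the signatory controls, and detecting any later change to the signed data) are those of an ordinary digital signature; what makes one "qualified" is who issued the certificate, the device that holds the key and the supervision regime, not a different algorithm. The Go program below is an added illustration written for this page, not code from Bonafidee or from any trust service provider. It assumes a self-signed certificate standing in for a QTSP-issued qualified certificate, an ECDSA P-256 key standing in for one held in a QSCD, and a constructed sample document; the `Signer`, `NewSigner`, `Sign` and `Verify` names are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer holds the signatory's private key (in a real QES this never leaves
// the QSCD) and the certificate that binds the matching public key to the
// signatory's identity. Hypothetical type for this example.
type Signer struct {
	priv *ecdsa.PrivateKey
	Cert *x509.Certificate
}

// NewSigner generates a P-256 key pair and a self-signed certificate naming
// commonName. A qualified certificate would instead be issued by a QTSP after
// identity verification; self-signing is an assumption made to keep this
// example offline.
func NewSigner(commonName string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: commonName},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{priv: priv, Cert: cert}, nil
}

// Sign hashes the document with SHA-256 and signs the digest with the private
// key, returning an ASN.1 DER-encoded ECDSA signature.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify checks sig over doc against the public key carried in cert. It is
// true only if doc is byte-for-byte what the holder of cert's key signed, so
// any later change to the signed data, or a signature made with someone
// else's key, is detected.
func Verify(cert *x509.Certificate, doc, sig []byte) bool {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	alice, err := NewSigner("Alice Example")
	if err != nil {
		panic(err)
	}
	// Constructed sample document for the demonstration.
	doc := []byte("Supply agreement: 1,000 units at EUR 12.50")
	sig, err := alice.Sign(doc)
	if err != nil {
		panic(err)
	}
	fmt.Println("signatory:", alice.Cert.Subject.CommonName)
	fmt.Println("original verifies:", Verify(alice.Cert, doc, sig))

	// Change the price after signing: the signature no longer verifies.
	tampered := append([]byte{}, doc...)
	tampered[len(tampered)-1] = '9'
	fmt.Println("tampered verifies:", Verify(alice.Cert, tampered, sig))

	// A signature only verifies against the certificate of the key that made it.
	mallory, _ := NewSigner("Mallory")
	fmt.Println("verifies with another party's cert:", Verify(mallory.Cert, doc, sig))
}
```

In practice a relying party also checks the certificate itself: that it chains to a QTSP on the relevant trusted list, was valid and unrevoked at signing time, and carries the qualified-certificate statements; this example covers only the cryptographic part of that check.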
Do QES and eIDAS still work post-Brexit?
When the UK left the EU, much of the EU legislation was incorporated into UK law through the European Union (Withdrawal) Act 2018. The resulting UK eIDAS Regulations, according to the Information Commissioner's Office (ICO), set out the UK legal framework for UK trust service providers and continue to recognise EU qualified trust services in the UK. Recognition is not automatic in the other direction: UK providers are no longer on the EU trusted lists, so a signature that is qualified under UK eIDAS is not automatically treated as a QES in an EU member state.
QES is an essential component of digital transactions in the EU, requiring signatories to hold a qualified certificate from a QTSP and to sign with a QSCD. It remains relevant for UK organisations with EU-based counterparties, which should check whose qualified status the counterparty's jurisdiction recognises before relying on a signature.
Bonafidee's digital engagement platform enables organisations and individuals to engage online in a safe, compliant and fully evidenceable way. To find out more about digital signature and customer verification solutions, download our guide or contact our team.