It is not entirely unknown among legal and compliance personnel within larger enterprises and government entities where the regulation affects the daily routine. However, eIDAS is not so well known among everyday employees outside these circles – the people that the regulation was designed to protect and make life easier for. There have been few attempts to make eIDAS better known in these circles but the seeming complexity of the regulation often proves to be a hindrance. The technicality of the regulation also makes it difficult for end-users to fully grasp what it’s all about.
So what exactly is eIDAS and what difference does it make to business processes?
eIDAS provides clear guidance for digital business processes, including the use of e-signatures. It is broader than the directive it has replaced and emphasises removing any ambiguity that could unduly disrupt the business process. For example, to facilitate the recognition of e-identities across borders, eIDAS defines different identity assurance levels and obliges each member state to accept e-identities issued by another member state, provided that the e-identity meets the assurance level required for access to the service in question.
Electronic signatures are also a focus of eIDAS. For many organisations seeking to deliver business via online and mobile channels, electronic signatures are the final piece of the digital transformation puzzle. From managing security challenges to the need to improve the customer experience, electronic signatures are underpinning the digital revolution, facilitating more seamless transactions across the world.
eIDAS provides three types of e-signature to satisfy the varying levels of risk associated with digital transactions – Electronic Signature, Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES). These types are meant to enforce security measures to protect company and customer data while ensuring compliance with regulations. The challenge then lies in enabling a seamless user experience to attract more customers, and to do so in a manner that ensures that digital transactions are legal and secure at all times.
The approach to all three is explicitly technology-neutral. The regulation does not stipulate that any specific technology must be used, rather that the signature component must meet certain criteria:
An Electronic Signature must be applied by the person associated with the signature in a way that demonstrates intent. Furthermore, the signature must be associated with the document or data that the signer intended to sign.
An AES adds to the Electronic Signature and must identify the signer and be uniquely linked to and under the sole control of the signer, as well as detect changes to the document or data after the application of the AES.
A QES builds on an AES and must also be created using a qualified signature creation device like a smart card and supported by a qualified certificate that is issued to the signer in a form he or she can keep under his or her control.
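To make the AES criteria concrete, the following is an added example (not code from the article or from eSignLive by VASCO) showing how a standards-based digital signature satisfies them: the private key stays under the signer's sole control, the public key uniquely links the signature to that signer, and any change to the signed document after signing causes verification to fail. It assumes ECDSA over P-256 with SHA-256 and uses a constructed contract string; in a real deployment the public key would be bound to the signer by a certificate, which is the part a QES additionally requires to be qualified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Signer holds a key pair. The private key never leaves this struct, which is
// what "under the sole control of the signer" means in practice; only the
// public key is handed to verifiers.
type Signer struct {
	Name string
	priv *ecdsa.PrivateKey
}

// NewSigner generates a fresh P-256 key pair for the named signer.
func NewSigner(name string) (*Signer, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Signer{Name: name, priv: priv}, nil
}

// Public returns the key a verifier uses to check this signer's signatures.
func (s *Signer) Public() *ecdsa.PublicKey {
	return &s.priv.PublicKey
}

// Sign hashes the document and signs the digest. The signature is therefore
// tied to the exact bytes the signer saw.
func (s *Signer) Sign(doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, s.priv, digest[:])
}

// Verify re-hashes the presented document and checks the signature against the
// signer's public key. It returns false if the document was altered after
// signing or if the signature was produced by a different key.
func Verify(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	// Constructed sample document; not a real contract.
	contract := []byte("Service agreement: monthly fee 100 EUR, term 12 months")

	alice, err := NewSigner("alice")
	if err != nil {
		panic(err)
	}
	sig, err := alice.Sign(contract)
	if err != nil {
		panic(err)
	}

	fmt.Println("original verifies:", Verify(alice.Public(), contract, sig))

	// Change one digit after signing: the AES must detect this.
	tampered := []byte("Service agreement: monthly fee 1000 EUR, term 12 months")
	fmt.Println("tampered verifies:", Verify(alice.Public(), tampered, sig))

	// A different signer's key cannot claim Alice's signature.
	bob, _ := NewSigner("bob")
	fmt.Println("verifies under bob's key:", Verify(bob.Public(), contract, sig))
}
```

The tamper check is the property that matters most in a dispute: because the signature covers a hash of the whole document, even a one-character change invalidates it, and the verifier needs nothing from the signer beyond the public key to establish that.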
When evaluating an e-signature solution and choosing the optimal e-signature type, it’s important to take the time to look at your business processes and determine the level of risk.
For some high risk, high-value transactions such as money transfers, it may make sense to implement the QES. Companies should look for a solution that uses standards-based digital signatures and can support the necessary certificates – not all solutions can do so and if not, they can’t be used immediately without some hard coding. Out-of-the-box readiness is one of the must-haves that will ensure you can implement e-signatures today rather than waiting for the vendor to deliver on future development plans.
For more routine and common signing use cases, such as contracts, agreements and onboarding documents, the AES may be the appropriate choice. If you decide to go with the latter, be sure to evaluate whether the vendor’s solution provides detailed audit trails to support you in the event of a legal dispute. Some solutions in the market are stingy on the details so do your due diligence and ensure your legal and compliance teams are part of the evaluation and selection process.
Whatever digital solution businesses choose, it’s important to strike a balance between customer experience and security. Use of a QES may present a lower risk for certain transactions, but it does so at the expense of customer experience. In turn, a cumbersome customer experience may result in low adoption when used for broader, high-volume business and government transactions. It’s important to select the type of e-signature that best meets organisational and customer needs.
We cannot talk about a new EU regulation and not mention Brexit. With regards to Brexit and eIDAS, the simple answer is that the UK already has an electronic signature law in place that it will continue to use. The UK’s law is aligned with the different eIDAS signature requirements so there will be no issue with cross-border transactions between the UK and EU member states.
eIDAS is a major step on a long road towards improving digital business processes across the world. As technology catches up with the desire to move more processes online, organisations will need the safeguards and structures to make sure that they can continue to do business without any undue inhibitions.
By removing the existing barriers to doing business online, we can continue to make huge strides towards improving efficiency, enhancing the user experience and reaping the good rewards we all want to see.
Michael Laurie, vice president product strategy, eSignLive by VASCO.