Advanced and qualified electronic signatures are electronic signatures that comply with Regulation (EU) No 910/2014 (eIDAS) on electronic identification and trust services for electronic transactions in the internal market. They enable long-term verification of electronic signatures. Today we explain the difference between qualified and advanced electronic signatures, both in legal status and in technical requirements.
For an electronic signature to be considered an advanced or qualified electronic signature, three main requirements must be met.
- First, the signature must be linked to the signatory and identify them uniquely.
- Secondly, the data used to create the signature must be under the signatory's sole control.
- Finally, it must be possible to detect whether the data to which the signature is attached has been altered since the message was signed.
An advanced electronic signature that is based on a qualified digital certificate and created by a qualified signature creation device (QSCD) is a qualified electronic signature. The qualified certificate is what distinguishes the qualified electronic signature from the advanced one. It is issued by a qualified trust service provider and attests that the electronic signature is authentic, so that it serves as proof of the signatory's identity.
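The following Go program is an added example, not code from the original post and not an eIDAS-conformant implementation; it shows the three requirements above and the role of the certificate in miniature. A self-signed root stands in for a trust service provider on the trusted list, it issues a certificate to a constructed signer ("Alice Example"), the signer produces a detached ECDSA signature over a document, and the verifier accepts the original but rejects both an altered copy of the document and a certificate issued by a CA that is not in the trust pool. All names, the document text and the key choice are assumptions; a real qualified signature would use one of the ETSI AdES formats and a key held in a QSCD.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must aborts on setup errors (key generation, DER encoding) that do not occur in practice.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// SignedDocument: document, detached ECDSA signature over its SHA-256 digest, signer's DER
// certificate. A constructed layout, not one of the ETSI AdES formats.
type SignedDocument struct {
	Document, Signature, CertDER []byte
}

// certTemplate is valid for one day; isCA marks a root standing in for a listed trust service provider.
func certTemplate(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	if isCA {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	return t
}

// newCA creates a self-signed root (constructed; not a real QTSP).
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := certTemplate(1, name, true)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueCert binds a name to a public key under ca (requirement 1: unique identification of the signatory).
func issueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, serial int64, name string, pub *ecdsa.PublicKey) []byte {
	return must(x509.CreateCertificate(rand.Reader, certTemplate(serial, name, false), ca, pub, caKey))
}

// sign creates the detached signature; only the key holder can (requirement 2: sole control,
// which a QSCD enforces by keeping the key in tamper-resistant hardware).
func sign(doc []byte, key *ecdsa.PrivateKey, certDER []byte) (SignedDocument, error) {
	digest := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	return SignedDocument{Document: doc, Signature: sig, CertDER: certDER}, err
}

// verify checks that the certificate chains to a trusted root and that the signature matches
// the document as presented (requirement 3: any change after signing is detected).
func verify(sd SignedDocument, roots *x509.CertPool) (string, error) {
	cert, err := x509.ParseCertificate(sd.CertDER)
	if err != nil {
		return "", err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	digest := sha256.Sum256(sd.Document)
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sd.Signature) {
		return "", fmt.Errorf("signature does not match document")
	}
	return cert.Subject.CommonName, nil
}

// runScenario: a trusted root issues a certificate to a constructed signer, who signs a document;
// the original, a tampered copy and a signature under an unlisted CA's certificate are verified.
func runScenario() (signer string, tamperErr, untrustedErr error) {
	ca, caKey := newCA("Example QTSP Root (constructed)")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	signerKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	doc := []byte("Constructed contract: Alice agrees to pay 100 EUR.")
	sd := must(sign(doc, signerKey, issueCert(ca, caKey, 2, "Alice Example (constructed)", &signerKey.PublicKey)))
	signer = must(verify(sd, roots))
	tampered := SignedDocument{[]byte("Constructed contract: Alice agrees to pay 1000 EUR."), sd.Signature, sd.CertDER}
	_, tamperErr = verify(tampered, roots)
	rogueCA, rogueKey := newCA("Unlisted CA (constructed)") // absent from roots, so it cannot vouch for anyone
	rogue := must(sign(doc, signerKey, issueCert(rogueCA, rogueKey, 3, "Alice Example (constructed)", &signerKey.PublicKey)))
	_, untrustedErr = verify(rogue, roots)
	return signer, tamperErr, untrustedErr
}
```

Calling `runScenario()` returns the verified name for the untouched document and a non-nil error for each of the two rejected cases. The verifier deliberately checks the certificate chain before the signature: a mathematically valid signature under a certificate that no listed provider issued says nothing about who signed, which is why the trusted list matters as much as the cryptography.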
eIDAS requires that no electronic signature be denied legal effect or admissibility as evidence solely on the ground that it is in electronic form or does not meet the requirements for qualified electronic signatures. However, the qualified electronic signature has the same legal effect as a handwritten signature, and therefore a higher probative value in court. All EU Member States must recognize a qualified electronic signature as valid as long as it has been created with a qualified certificate issued in another Member State under the eIDAS Regulation. In addition, public services in Member States are prohibited from requesting a signature of a higher level than a qualified electronic signature.
As mentioned above, generating a qualified electronic signature takes more than simply adding a qualified certificate to an advanced electronic signature: the signature must be created using a qualified signature creation device (QSCD). This device secures qualified electronic signatures with dedicated hardware and software that ensure the private keys are controlled by the signatory alone.
In addition, a qualified trust service provider manages the generated signature data. The creation of signature data must remain unique, confidential and protected from forgery. Qualified electronic signatures that comply with eIDAS can be technically implemented through three digital signature standards developed by the European Telecommunications Standards Institute (ETSI): XAdES (for XML), PAdES (for PDF) and CAdES (for CMS).
These then need to be complemented by a qualified digital certificate through the procedures described above.
The qualified trust service provider plays an important role in the process of qualified electronic signing. A trust service provider must obtain qualified status from a governmental supervisory body, which allows the entity to provide qualified trust services for the creation of qualified electronic signatures. The European Union has compiled an EU trusted list, with the legal effect that a provider or service is qualified only if it appears on that list.
Qualified trust service providers must comply with the strict guidelines laid down for the certificate creation process. The service provider must provide a valid time and date for the creation of certificates. Signatures whose certificates have expired must be revoked immediately.
Personnel employed by the qualified trust service provider must be adequately trained. The service provider's software and hardware must be trustworthy and capable of preventing forgery of certificates.
Under eIDAS, qualified electronic signatures serve several purposes, such as facilitating business and public-service processes, including cross-border ones.
With electronic signing under eIDAS, these processes can be accelerated safely. EU Member States have set up Single Contact Points for Trust Services to ensure that electronic ID schemes can be used in cross-border public-sector actions, such as exchanging and accessing cross-border healthcare information.
Previously, a signatory would sign a document or message and then return it to the intended recipient by post, by fax, by hand, or by scanning it and attaching it to an email.
The problem with these practices is that they are not always fully secure (for example, a man-in-the-middle attack). Long delivery delays can occur, and there is a chance that signatures could be forged or that the original documents could be altered. The risks grow when multiple signatures are needed from different people who may be located in multiple places.
These fundamental problems are mitigated by qualified electronic signatures, which are legally valid and provide a higher level of technical security. Instead of relying on traditional methods, users can now perform cross-border transactions, such as "1-Click" payment services.
Blog post by Dr. Ulrich Scholten
About the author
Ulrich Scholten is an internationally active entrepreneur and scientist. He holds a PhD in information technology and owns several patents on cloud-based sensors. His research on cloud computing is regularly published in highly rated journals and conference papers. From 2008 to 2015, he was an associate research scientist at the Karlsruhe Service Research Institute (KSRI), a partnership between KIT and IBM, where he researched network effects around web platforms together with SAP Research.