What Is eIDAS & What Do You Need to Know?
While electronic signatures have been a key and trusted part of business transactions for over two decades now, eSigning wouldn’t be possible without security and trust, and regulation of the former. If you work with clients, customers, or colleagues in the 27 countries of the European Union, or in the few non-EU states that participate in the union’s single market, you’ve likely run into or heard of Electronic Identification and Trust Services (eIDAS) when signing contracts or agreements electronically.
But what exactly is eIDAS, and what do you need to know about it as an enterprise operating in an EU country or working with clients or customers who operate in the EU? Electronic Identification and Trust Services essentially provide a common set of guidelines and regulations for secure electronic transactions among businesses, individuals, and public entities across EU borders. Let’s take a closer look at how it works and what you need to know about eIDAS.
History and current status of eIDAS
Electronic Identification and Trust Services regulations grew out of older guidance, Directive 1999/93/EC, which set goals for eSigning initiatives in Europe. The first nation to adopt digital signatures and identification was Estonia in 2002, followed by Latvia four years later. Those two Baltic states’ experiences with electronic transactions helped inform the creation of the eIDAS regulations recognized throughout the EU today.
Adopted by the General Affairs Council in July 2014, Electronic Identification and Trust Services replaced any and all eSignature directives and eliminated inconsistencies in digital signature laws across Europe. eIDAS went into full force July 1, 2016 and mandates mutual recognition of electronic identities (or eIDs) across EU member and single market participating countries. eIDAS mandates that any digital transactions conducted in an EU member state must be recognized by all other EU states as of September 29, 2018.
Electronic Identification and Trust Services provide for secure electronic transactions throughout the EU, ensuring that businesses, public agencies, and private individuals need no longer rely on in-person meetings, mail, or facsimiles in order to conduct business or sign documents.
The law regulates not only electronic signatures but all electronic transactions and their embedding processes, providing standards for eSignatures, digital certificates, timestamps, electronic seals, and other mediums for electronic transaction authentication.
What is Electronic Identification and Trust Services (eIDAS)?
Designed to promote the effectiveness and efficiency of online services, e-businesses, and electronic commerce in the EU, eIDAS regulates authentication, signature seals, registered delivery services, and time stamps throughout member countries.
What is the eIDAS level of assurance?
Electronic Identification and Trust Services provide three levels of assurance for identification protocols that reflect the likely legal value of the eSignature: low, substantial, and high. Those levels of assurance are defined as follows:
- Low Assurance offers limited confidence in the signer’s identity and may only prove ownership of an email address.
- Substantial Assurance provides a higher degree of confidence in the signer’s claimed identity and requires proof not only that the signer owns an email address but also of the signer’s identity.
- High Assurance supplies a high degree of confidence in a signer’s claimed identity by not only proving their identity but also proving the signer represents a particular organization.
Key elements of eIDAS
If you or your business use eSignatures for identity verification and electronic transactions and you operate in the EU, it is critically important that you comply with eIDAS regulations. That means making sure the eSignature platform you’re using passes eIDAS qualifications by creating electronic signatures using a Digital Certificate purchased from a so-called “trusted services provider.”
Electronic Identification and Trust Services (eIDAS) Regulations
That trusted services provider or Certificate Authority must meet a series of Electronic Identification and Trust Services regulations:
- Verification of the identity of the individual for whom the certificate will be issued. For all but “low assurance” levels of identification, this requires that individual to be physically present.
- Notification of a supervisory authority of any changes in the trusted service provider or intent to revoke certificates.
- Training of staff in best practices for data security.
- Ability to securely store data and certificates and avoid potential forgery or theft.
- Maintenance of certificate data even after revocation of a certificate for reference purposes.
What countries are included under eIDAS guidance?
Not all of Europe falls under eIDAS guidance. It applies in the following countries:
- Bulgaria
- Croatia
- Cyprus
- Czech Republic
- Denmark
- Estonia
- Finland
- France
- Germany
- Greece
- Hungary
- Iceland
- Ireland
- Italy
- Latvia
- Liechtenstein
- Lithuania
- Luxembourg
- Malta
- Netherlands
- Norway
- Poland
- Portugal
- Romania
- Slovakia
- Slovenia
- Spain
- Sweden
- United Kingdom
Are there exceptions to the eIDAS law?
There are a few cases where eSignatures are not legally binding under eIDAS regulations. Those include the following:
- Documents related to family law and inheritance, such as separation agreements or last wills and testaments
- Legal actions or documents requiring notarization or court authorization
- Legal documents for securing a property guarantee for bail
- Instances where a special law forbids eSigning
Benefits of the eIDAS law
eIDAS law has governed electronic transactions in the EU for more than 15 years and provides the following benefits to businesses, public agencies, and individuals engaged in online transactions or electronic document sharing and signing:
- Ensures cross-border electronic transactions are secure and trustworthy
- Provides transparency and standardization across markets in the EU
- Establishes accountability in the digital space
- Reduces the need for and use of paper when citizens are moving to new EU member states
- Reduces paper processes for businesses, thus decreasing overhead and increasing profitability
- Provides for more convenient and flexible public and government services
Thanks to eIDAS, the EU possesses a solid legal framework to allow individuals, businesses, and public entities to safely and securely access online services and carry out online transactions. In fact, the law is responsible for our ability to do everything from remotely opening a bank account to authenticating online payments.
Challenges of the eIDAS law
While a recent study conducted by the European Union indicated that 90% of responding business owners believe eIDAS provides them an opportunity to grow their business, the eIDAS regulations are not without challenges. Both citizens and organizations may lack understanding of what trust in electronic transactions is and why it’s important.
While eIDAS is designed to create trust, establish its importance, and regulate standards of trust, the law is not always easy to understand. That makes it critical for businesses, entities, and individuals who conduct electronic transactions to work with an electronic document and eSigning partner that has expertise in the law as well as the ability to monitor and implement compliance updates. Currently, the number of trust services providers is somewhat limited and many are not eIDAS compliant.
The EU has also made efforts more recently to do a better job of explaining eIDAS’ significance and how it works through the go.eIDAS campaign.
eSign securely with Nitro
Electronic Identification and Trust Services regulations can be challenging to interpret since they were drafted to avoid giving preference to any one type of technology or validation process for electronic documents. That’s why it’s so important that you work with eSigning tools you can trust.
At Nitro, we regularly validate and test our compliance to provide assurance of our trustworthiness and adherence to industry standards. While eIDAS laws and other standards may change, you can rely on NitroSign® to stay abreast of regulations and maintain compliance. We routinely test our controls and compliance with the help of independent third-party auditors.