MHC Tech Law: The EU’s new rules on electronic identification and e-signatures


16 May 2016

Mason Hayes & Curran explains the new EU regulation for electronic identification and e-signatures coming into effect this summer.

On 1 July 2016, a new EU Regulation establishing electronic identification and trust services for electronic transactions – the eIDAS Regulation – kicks in.

This will repeal Directive 1999/93/EC (the E-signatures Directive), which provided an EU framework for electronic signatures, or e-signatures and has been in force in Ireland via the Electronic Commerce Act in 2000.

Unlike the E-signatures Directive, which had to be implemented in national law (such as the 2000 Act), the eIDAS Regulation directly applies across all EU Member States and does not require national law to implement it. As a result, the eIDAS Regulation aims to provide a harmonised regulatory environment to enable secure and seamless electronic interactions between businesses, citizens and public authorities.

The aim is to encourage user convenience, trust, and confidence in digital transactions and interactions. In short, the eIDAS Regulation will provide clearer, stronger rules for the supervision of e-signatures and related trust services; and increase security accountability for ‘trust service providers’ (those entities that create, verify and validate e-signatures, seals and certificates).

E-signatures in Ireland

Since the 2000 Act, e-signatures have been legally recognised in Ireland and can be used in most circumstances.

While the 2000 Act recognised both simple and advanced e-signatures, the uptake of the latter was low.

The eIDAS Regulation builds upon the principles of the 2000 Act by introducing a harmonized, EU-wide framework along with addressing new concepts such as electronic-time stamps and electronic identity services.

Mutual recognition

The eIDAS Regulation requires that EU member states recognise and accept any means of electronic identification (eID) issued in another member state, which has been notified to the Commission (“mutual recognition”). Member states may choose to notify all, some or none of the eID schemes used at national level. In other words, while the notification is voluntary, the recognition of notified schemes is mandatory.

Mutual recognition will apply if the notifying member state’s eID scheme meets the European Commission’s conditions of notification. eIDs which have been notified will be published in the Official Journal of the European Union.

Types of E-signatures

The eIDAS Regulation establishes the principle that an e-signature should not be denied legal effect on the grounds that it is in electronic form.

The eIDAS Regulation distinguishes between three levels of e-signature:

  1. Simple e-signatures: These are data in electronic form which are attached to or logically associated with other electronic data and are used for signing purposes, such as typed signatures.
  1. Advanced e-signatures: These are electronic signatures that are uniquely linked to the signatory. They are capable of identifying the signatory and are designed using signature creation data that the signatory can, with a high level of confidence, use under his or her sole control.
  1. Qualified e-signatures: These are electronic signatures created by a qualified electronic creation device and based on a qualified certificate for e-signatures.

Other ‘electronic trust services’ covered by the eIDAS include electronic seals (for companies), electronic time-stamps, electronic documents, certainty of qualified cross-border electronic delivery and website authentication.

Security and supervision

The eIDAS Regulation requires EU member states to designate a supervisory body to oversee qualified trust service providers.

Trust service providers will be required to take appropriate measures to manage the risks posed to the security of the trust services they provide. For example, any significant breach of security must be notified to the relevant national supervisory body within 24 hours. Similarly, if any breach of security is likely to adversely affect a person or company, the trust service provider must notify them without undue delay.

The regulation also introduces an EU ‘Trust Mark’ for qualified trust services. Once a trust service provider has acquired ‘qualified’ status from the national supervisory body, it may use the EU Trust Mark to indicate this status.

Effect of the eIDAS Regulation

The eIDAS Regulation is expected to contribute to boosting cross-border e-commerce within the EU by tackling the current regulatory barriers, and there are practical effects of eIDAS.

Firstly, it will create greater confidence in cross-border, online transactions. This will make activities such as authenticating online transactions, submitting tax declarations or remotely opening a bank account easier and more secure.

Second, electronic documents and signatures that adhere to the eIDAS Regulation will not be denied legal status solely on the grounds that they are in electronic form.

Third, the EU Trust Mark will clearly differentiate qualified trust services from other trust services, fostering confidence in essential online services.

Finally, increased supervision of and the increased security requirements imposed upon qualified trust providers will boost public confidence in the services they offer, thereby increasing e-commerce.

The content of this article is provided for information purposes only and does not constitute legal or other advice.

Tech Law is a weekly series brought to you by Irish law firm Mason Hayes & Curran, whose legal tech team advises the world’s top social media organisations and emerging start-ups. Check out www.mhc.ie for more.

Electronic signature image via Shutterstock