The eIDAS EU regulation is a well-established framework to refer to when conducting business in the EU/EEA, especially when you’re unsure about whether or not your electronic signature would be legally binding in the eyes of the EU/EEA member states.
The eIDAS regulation, formally known as regulation (EU) No 910/2014 on “electronic identification and trust services for electronic transactions”, regulates electronic transactions, including signatures, to provide a safe way for users to conduct business online. eIDAS has in many ways changed the way EU/EEA member states do business with one another, and how companies and users in the EU/EEA interact with each other. The regulation has applied to the EU/EEA member states since 1 July 2016 and by virtue of being a regulation, not a directive, it is directly applicable across the EU without the need for transposition into national legislation.
In this article, we’ll cover:
- How can eIDAS help me do business?
- The levels of electronic signatures according to eIDAS
- ‘Simple’ electronic signature (SES)
- Advanced electronic signature (AdES)
- Qualified electronic signature (QES)
- Seals vs Signatures
- How does the eIDAS regulation apply to the EU/EEA and beyond?
- For which countries is eIDAS applicable?
- Are electronic signatures legally binding in my country?
- eIDAS compliance at Oneflow
- Which types of electronic signatures does Oneflow offer?
- How do electronic signatures in Oneflow comply with the signature levels in the eIDAS regulation?
- Which signature format does Oneflow use?
- What is Signicat and why do I sometimes get redirected to them when I sign with AdES?
- FAQs on signed contracts in Oneflow
- Can I edit the signed contracts?
- My counterparty had signed, but suddenly it looks like the contract is unsigned by the counterparty again. What’s just happened?
- How do I verify that the contract I signed with Oneflow is still valid and securely signed?
- How are electronic seals used in Oneflow?
- How do I ensure that the right person has signed the contract?
- Can I import signed contracts?
How can eIDAS help me do business?
We are strong believers in eIDAS! We think that eIDAS is the most modern and comprehensive signature legislation currently existing in the world. While its comprehensiveness naturally means that not all parts of eIDAS are applicable to or required for all kinds of businesses and organizations, eIDAS continues to spur digital growth in the EU/EEA by:
- Providing a safe and predictable framework regulated by the EU Commission
- Ensuring that electronic interactions between businesses are safer, faster and more efficient, no matter the EU/EEA member state they take place in
- Regulating the technologies and processes for signing documents remotely or for sealing documents, such as contracts
- Protecting businesses against theft, loss, damage or alterations of a document
- Fueling the development of document tracking, exchange, document signing, sealing and identification tools that help businesses to reduce costs, improve customer experience and increase security
Since eIDAS came into full force in 2016, businesses have been realizing its significant benefits, leading to an increasing need for tools that enable conducting business electronically – such as electronic signatures and contract automation platforms.
The levels of electronic signatures according to eIDAS
A core part of eIDAS is the recognition of electronic signatures as a valid form of signatures. This means that no EU/EEA court can dismiss an electronic signature solely because it is in an electronic format.
However, not all signatures are created equal, and the regulation defines three levels of electronic signatures: ‘simple’ electronic signature, advanced electronic signature and qualified electronic signature. The requirements of each level build on the requirements of the level below it, such that a qualified electronic signature meets the most requirements and a ‘simple’ electronic signature the least.
‘Simple’ electronic signature (SES)
A ‘simple’ electronic signature is defined in eIDAS (Article 3) as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
This means that something as simple as clicking a “Sign” or “I accept” button, or responding “I agree” to an email, is considered a valid electronic signature. The same goes for drawing a signature with a mouse on a website or adding an image of a signature to an online document to indicate the signer’s acceptance or approval.
Advanced electronic signature (AdES)
The next level of signature, advanced electronic signature, is a signature that meets additional requirements on security and integrity.
A signature must meet the following requirements to be considered advanced (Article 26):
- it is uniquely linked to the signatory;
- it is capable of identifying the signatory;
- it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
- it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable
This means that the signature is always also a digital signature, most often created using a public key infrastructure (PKI), on top of being an electronic signature. Go here to read more on the difference between digital signatures and electronic signatures.
Qualified electronic signature (QES)
Qualified electronic signatures represent the highest level of electronic signature and are legally considered equivalent to a handwritten signature. In disputes, this means that the signer does not have the burden of proof; rather, it is the challenging party who has the burden to prove the invalidity of the qualified signature.
A qualified electronic signature is an advanced electronic signature that additionally meets the following requirements (Article 3):
- it is created by a qualified signature creation device; and
- it is based on a qualified certificate for electronic signatures.
Qualified signature creation devices are special high security hardware specifically made to perform sensitive cryptographic operations, such as signing. Qualified certificates are special high security PKI certificates issued by a special type of third party that has been vetted, approved and certified by special conformity assessment bodies in accordance with eIDAS (Section 3).
Seals vs Signatures
Article 3 defines ‘electronic seal’ as “data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity”.
The legal framework as well as the technical implementation for seals are in most respects identical to signatures. The main difference between the two is that signatures imply legal intent on behalf of the signatory, which is not the case for seals.
The three levels of signatures, SES, AdES and QES, exist for seals as well and are somewhat confusingly named the same, namely Simple Electronic Seal (SES), Advanced Electronic Seal (AdES) and Qualified Electronic Seal (QES).
How does the eIDAS regulation apply to the EU/EEA and beyond?
For which countries is eIDAS applicable?
eIDAS is an EU regulation, meaning it is applicable in all EU/EEA member states. That is, eIDAS is applicable in all EU member states as well as Iceland, Liechtenstein, Norway, and the United Kingdom. When we talk about EU/EEA member states on this page we refer to all these countries.
Are electronic signatures legally binding in my country?
One of the most frequently asked questions by our users is whether electronic signatures are legally binding in the countries where they operate.
First of all, it’s important to understand that even though the eIDAS regulation sets up a framework to help businesses perform safer transactions in all countries in the “European Single Market” and cross-border within the EU/EEA, the local legislation in each country varies. In many cases, local legislation takes precedence over the eIDAS regulation and, furthermore, legislation is continuously updated.
This means that unless you’re consulting a lawyer specializing in this field of law in the country you’re operating in, anything that you read on the Internet will have a “this is not legal advice” disclaimer to avoid disputes.
Oneflow develops, sells and implements digital contract management and automation systems. As the provider of a SaaS contract automation platform, we, like many electronic signature providers in the industry, are not in any credible position to advise anyone or any business on legal matters.
The only thing we can do is inform you how Oneflow works, how the different levels of signatures are implemented and on which assumptions the system operates. It will always be up to you as the user to ensure that you use the appropriate kind of signature for your kind of document and circumstance.
eIDAS compliance at Oneflow
At Oneflow we are committed to offering electronic signatures that are secure, easy to use, independently verifiable and tamper-proof, all in accordance with the framework set out by eIDAS.
We also want to offer you the kind of signature that best meets your needs and requirements. It’s easy to think that you should always use qualified electronic signatures, as it is the highest level of signature, but that’s not so. With higher levels of signatures come higher cost and higher friction. For this reason it’s important to use the right level of signature for the use case (eSignature – Get started).
Which types of electronic signatures does Oneflow offer?
Oneflow offers both simple (SES) and advanced electronic signatures (AdES).
The simple signature comes in many forms. The different forms have different levels of security and reliability but also correspond to different needs and requirements.
The simple electronic signature types that Oneflow offers include the following:
- Standard e-signature by which you sign with a click of a button through a private, encrypted link;
- Signing with an SMS or text message;
- Signing with a wet ink or handwritten signature;
- Signing with electronic identification through our eID partners.
For advanced electronic signatures, Oneflow relies on external partners, such as Swedish and Norwegian BankID, and Signicat (see section below). The list of supported advanced signatures is growing continuously but currently includes:
- Swedish BankID
- Norwegian BankID
How do electronic signatures in Oneflow comply with the signature levels in the eIDAS regulation?
Oneflow offers electronic signatures at simple (Simple Electronic Signature, SES) and advanced level (Advanced Electronic Signature, AdES).
The simple level has no requirements beyond “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign” (eIDAS Article 3). All our simple signatures do this and much more. We also collect multiple points of data for each signature, making even the simple level in many cases more secure than a traditional handwritten signature.
The advanced level puts strict requirements on the identification of the signatory and its control over the means of signing. In Oneflow this is handled by the various eIDs that can be used for signing. We also include the actual signature, as given to us by the eID provider, into the signed contract so that it can be later checked and validated.
As described above, in the section on “How does the eIDAS regulation apply to the EU/EEA and beyond?”, Oneflow does not offer legal advice and cannot tell you which type of signature you need in your specific case (kind of document and circumstance).
Which signature format does Oneflow use?
The qualified electronic seal that is applied to all signed contracts, and that ensures their integrity after signing, is of type CAdES-A (eSignature Standards and specifications).
What is Signicat and why do I sometimes get redirected to them when I sign with AdES?
To provide our customers with secure and reliable eIDs and advanced signatures in a wide range of countries, Oneflow partners with Signicat. Signicat is the leading eID broker in the EU/EEA and a Qualified Trust Service Provider (QTSP).
Therefore, when signing with eIDs you are often redirected to signicat.com to complete the signature.
FAQs on signed contracts in Oneflow
In this section, we have selected some of the most frequently asked questions from our users on signed contracts in the Oneflow application. There are many more questions in our Help Center, and of course if you have a specific question, please don’t hesitate to contact us.
Can I edit the signed contracts?
No. When a contract has been signed by all signatories, it is locked for legal and security reasons and can no longer be edited.
If you need to edit a signed contract, you can instead make a copy of the contract (in Oneflow, open the contract and choose the copy option under the three dots on the top right), and then make the change in the copy before sending it for signature again.
More information on how to copy and edit signed contracts: https://support.oneflow.com/en/support/solutions/articles/77000435938-editing-signed-contracts
My counterparty had signed, but suddenly it looks like the contract is unsigned by the counterparty again. What’s just happened?
The signatures were reset, or removed, because someone changed the contract.
When a contract in Oneflow is signed by all signatories it becomes locked and no further changes can be made to that contract; see “Can I edit the signed contracts?” above. Up until this point the entire contract can be changed, as long as the user has the permission to do so.
However, before the contract is signed by all signatories, each version of the document is a distinct contract proposal. Any change to a contract proposal results in a new contract proposal.
For this reason, when a few, but not all, of the signatories have signed a contract and the contract changes, those signatories who had signed the contract will have their signature reset, to ensure that everyone signed the correct version.
You can find more information on how and why signatures are reset when contracts are changed in our Help Center.
To see which changes were made to the contract that resulted in the signatures being reset you can check the contract’s Audit trail. The Audit trail feature collects and logs all of the changes made to a contract. You can see exactly which event reset the signatures under the “audit trail” tab at the top right panel of the contract.
More information on how to find the audit trail for your contracts here.
How do I verify that the contract I signed with Oneflow is still valid and securely signed?
Oneflow provides a contract verification PDF on all signed documents. The contract verification PDF is electronically sealed with a Qualified Electronic Seal (QES).
The verification and its seal ensure the integrity of the signed contract.
See the Oneflow Help Center for details on how to verify the integrity of the verification and the contract.
How are electronic seals used in Oneflow?
When the contract is signed by all signatories, Oneflow applies a Qualified Electronic Seal to the contract to ensure integrity, preventing it from being tampered with. If the verification, the contract or any of its attachments are changed, regardless of how small the change is, the seal will be broken and the change will be detected.
The seal is applied by our partner Sovos Trustweaver, which is a Qualified Trust Service Provider.
The seal can be independently verified by any service or application that supports CAdES signatures.
How do I ensure that the right person has signed the contract?
Oneflow offers multiple types of signatures, with different levels of security and assurance. If a lower level of assurance is acceptable, then a simple electronic signature via a verified email might be sufficient. Alternatively, SMS multi-factor authentication can be added on.
If a higher level of assurance is required then eIDs should be used. The actual assurance level depends on the eID that is used (eIDAS Levels of Assurance (LoA)).
If you haven’t already activated it, we have a guide on how to activate signing with eID in supported countries here.
Can I import signed contracts?
Of course. You can import signed contracts in Oneflow using our Import function. Log in to Oneflow, go to “Contracts” on the left menu. Then click “Import signed contracts” at the top right. You can read more about how to import agreements into Oneflow in this guide.