Authentic official documents can be created electronically as well as on paper. The EU Regulation on Electronic Identification, Authentication and Trust Services (eIDAS) (Regulation (EU) No 910/2014 “eIDAS Regulation”) has the legal effect of simplifying and standardising digital identities and signatures across Europe. It applies to all EU Member States and provides a consistent legal framework for the adoption of electronic identities and signatures. The Regulation also introduces the use of digital seals for business entities.
eIDAS defines three categories of electronic signatures:
1. Simple electronic signatures
eIDAS declares that no signature can be questioned on the grounds of its purely electronic form. This requirement can be met by typical electronic signatures.
Simple e-signatures can be hand-drawn on a desktop screen or even scanned from a handwritten signature, but there can be no assurance that an electronic document signed in this way is actually associated with the person who signed it. This simple form of e-signature does not have sufficient probative value to be legally appropriate for complex transactions (e.g. for high-risk contracts). Therefore, in case of doubt (lack of trust), simple e-signatures may legitimately raise questions about the identity of the signatory and the validity (and enforceability) of the legal commitments contained in the document signed in this form.
2. Advanced e-Signature, AES
When using AES, signatures must be attached individually to the signatory, whose identification must also be ensured. Signatories should only sign with data under their own control, and the final document should be marked with a tamper-evident flag. This requirement can be met by digital signatures.
Enhanced security electronic signatures provide a higher level of legal security and authenticity, because the e-document signed in this way is protected by the service provider using cryptographic means. In Hungary, an e-document with an advanced electronic signature is considered a simple private document, i.e. legally equivalent to a commitment made on paper with a handwritten signature. Simple private documents do not have the same evidentiary value as private documents with full evidentiary value (which can only be created by a so-called qualified electronic signature, see below), but commitments made with an advanced electronic signature are still legally binding between the parties. To be considered an advanced e-signature, the service provider must provide the following conditions:
- change-tracking – i.e. once the e-signature has been inserted into a document, the finished e-document can no longer be modified in a way that is undetectable to the parties;
- signature identifiability – i.e. you must provide assurance that the e-signature can only be linked to the person who signed it; and
- • a secure electronic environment (device and/or virtual platform accessible only to registered customers) – allowing users to create, store and manage their e-signatures in a virtual space. For security reasons, the operators of such platforms can only be trust service providers, i.e. organisations that take responsibility for the electronic identification of signatories and the issuance of e-signatures and other electronic certificates (e.g. time stamps) using efficient authentication technologies. The eIDAS Regulation defines how trust service providers can provide customer identification and signature integrity services and how they should be regulated and recognised in all EU Member States.
3. Qualified electronic signatures, QES
QES is a stricter form of AdES and the only signature type that has the same legal validity as handwritten signatures. It requires signatories to use both a certificate-based digital identifier issued by an authorised EU trust service provider (TSP) and a one-time use transaction code generated by a smart card, USB token, mobile app or other qualified signature creation device (QSCD).
In the case of qualified electronic signatures, legal security and authenticity are enhanced to the highest level compared to an e-signature with enhanced security by the issuance of a qualified certificate by a qualified trust service provider, which is part of the e-document. This qualified certificate can be used to verify the identity of the signatory and to confirm the authenticity of the electronic signature associated with the electronic document. In Hungary, an electronic document with a qualified e-signature is considered a private document with full evidential value, i.e. with a higher evidential value than a simple private document (which can be created by means of an e-signature with enhanced security). In the case of qualified electronic signatures, the e-signature itself must be created using a special device (card or token) and/or software. These digital means of creating a qualified electronic signature ensure that:
- the signer alone has control over the private key used to create the electronic signature (i.e. the signer “owns” the private key used to create the electronic signature);
- the signature details are unique and protected against forgery; and
- • the signature data is managed by a qualified trust service provider, an organisation approved by the competent authorities of the country concerned and responsible for providing a qualified electronic environment for identification, authentication, electronic certificates and e-signatures. The local legislation of the Member States and the requirements of the eIDAS Regulation define the operational rules that qualified trust service providers must follow.
Although they have a lower probative value, simple e-signatures and enhanced security e-signatures have their place and role in business and private situations where trust between the parties is undoubtedly present. However, legally speaking, the strongest evidence is provided by qualified electronic signatures. The latter type of e-signature is specifically required in cases where it is required by law or where a high-risk transaction is involved and trust between the parties is reduced (or even absent) or even potential litigation may occur. In the case of communications with governmental bodies, the Hungarian authorities usually also require e-documentation to be provided in a qualified form, i.e. with a qualified e-signature.
Verification of electronically signed documents
In the case of electronically signed documents, you can be sure that the signature was actually made by the person indicated in the signature and that the signatory actually signed the document by verifying the electronic signature and the signed document. One possible means of verification is the Government Electronic Signature Verification Service (eSignature Verification Service; KEAESZ) operated by NISZ Zrt.
During the verification, the KEAESZ software determines, among other things, beyond any doubt whether the signed document and the electronic signature are related, whether the document has been changed since the time of signature, and whether the private key certificate used to create the electronic signature was valid at the time of signature
Further links:
The database of the National Media and Infocommunications Authority (NMHH), as the authority registering trust service providers, on qualified trust service providers:
http://webpubext.nmhh.hu/esign2016/szolgParams/main.do
List of qualified trust service providers in the European Union and the Member States of the European Economic Area that comply with the eIDAS Regulation:
https://esignature.ec.europa.eu/efda/tl-browser/#/screen/home