E-Signatures: what are the three types, and which one should you use?
At this point, organizations use e-signatures throughout the world for a wide range of purposes. You use e-signature technology each time you sign a touchscreen for a credit card transaction in person, when you agree to the terms of a contract sent digitally, and when you create a signature for your driver’s license.
Because of their electronic nature, however, e-signature transactions are more vulnerable to fraud and other cybercrimes.
An e-signature is merely a version of your signature in electronic form, but a “verified” e-signature holds more weight. Verified e-signatures are as legally binding as so-called “wet” handwritten signatures obtained in person.
We’ll explain, what counts as an esignature, and some of the differences in the trustworthiness of the various signature types to help you determine which one is the best fit for you.
The three e-signature assurance levels under eIDAS
Enacted in 2016, the European Union (EU) eIDAS regulation. Lawmakers and regulators worked together to create eIDAS to establish a common foundation and framework for secure e-signatures. The EU regulation established three categories of the different types of electronic signatures that exist:
- Basic or Basic Electronic Signatures for general usage
- Advanced Electronic Signatures backed by authentication through digital certification by a trusted third-party
- Qualified Electronic Signatures authenticated by a third-party granted authority by the EU
These three types, or levels, of e-signatures, indicate the trustworthiness of signed agreements.
Several different signature regulations vary based on geography, industry regulations, and details about the document. The three types of e-signatures laid out in eIDAS offer increasing levels of security and assurance.
Basic electronic signatures
A simple electronic signature is the broadest e-signature type. The eIDAS regulation defines an electronic signature as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”
Basic electronic signatures are legally binding in most instances, but some entities may require a higher level of authenticity to accept an e-signature. A basic e-signature can be created by scanning an image of a signature or by simply ticking a checkbox to indicate consent to website terms and similar language.
Basic electronic signatures are prone to tampering and forgery. For example, it’s virtually impossible to know who checked off the boxes to confirm terms and conditions. For this reason, many organizations and individuals do not put much stock in basic electronic signatures. They don’t establish authenticity on their own.
Advanced electronic signatures
Advanced electronic signatures (AES) have an “electronic seal” attached to them. They are transmitted through an electronic registered delivery service (ERDS) for additional verification. Often, a Certificate Authority (CA) issues certificates that authenticate advanced electronic signatures.
Under eIDAS, AES signatures must meet several qualifications. They must:
- Be uniquely linked to the signatory (the person with the authority to sign the document)
- Correctly identify the signatory
- Be created using e-signature creation data that the signatory can use under their sole control with a high level of confidence
- Linked to data in a document that signatories can monitor for subsequent changes
AES utilizes a Public Key Infrastructure (PKI) technology, also known as asymmetric cryptography, to satisfy these requirements. The PKI process is how a digital certificate verifies digital signatures. Keep in mind that this is different from a symmetric key algorithm that relies on a single key to encrypt and decrypt data.
In a way, a digital certificate resembles a passport or driver’s license, in that a third-party CA has verified it. Each digital certificate is unique to the individual and nearly impossible to be convincingly replicated.
The signatory remains the sole holder of the private key, which is required to apply the signature. The parties can feel confident the other signer or signers are the people they say they are.
As part of the signature verification process, the PKI software automatically reviews documents to ensure that no one has made changes to them. If someone edits a document, all parties are notified and the process begins again.
The legal community usually considers AES as valid as traditional wet-ink signatures. Attorneys routinely cite the verification process as a reason to use AES as reliable evidence in court proceedings.
PandaDoc allows users to apply AES verification to their electronic documents.
Qualified electronic signatures
A Qualified Electronic Signature, or QES for short, is essentially an Advanced Electronic Signature that meets higher security and assurance levels. They are validated through a multistep process based on encrypted keys and double factor authentication. Essentially, an agreed-upon third party vets the signers before they can issue a qualified electronic signature.
It’s important to state that having a higher security standard doesn’t necessarily mean it is better. We’re simply saying it conforms to a higher set of security requirements compared to its AES counterpart.
Think of it this way. To qualify for the NBA league, you need to be pretty tall. The average player is somewhere in the realm of 6 ft. 7 in. Now, if you were 6 ft. 8 in. tall, would you qualify? What if you were 7 ft.? Would that earn you a spot in the league? The answer to both these questions is – yes.
In the same way, AES and QES signatures both provide the highest industry-accepted standards of trust and assurance. Each of them assigns a unique key to every user, which is directly linked to the signer’s identity. This means that a court of law would determine exactly who signed the document. There’s no question about that.
The main difference is that a QES requires you to jump through more hoops, one of which involves you undergoing a formal registration process for a qualified Certificate Authority to verify your identity. This, quite frankly, can be a pain and is entirely unnecessary if you have an AES.
The eIDAS definition for a QES is “an advanced electronic signature that is created by a qualified signature creation device and which is based on a qualified certificate for electronic signatures.”
Right away, we can guess that a “qualified signature creation device” will need to meet specific guidelines. Sure enough, there are several requirements these devices must satisfy. The device must:
- Protect the confidentiality of the electronic signature creation data
- Allow for only one usage of the QES
- Guard against forgery
- Be reliably protected by the legitimate signatory
- Not alter the data or prevent it from being presented to the signatory before signing
- Generate or manage signatory data on behalf of the signatory only at the behest of a qualified trust provider
If this explanation seems confusing, just remember that if you want to use QES, each step must meet the qualifications set out in eIDAS. This also means that you need to be discerning when looking for an electronic signature service provider. If a provider does not mention eIDAS and other regulations related to e-signatures, consider it a red flag.
To qualify for QES status, the eIDAS regulation requires all parties to use data on a device that is backed by a “qualified certificate for electronic signatures.” Only a CA accredited as a Qualified Trust Service Provider (QTSP) can issue qualified certificates. If your e-signature service provider is not a CA, be sure they partner with a reliable CA.
All in all, whether you choose an AES or a QES, the most important thing to know is that they are both legally enforceable in a court of law. Getting an AES, however, is much less of a hassle since it doesn’t require you to overcome a whole bunch of hurdles just to make your business-critical documents legally-binding.
No discussion of the three signature types established in the eIDAS would be complete without mentioning the purpose of e-seals. Similar to an e-signature, and e-seal guarantees integrity and authenticity. Instead of authenticating an individual, however, e-Seals verify the integrity of a legal entity, such as a board of directors, department within an organization, or government agency.
Which assurance level should I use to stay compliant?
So, you’re ready to move forward with finalizing an agreement. Which e-signature type is right for you?
This will mostly depend on how important it is to you that the agreement in question would hold up in court (in which case, a Basic Electronic Signature is out of the question), and how many hoops you’re prepared to jump through just to get it.
If you want more assurance that it would be legally binding in the eyes of a judge, have your agreement signed with an AES or QES. Both of these establish higher levels of trust and assurance and are much more likely to convince legal authorities of a contract’s legitimacy.
An AES, however, presents a more convenient alternative that doesn’t require you to present yourself to a Certificate Authority and undergo a rigorous vetting process before they can issue you with QES. An AES carries just as much weight to stay compliant without having to subject yourself to the grueling validation procedures that come with QES.
While the eIDAS regulation was created by the EU, businesses, and individuals conducting business with EU countries will likely need to comply to be considered a party to a legitimate legal agreement.
There are also two United States regulations that you’ll need to consider:
The uniform electronic transactions act (UETA)
Established in 1999, the UETA regulation is managed by state legislators. This means that these electronic signature laws only apply in US states that have adopted them. Currently, UETA regulations have a legal effect in every state except Illinois, New York, and Washington.
Because of how the US government is structured and the guidelines laid out in the US Constitution, individual states control trade matters instead of the federal government.
The Constitution does require that states adopt a uniform response when it comes to interstate commerce. If you live in California and need an agreement signed by someone in New Jersey, you’re conducting interstate commerce. The federally mandated E-Sign Act covers this type of arrangement.
The legality of electronic signatures as stipulated by UETA
For an eSignature to be considered valid and enforceable, it needs to meet the following requirements:
- Consent – All parties to the agreement have to be privy to the electronic signing process.
- Intent – The signer needs to show intent by actively attaching a digital signature for electronic document signing.
- Association – The electronic signature solution selected must be linked to the digital document at the time it is signed and saved in Adobe PDF or any other chosen file format.
- Attribution – The eSignature needs to be attributable to the signatory subject to the context and circumstances surrounding the signing process. This could be in the form of an IP address, date/time stamp, or any other relevant metadata.
- Record retention – The electronic document should be saved in a form that can be retrieved and reproduced when need be. It also needs to maintain an accurate audit trail of all actions taken at every stage of the workflow.
Electronic signatures in global and national commerce act (e-sign act)
Established in 2000 by President Bill Clinton, the E-Sign Act explicitly legalizes e-signatures. The legal text states that “contracts established on the internet will now have the same legal force as the equivalent contracts on paper.”
Like the eIDAS, the E-Sign Act lays out guidelines for establishing authority and authenticity of e-signatures, as well as rules for how to obtain, protect, and retain documents that include e-signatures.
Stay compliant with PandaDoc
If your organization frequently sends and receives signed documents, an AES e-signature solution like PandaDoc can help you stay compliant with all the laws and regulations related to signing digital documents that would hold up during litigation.
It complies with the eIDAS regulatory guidelines that call for locally-held electronic identification credentials; the control and confidentiality of said credentials; and direct linkage to the signatory.
PandaDoc streamlines the process of creating, approving, and e-signing documents like proposals, quotes, and contracts. Over 23,000 customers use the PandaDoc solution to save time and money on the e-signature process.
Learn more about PandaDoc and set up a free, 14-day trial today.