E-signatures: what are the three types, and which one should you use?
At this point, organizations use e-signatures throughout the world for a wide range of purposes. You use e-signature technology each time you sign a touchscreen for a credit card transaction in person, when you agree to the terms of a contract sent digitally, and when you create a signature for your driver’s license.
Because of their electronic nature, however, e-signature transactions are more vulnerable to fraud and other cybercrimes.
An e-signature is merely a version of your signature in electronic form, but a “verified” e-signature holds more weight. Verified e-signatures are as legally binding as so-called “wet” handwritten signatures obtained in person.
We’ll explain some of the differences in the trustworthiness of the various signature types to help you determine which one is the best fit for you.
The three e-signature assurance levels under eIDAS
Enacted in 2016, the European Union (EU) eIDAS regulation was created by lawmakers and regulators to establish a common foundation and framework for secure e-signatures. The legislation established three e-signature categories:
- Basic or simple electronic signatures for general usage
- Advanced electronic signatures backed by authentication through digital certification by a trusted third party
- Qualified electronic signatures authenticated by a third party granted authority by the EU
These three types, or levels, of e-signature indicate the trustworthiness of signed agreements.
There are several different signature regulations that vary based on geography, industry regulations, and details about the document. The three types of e-signatures laid out in eIDAS offer increasing levels of security and assurance.
Basic electronic signatures
A simple electronic signature is the broadest e-signature type. The eIDAS regulation defines an electronic signature as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.”
Basic electronic signatures are legally binding in most instances, but some entities may require a higher level of authenticity to accept an e-signature. A basic e-signature can be created by scanning an image of a signature or by simply ticking a box to indicate consent to website terms and similar language.
Basic electronic signatures are prone to tampering and forgery. For example, it’s virtually impossible to know who actually checked off the boxes to confirm terms and conditions. For this reason, many organizations and individuals do not put much stock in basic electronic signatures. They don’t establish authenticity on their own.
Advanced electronic signatures
Advanced electronic signatures (AES) have an “electronic seal” attached to them. They are transmitted through an electronic registered delivery service (ERDS) for additional verification. Often, a Certificate Authority (CA) issues certificates that validate advanced electronic signatures.
Under eIDAS, AES signatures must meet several qualifications. They must:
- Be uniquely linked to the signatory (the person with the authority to sign the document)
- Correctly identify the signatory
- Be created using electronic signature creation data that the signatory can, with a high level of confidence, use under their sole control
- Be linked to the data in the document in such a way that signatories can detect any subsequent change
AES uses Public Key Infrastructure (PKI) technology to satisfy these requirements. PKI is the process by which a digital certificate is used to verify a digital signature. In a way, a digital certificate resembles a passport or driver’s license, in that a third-party CA has verified it. Each digital certificate is unique to the individual and nearly impossible to replicate convincingly.
The signatory remains the sole holder of the private key, which is required to apply the signature. The parties can feel confident the other signer or signers are the people they say they are.
As part of the signature verification process, the PKI software automatically reviews documents to ensure that no one has made changes to them. If someone edits a document, all parties are notified and the process begins again.
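The two PKI properties just described, that only the holder of the private key can produce the signature and that any later edit to the document is detected, can be shown in working code. The following is an added illustration, not code from this article or from PandaDoc; it assumes ECDSA over P-256 with SHA-256 (one common choice, not something the article specifies), and a hypothetical helper `RunScenario` that signs a constructed sample contract, then checks the original, a tampered copy, and a different person's key. A real AES would take the public key from a CA-issued certificate, which this example leaves out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the document and signs the digest with the private key
// that only the signatory holds (the "sole control" requirement above).
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest and checks the signature with the public
// key from the signatory's certificate; any later edit changes the digest and fails.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// RunScenario (hypothetical helper, not a PandaDoc API) signs a constructed sample
// contract and checks the original, a tampered copy, and another person's key.
func RunScenario() (origOK, alteredOK, otherKeyOK bool, err error) {
	signer, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	other, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	contract := []byte("Sample contract (constructed): total EUR 10,000, due 2024-12-31")
	sig, err := SignDocument(signer, contract)
	if err != nil {
		return
	}
	altered := []byte("Sample contract (constructed): total EUR 100,000, due 2024-12-31")
	origOK = VerifyDocument(&signer.PublicKey, contract, sig)
	alteredOK = VerifyDocument(&signer.PublicKey, altered, sig)
	otherKeyOK = VerifyDocument(&other.PublicKey, contract, sig)
	return
}

func main() {
	fmt.Println(RunScenario()) // true false false <nil>
}
```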
The legal community usually considers AES as valid as traditional wet-ink signatures. Attorneys routinely cite the verification process as a reason to use AES as reliable evidence in court proceedings.
PandaDoc allows users to apply AES verification to their electronic documents.
Qualified electronic signatures
Qualified electronic signatures (QES) are the most advanced type of e-signature. These signatures are validated through a multistep process based on encrypted keys and two-factor authentication. Essentially, an agreed-upon third party vets the signers before a qualified electronic signature can be issued.
The eIDAS definition for a QES is “an advanced electronic signature that is created by a qualified signature creation device and which is based on a qualified certificate for electronic signatures.”
Right away, we can guess that a “qualified signature creation device” will need to meet specific guidelines. Sure enough, there are several requirements these devices must satisfy. The device must:
- Protect the confidentiality of the electronic signature creation data
- Allow for only one usage of the QES
- Guard against forgery
- Be reliably protected by the legitimate signatory
- Not alter the data or prevent it from being presented to the signatory before signing
- Generate or manage signatory data on behalf of the signatory only at the behest of a qualified trust provider
If this explanation seems confusing, just remember that if you want to use QES, each step must meet the qualifications set out in eIDAS. Be discerning when looking for an electronic signature service provider. If a provider does not mention eIDAS and other regulations related to e-signatures, consider it a red flag.
To qualify for QES status, the eIDAS regulation requires all parties to use data on a device that is backed by a “qualified certificate for electronic signatures.” Only a CA accredited as a Qualified Trust Service Provider (QTSP) can issue qualified certificates. If your e-signature service provider is not a CA, be sure they partner with a reliable CA.
Unlike the other e-signature types, a QES is guaranteed by the qualified third party to serve as the legal equivalent of a traditional wet-ink signature.
No discussion of the three signature types established in eIDAS would be complete without mentioning the purpose of e-seals. Similar to an e-signature, an e-seal guarantees integrity and authenticity. Instead of authenticating an individual, however, an e-seal authenticates a legal entity, such as a board of directors, a department within an organization, or a government agency.
Which assurance level should I use to stay compliant?
So, you’re ready to move forward with finalizing an agreement. Which e-signature type is right for you?
This will mostly depend on how important it is to you that the agreement in question would hold up in court. If you want more assurance that it would be legally binding in the eyes of a judge, have your agreement signed with an AES or QES. The last thing you want is for a judge to simply toss out a contract because the signatures can’t be validated.
AES and QES establish higher levels of trust and assurance and are much more likely to convince legal authorities of a contract’s legitimacy.
While the eIDAS regulation was created by the EU, businesses and individuals conducting business with EU countries will likely need to comply in order to be considered a party to a legitimate legal agreement.
There are also two United States regulations that you’ll need to consider:
The Uniform Electronic Transactions Act (UETA)
Established in 1999, UETA is adopted by state legislatures, which means it only applies in US states that have enacted it. Currently, UETA applies in every state except Illinois, New York, and Washington.
Because of how the US government is structured and the guidelines laid out in the US Constitution, individual states control trade matters instead of the federal government.
The Constitution does require that states adopt a uniform response when it comes to interstate commerce. If you live in California and need an agreement signed by someone in New Jersey, you’re conducting interstate commerce. The federally mandated E-Sign Act covers this type of arrangement.
Electronic Signatures in Global and National Commerce Act (E-Sign Act)
Established in 2000 by President Bill Clinton, the E-Sign Act explicitly legalizes e-signatures. The legal text states that “contracts established on the internet will now have the same legal force as the equivalent contracts on paper.”
Like eIDAS, the E-Sign Act lays out guidelines for establishing the authority and authenticity of e-signatures, as well as rules for how to obtain, protect, and retain documents that include e-signatures.
Stay compliant with PandaDoc
If your organization frequently sends and receives signed documents, an e-signature solution like PandaDoc can help you stay compliant with all the laws and regulations related to the various types of electronic signatures.
Reputable e-signature service providers like PandaDoc hold the necessary certifications to create authentic signatures. You can create both AES and QES with PandaDoc. The service can help you stay compliant with laws in both the EU and the US.
PandaDoc streamlines the process of creating, approving, and e-signing documents like proposals, quotes, and contracts. Over 18,000 customers use the PandaDoc solution to save time and money on the e-signature process.
Learn more about PandaDoc and set up a free, 14-day trial today.