Electronic signatures in Brazil: validity, types and legal framework

Brazil has undergone a significant digital transformation in recent years, establishing a robust legal framework for electronic signatures that guarantees legal certainty and facilitates digital transactions in both the public and private sectors. The country has one of the most advanced digital certification systems in Latin America, supported by the Infraestrutura de Chaves Públicas Brasileira (ICP-Brasil) and software providers such as Tecalis, which provide the technological and legal support necessary for the validity of electronically signed documents.

In this article, we explore in depth what the electronic signature is like in Brazil, its legal validity, the different types that exist, the legislation that regulates it, as well as its relationship with digital certification through ICP-Brasil. We will also discuss the preservation of electronic documents with electronic signature and its value as evidence in legal proceedings. 

What is Electronic Signature in Brazil?

The electronic signature in Brazil is a set of data associated to an electronic document that allows the identification of the signatory and the manifestation of his will, with the peculiarities of the requirements requested in Brazil for this to be considered as such. This concept ranges from simple signatures based on access codes, to qualified signatures using digital certificates such as those issued by ICP-Brazil.

The implementation of electronic signatures in Brazil has accelerated significantly since the COVID-19 pandemic, when the need to digitize processes became critical to maintain business continuity and public services. This massive adoption has shown the efficiency and security of the Brazilian system, consolidating its position as a regional benchmark in digital transformation.

The fundamental purpose of any electronic signature is to fulfill three essential functions:

• Authenticity: to guarantee the identity of the person signing the document, linking it unequivocally to the act.
• Integrity: to ensure that the content of the document has not been altered after signing. Any modification invalidates the signature.
• Non-Repudiation: prevent the signer from denying having signed the document. The electronic evidence generated in the process makes the signer legally responsible for the act.

The Brazilian system recognizes the electronic signature as an unequivocal manifestation of will that makes it possible to identify the signatory and guarantee the integrity of the signed document. Unlike a simple digitized image of a handwritten signature, the electronic signature in Brazil incorporates cryptographic and security elements that provide technical and legal guarantees equivalent to those of a traditional handwritten signature.

Types and Formats of Electronic Signatures in Brazil

Brazilian legislation establishes a clear taxonomy of electronic signature types, each with specific characteristics and defined use cases. This classification allows organizations to select the most appropriate signature type according to their security needs and applicable regulatory requirements.

• Assinatura eletrônica - Simple Electronic Signature: based on methods such as PIN, password, or biometrics, without requiring formal certification. Applicable for low-risk procedures.
  
• Assinatura avançada - Advanced Signature: meets technical criteria (exclusive linkage to the signatory, verification during the act, integrity, united association) and may include cryptographic methods.
  
• Assinatura qualificada - Qualified Signature: generated with a digital certificate issued by a Certification Authority accredited by ICP-Brasil, based on Brazilian PKI (Public Key Infrastructure).

The technical implementation formats vary according to the type of signature and the specific application. Qualified signatures use the PKCS#7 or XML Digital Signature standard, which incorporate digital certificates and allow cryptographic verification of the authenticity and integrity of the document. Advanced signatures can use a variety of technical formats, including cryptographic hash codes, time stamps and biometric evidence.

Key Legislation Governing Electronic Signatures in Brazil

In Brazil, electronic signatures are valid and legally recognized, backed by a strong regulatory framework that guarantees their equivalence to traditional handwritten signatures. Brazilian law clearly establishes that electronically signed documents have the same legal validity as handwritten documents, provided they comply with the established technical and procedural requirements.

Their legal validity is supported by multiple norms:

• Civil Code (Art. 104, 107, 225): equates electronic documents to physical documents when they meet technical requirements.
• Law No. 11.419/2006: establishes the legal framework for electronic signatures in the context of judicial and administrative proceedings.
• Law No. 14.063/2020: defines three levels of signature (simple, advanced, qualified) and their areas of use.
• Code of Civil Procedure (Art. 369, 411, 440): admits electronic documents as evidence in trials.
• Personal Data Protection Law (LGPD): although it does not focus exclusively on electronic signatures, it establishes rules on how personal data should be handled, which indirectly affects the use of electronic signatures.

Additionally, the Cyber Crimes Law (Law No. 12,965/2014 - Marco Civil da Internet) and Provisional Measure No. 2,200-2/2001 establish that electronically signed documents have presumption of authenticity, integrity, confidentiality and legal effectiveness.

However, the electronic signature certified by a provider accredited by ICP-Brasil, such as Tecalis, guarantees full legal validity, according to the standard described in this national regulation.

The Brazilian regulatory framework is characterized by its risk-based approach, where the level of security required for electronic signatures correlates with the level of risk and value of the transaction. This approach allows optimizing the user experience while maintaining the appropriate security levels for each context.

Legal Validity and Use cases: Simple Signature vs. Advanced Signature

Not all electronic signatures are the same, and in Brazil, choosing the wrong one can have serious legal consequences. The legislation establishes a clear hierarchy based on a fundamental principle: the higher the risk in a transaction, the higher the level of security and legal certainty of the signature. Understanding this distinction is vital to ensure the full validity of any digital act.

Beyond theory, the practical application of each signature defines its true value on a day-to-day basis. The following are the most common scenarios for each level.

Simple Electronic Signature

Its objective is speed and efficiency in high volume and low legal impact processes. It is ideal for:

• Human Resources: approval of vacation requests, confirmation of reading internal policies.
• Commercial: acceptance of an initial quote, confirmation of receipt of a proposal.
• Legal: acceptance of privacy policies and terms of service on websites or applications.

Advanced Electronic Signature

Considered the de facto standard for most business operations, it offers a perfect balance between robust security and a seamless user experience. Used in:

• Contracts: signing service contracts, non-disclosure agreements (NDAs), employment contracts.
• Real Estate: lease agreements and sale and purchase proposals (the final act of transfer usually requires a qualified signature).
• Financial: opening of bank accounts (according to the bank's policy) and signing of personal loan agreements.
• Public Sector: interactions with the government that do not explicitly require a qualified signature, such as those carried out with a Gov.br silver or gold level account.

The effectiveness of electronic signatures is multiplied when integrated with secure KYC processes. Solutions such as those from Tecalis combine biometric and document identity verification with the signature in a single step, guaranteeing with total certainty who is signing the contract. This unified approach is the safest and most robust option for signing up new users, shielding the process against fraud and ensuring maximum legal validity from the outset.

ICP-Brasil: The Brazilian Digital Certification Ecosystem

ICP-Brasil enables the issuance of digital certificates that form the basis of the country's qualified electronic signature system. This ecosystem represents one of the most robust and complete digital certification infrastructures in Latin America, providing the technical and institutional foundations for secure digital transactions.

This Public Key Infrastructure is a complex and hierarchical chain of trust, managed and audited by the government, whose purpose is to guarantee authenticity, integrity and confidentiality in electronic communications.

The structure of ICP-Brasil is organized as follows:

• Comitê Gestor da ICP-Brasil: this is the highest level body, composed of representatives of civil society and government. Its function is to determine the policies and regulations of the system, acting as the normative authority.
• Instituto Nacional de Tecnologia da Informação (ITI): it is the executive and technical arm. The ITI acts as the Root Certification Authority (Autoridade Certificadora Raiz - AC Raiz), that is, the first entity in the chain of trust. It is the only one that can issue, distribute, revoke and manage the certificates of lower level Certification Authorities. In essence, the ITI is the anchor of all trust in the system.
• Certification Authorities (ACs): these are public or private entities, accredited by the ITI, with the power to issue digital certificates to end users. Examples of well-known ACs in Brazil are Serpro, Caixa Econômica Federal, Certisign and Serasa Experian.
• Registration Authorities (ARs): these are the entities that act as the "front office" of the ACs. They are linked to an AC and are responsible for the identification (in person or by videoconference) of the applicant of a digital certificate. They verify the documents and the identity of the person or company before the CA issues the certificate, ensuring that the certificate holder is who he/she claims to be.

Obtaining an ICP-Brasil certificate (such as an e-CPF or e-CNPJ) involves contacting an AR, presenting the required documentation, validating the identity and, finally, receiving the certificate, which can be stored on a USB token, a smart card or in the cloud.

Preservation of Electronic Documents and Their Value as Evidence

The preservation of signed electronic documents in Brazil is essential to maintain their evidentiary value in the long term, legally equating them to physical documents. The regulations require preserving not only the document, but all associated cryptographic evidence (certificates, time stamps) using appropriate management systems.

Preservation periods vary according to the type of document (e.g. 5 years for tax or 10 years for commercial) and it is crucial to have technological migration strategies to update the archives and ensure their future validity in the face of evolving algorithms. Finally, organizations should conduct regular audits to ensure compliance and integrity of their digital archives.

Tecalis guarantees a minimum custody of 5 years for all documents and evidence generated in its signature processes, a period that is adapted and extended according to the requirements of regulations such as the eIDAS Regulation and the sectorial obligations of each client, which may require up to 10 years or more. As a Trusted Service Provider, the platform is designed to safeguard the complete evidentiary dossier (time stamping, evidence, etc.), thus ensuring the evidentiary value and integrity of signatures throughout the document's legal life cycle.

Identity Verification: The Role of CPF and The Gov.br Platform

Brazil's identity verification system is a pillar of its electronic signature ecosystem, based on the Cadastro de Pessoas Físicas (CPF) as a unique identifier and the Gov.br platform, which centralizes digital identification.

This system operates with different levels of trust (basic, medium and high) that adapt to the risk of each operation. In addition, it enables secure integration with the private sector through APIs to facilitate customer verification in all types of services, from account opening to online contracting.

This synergy between robust government infrastructure and market needs has created a digital ecosystem that balances security, usability and legal trust, positioning Brazil as a regional leader in digital identification.

Tags