The qualified electronic signature is a type of digital certificate associated with the content of a document, usually in text format. It is used to accept what is stated in such a document, with that acceptance bound to the identification data of the signatory. Its meaning and origin are based on European Union Regulation 910/2014.
This method stands out among electronic signature methods for its complexity and its high level of recognition by public institutions. Although it may not be the most suitable for certain types of operations, qualified electronic signatures are capable of offering the most demanding regulatory support.
Many businesses have started to ask themselves whether or not they should make the leap to a qualified signature solution. The answer is never the same, as it depends on the sector they belong to, the type of operations to be carried out, the context of these operations and the general risk profile around these aspects.
The qualified electronic signature is one of the different types of electronic certificates that are associated with digital documentation, as set out in the eIDAS regulation. It is known by its acronym QES (Qualified Electronic Signature) and contains essential information to identify the owner of the signature with a series of sensitive data. These data are:
All this information is linked and stamped to the content to be approved, denied, accepted or rejected, be it a contract, an agreement or the provision of consents. The qualified electronic signature must be issued by a Qualified Certification Authority. This means that Qualified Signature Creation Devices (QSCD) must be used to issue these certificates.
In this way, the qualified signature is able to confirm, without any doubt and with electronic evidence of the highest level, the authorship of an individual or collective will expressed for a given declaration and contained in a series of electronic data. This exchange of data results in an electronically signed, unalterable document with a legitimate interest.
We could say that there is an ascending order in electronic signature standards: simple, advanced and qualified. While the simple electronic signature is the mere inclusion of the image of a handwritten signature in a digital document, the advanced electronic signature must comply with a series of very specific requirements that, like the qualified electronic signature, grant legal validity to the signing process and digital traceability of what has taken place (with identity data sealed to the content).
However, and despite what many might think, the advanced signature is emerging as the most versatile and complete method, far from the often unnecessary complexity of the qualified signature. The latter is especially relevant for procedures with public administrations but not so interesting for B2C and B2B environments.
The qualified signature needs qualified devices to perform the issuance. These are generally cryptographic cards (such as the electronic ID card in the European Union, for example) or cryptographic USBs. This presents some difficulty as well as security risks, as the devices can be stolen or lost. To use them, the chosen or assigned key must be entered, but criminals sometimes use methods to discover it. That is why HSM servers are emerging as the solution.
eIDAS has contemplated the use of servers based on the latest cryptographic techniques to generate and - more importantly - store the qualified certificates that allow documents to be digitally signed. The fact that they are stored in the cloud solves the problem of loss or theft that we have been mentioning, and the providers offering this solution guarantee really high security measures.
Thus, qualified electronic signature platforms can be accessed at any time and in any place to generate certificates without problems with private keys. These unique and supervised repositories are particularly suitable for organizations with different types of certificates.
Qualified electronic signatures are often treated as counterparts or substitutes for traditional handwritten signatures. However, digitizing the signature of documents does not merely embody a digital transposition of a traditional process, but adds an extra layer of legal validity by providing more data, information and evidence than most physical signatures.
eIDAS, short for electronic IDentification, Authentication and trust Services, is the regulation approved in the European Union to establish a framework for trust services and secure electronic transactions. However, this regulation, which is already law in all the states of the region, has been taken as a reference to establish the legal and technical standards for the exercise of digital signatures throughout the world. In other words, complying with eIDAS means practically complying with any digital signature regulation in any state, country or region of the world.
Other standards such as AML6 and PSD2 join eIDAS in the goal of creating an economic and social ecosystem where digital transactions have a concrete set of standards that guarantee technical security and legal recognition in court in case of dispute. Businesses around the world can now sell online and operate in any marketplace if they comply with these standards without additional investment.
The endorsement of the standards is so high that in many regions it is forbidden by law to require digital signature models higher than the qualified electronic signature. Its standards are XAdES, CAdES and PAdES, which were defined by the European Telecommunications Standards Institute.
Integrating qualified e-signature systems in enterprises was costly and complex a few years ago. Now, however, thanks to scalable SaaS platforms for digital signature and user identity verification, companies can be up and running in days without impacting their systems or IT teams.
The development of customisable software by disruptive startups has resulted in API and webhook systems with simple calls that users do not notice as they are fully integrated into the customer journey. Qualified Trust Services Providers (TSPs) with RegTech specialization across all industries are advising and integrating these tools in record time for businesses to get the best possible time-to-market and improve conversion of their customer acquisition and engagement processes. This is especially notable in industries such as banking, insurance, FinTech and WealthTech.
As mentioned above, electronic signature solutions focus on uniquely linking the data to the signatory in such a way that they cannot be modified. In the event of a subsequent modification, this must be detectable and traceable. The technology behind these systems has been in use for years, and beyond providing security, these solutions have brought countless benefits to companies.
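The property described above, binding the data to the signatory so that any later modification is detectable, is shown here as an added example; it is not code from the original page or from any signature provider. The envelope layout, field names, sample contract and signer are constructed for illustration, and a toy unpadded RSA key stands in for a certificate key held in a QSCD or HSM.

```python
import hashlib
import json

# Toy RSA key from two Mersenne primes: demonstration only, trivially factorable.
# In a real QES the private key is generated and held inside the QSCD or HSM.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def _canonical(attrs: dict) -> int:
    """Hash a canonical JSON encoding of the signed attributes to an integer."""
    blob = json.dumps(attrs, sort_keys=True, separators=(",", ":")).encode()
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")

def sign(document: bytes, signer: dict, signing_time: str) -> dict:
    """Bind document digest, signer identity and time under one signature."""
    attrs = {"content_sha256": hashlib.sha256(document).hexdigest(),
             "signer": signer, "signing_time": signing_time}
    # Unpadded RSA stands in for a real scheme such as RSASSA-PSS or ECDSA.
    return {"attrs": attrs, "signature": pow(_canonical(attrs), D, N)}

def verify(document: bytes, envelope: dict) -> str:
    """Return 'valid', 'document-modified' or 'signature-invalid'."""
    attrs = envelope["attrs"]
    if hashlib.sha256(document).hexdigest() != attrs["content_sha256"]:
        return "document-modified"
    if pow(envelope["signature"], E, N) != _canonical(attrs):
        return "signature-invalid"
    return "valid"

def demo() -> dict:
    doc = b"Constructed sample: borrower repays 1,000 EUR by 2025-01-31."
    signer = {"name": "Jane Example", "id_number": "X0000000"}  # constructed
    env = sign(doc, signer, "2024-06-01T10:00:00Z")
    altered_doc = doc.replace(b"1,000", b"9,000")
    # Tamper case: the stored digest is rewritten to match the altered document.
    rehashed = {**env, "attrs": {**env["attrs"],
                "content_sha256": hashlib.sha256(altered_doc).hexdigest()}}
    # Tamper case: the signer identity is swapped, original signature kept.
    reattributed = {**env, "attrs": {**env["attrs"],
                    "signer": {**signer, "name": "John Other"}}}
    return {
        "original": verify(doc, env),
        "altered_document": verify(altered_doc, env),
        "altered_document_rehashed": verify(altered_doc, rehashed),
        "identity_swapped": verify(doc, reattributed),
    }
```

Because the signature covers the document digest and the identity data together, changing either one, or rewriting the stored digest to hide a change, fails verification.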
From huge savings in materials and space to improved productivity in administration departments, e-signatures have reinvented the way users and businesses interact and contract. There is no longer any risk of loss and the signed contract is automatically valid in front of a judge for all that it entails. With a legal effect equivalent to a handwritten signature, it is no longer necessary for the customer to go to a commercial office or shop to sign a contract and purchase products and services or to finalize any kind of sensitive transaction.
The difference between advanced and qualified electronic signatures lies in the digital certificate created by the Certification Authority. This is useful for public administrations (B2G), but in B2C and B2B models the advanced electronic signature is more than enough. Currently, some electronic signature solutions, such as Tecalis Signature, offer the possibility of carrying out a KYC (Know Your Customer) process linked to the advanced electronic signature, which provides an extreme guarantee and enables onboarding and instant contracting for processes as delicate as opening a bank account. For business-to-business processes, Know Your Business has started to be used alongside the electronic signature in the same flow.