Qualified electronic signatures are the highest standard of electronic signature described in eIDAS (the Electronic Identification and Trust Services Regulation). Legally, they hold the same weight as handwritten signatures and are used in the highest-assurance use cases, where it is imperative to have a secure signature and proof of the signatory's identity. Example industries that require this strong customer authentication are banks and other financial services, which are typically required to conduct extensive KYC (know your customer) and CDD (customer due diligence) processes as part of AML (anti-money laundering) and CFT (countering the financing of terrorism) compliance.
Qualified electronic signatures are required to adhere to technical standards outlined by the independent standards body, ETSI (The European Telecommunications Standards Institute). Conforming to these standards requires an extensive audit that ensures the provider has robust support processes in place, and meets high standards of security, interoperability, and assurance. The relevant ETSI standards for identity verification and QES are:
- ETSI TS 119 461: describes standards for the management and operation of a solution, and identity proofing service requirements.
- ETSI EN 319 401: describes standards for electronic signatures and infrastructures to support the eIDAS regulation.
eIDAS regulation and qualified electronic signature
As stated by the European Commission, 'eIDAS is a key enabler for secure cross-border transactions.' In other words, it seeks to make digital transactions safer and to harmonize the rules for doing so. It covers:
- Electronic identification (eID) schemes: ensuring that eID schemes in the EU are interoperable, secure, and accepted across Member States.
- Trust services: creating, verifying, and preserving electronic signatures, seals, electronic time stamps, electronic delivery services and website authentication certificates.
- Authentication: promoting a high level of assurance and the use of strong authentication for eIDs, identity proofing methods and trust services.
- Mutual recognition: ensuring that solutions meeting eIDAS standards are accepted across all Member States.
However, eIDAS does not mandate a single, exclusive interoperable standard. In fact, it allows for three routes to compliance:
- Using an eID (electronic identity): eIDAS 2.0 will mandate that Member States accept eIDs; however, they are not expected to become widespread for a number of years.
- Via nationally accredited schemes: examples include PVID in France and the SEPBLAC Certification in Spain. These schemes are unique to each Member State, and so create additional complexity for businesses operating across borders.
- By requesting an eIDAS qualified electronic signature: accepted across all Member States as having the same weight as a handwritten signature.
What’s the difference between advanced vs. qualified electronic signatures?
Although an advanced electronic signature (AES) may appear similar to a qualified electronic signature (QES), and may similarly require proof of identity via document and biometric verification, the two are not recognized in the same way.
For highly sensitive use cases, like banking, eIDAS only recognizes and oversees qualified electronic signatures.
To complete identity verification for qualified electronic signatures, providers must comply with the ETSI standards mentioned above. This allows them to act as an Identity Proofing Service Provider (IPSP) for Qualified Trust Service Providers (QTSPs), and to support know your customer (KYC) checks for AML-regulated businesses.
There are also differences in how questions of validity are handled. For AES, the signatory is responsible for proving that the signature is valid. For QES, whoever disputes its validity must provide proof. This means QES has the highest legal enforceability and the strongest protection in court.