What Is a Qualified Electronic Signature?
A Qualified Electronic Signature is an e-signature accompanied by a qualified certificate to ensure the highest levels of authenticity & originality. A QES verifies the signer’s identity with a legitimacy level that equals the legal value & effect of a traditional handwritten signature in Europe.
Among the various types of electronic signatures defined under the eIDAS Regulation, a Qualified Electronic Signature guarantees the highest level of security. A user signs a document based on a qualified digital certificate. This certificate gives a trustworthy digital representation of the person’s identity, due to a highly regulated identity verification process. For example, the ID document information is extracted by reading the NFC chip, and the owner of the passport is recognized and identified via a sophisticated facial recognition and liveness check process.
What Different Types of Electronic Signatures Are There?
When exploring the different levels of electronic signatures available across Europe, companies needing an electronic signature offering need to review the legal requirements specific to the documents and legal acts they intend to use Sign for. The eIDAS Regulation offers three options of electronic signatures, now all covered by Sign, the digital signing solution of CM.com:
1. (Simple) Electronic Signatures
Article 3 of the eIDAS Regulation defines an “electronic signature” or “simple electronic signature” as follows: “‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.” This most basic form of electronic signing does not require complex technical implementation to deliver digital verification or protect against forgery. Due to the relatively low levels of authenticity guaranteed by this type of signature, it is usually reserved for low-value sales agreements or documents of lesser importance.
2. Advanced Electronic Signatures (AdES)
“An advanced electronic signature is an electronic signature which is additionally:
uniquely linked to and capable of identifying the signatory;
created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
linked to the document in a way that any subsequent change of the data is detectable.”
This technology relies on so-called key pairs, consisting of a “public key” and a mathematically corresponding “private key”, as well as certificates. The keys can be used to encrypt data (i.e. the data becomes unreadable) or to sign it (i.e. the data stays readable, but a hash of it is generated that can be used to detect subsequent changes, and that hash is then encrypted with the private key; the result can be used to verify the identity of the signatory).
3. Qualified Electronic Signatures (QES)
As mentioned previously, a QES guarantees the highest level of security for electronic signatures due to the digital certificate granted by a Qualified Trust Service Provider (QTSP). This digital certificate is delivered by our partner Digidentity. The benefit of these types of digital signatures is that they are time efficient, they reduce the number of errors made in the process and, due to the high level of trust that a QES carries, ensure a safe feeling for all parties involved. With Digidentity’s user-friendly service, CM.com can offer Qualified Electronic Signatures without compromising on convenience and security. The authenticity offered by a QES means they are ideal for highly regulated transactions and are considered the legal equivalent of wet ink signatures.
What Are the Legal Requirements for Electronic Signatures?
The eIDAS Regulation provides the legal justification for electronic signatures. Even for Simple Electronic Signatures, eIDAS stipulates that a signature should not be denied legal effect within legal proceedings “solely on the grounds that it is in an electronic form.” Outside of the EU, the legal validity of electronic signatures may be slightly different, but an increasing number of markets worldwide recognize electronic signatures as legally robust and follow the eIDAS standards.
One of the differences between a Simple and an Advanced electronic signature is the required level of authenticity. A Simple Electronic Signature (SES), for example, is defined by eIDAS as “any piece of electronic data that is attached to or logically associated with other forms of electronic data used by the signatory to sign a document.” As such, including your name below your email could qualify as an SES.
An Advanced Electronic Signature is subject to some additional requirements, for example that it must be “uniquely linked to and capable of identifying the signatory, created in a way that allows the signatory to retain control, and is linked to the document in a way that any subsequent alteration of the data is detectable.”
Finally, a QES must be created by a Qualified Signature Creation Device (QSCD) and be based on a Qualified Certificate for electronic signatures. According to eIDAS, a Qualified Certificate must include information such as the signatory’s name, corresponding electronic signature validation data, information identifying the certificate’s period of validity from start to finish, and the Qualified Trust Service Providers’ (QTSP) unique certificate identity code. This certificate is automatically attached to the Qualified Electronic Signature at hand. According to eIDAS, a QES is seen as the legal equivalent of a handwritten signature.
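The hash-then-sign mechanism described for advanced signatures, checked against the certificate fields listed above, shown as an added example (not code from CM.com or Digidentity). It uses unpadded textbook RSA on a deliberately weak demo key; the certificate values and the `sign`/`verify` helpers are constructed for illustration, whereas real signatures use padded schemes with the private key held in a QSCD.

```python
import hashlib
from datetime import datetime, timezone

# Demo key built from two known Mersenne primes: trivially factorable, NOT secure.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537                      # public key ("validation data")
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, under the signatory's sole control

# Constructed certificate carrying the fields the text lists for a qualified certificate.
CERT = {
    "subject_name": "Alex Example",                       # constructed name
    "validation_data": (N, E),
    "not_before": datetime(2023, 1, 1, tzinfo=timezone.utc),
    "not_after": datetime(2024, 1, 1, tzinfo=timezone.utc),
    "issuer_id": "EXAMPLE-QTSP-0001",                     # placeholder identity code
}

def digest(document: bytes, signed_at: datetime) -> int:
    """Hash the document, then bind the claimed signing time to that hash."""
    doc_hash = hashlib.sha256(document).digest()
    bound = hashlib.sha256(doc_hash + signed_at.isoformat().encode()).digest()
    return int.from_bytes(bound, "big")

def sign(document: bytes, signed_at: datetime, d: int = D, n: int = N) -> int:
    """Signatory side: transform the hash with the private key."""
    return pow(digest(document, signed_at), d, n)

def verify(document: bytes, signed_at: datetime, signature: int, cert: dict) -> str:
    """Relying-party side: needs only the certificate, never the private key."""
    n, e = cert["validation_data"]
    # The certificate must have been valid when the signature was made.
    if not cert["not_before"] <= signed_at <= cert["not_after"]:
        return "certificate not valid at signing time"
    # Recover the signed hash with the public key and compare it with a fresh
    # hash of the document as received: any later change makes them differ.
    if pow(signature, e, n) != digest(document, signed_at):
        return "signature does not match document"
    return "valid"

if __name__ == "__main__":
    when = datetime(2023, 6, 1, 12, 0, tzinfo=timezone.utc)
    contract = b"Rental agreement, monthly rent EUR 1200"   # constructed document
    sig = sign(contract, when)
    print(verify(contract, when, sig, CERT))
    print(verify(contract.replace(b"1200", b"2100"), when, sig, CERT))
```
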
Does Sign by CM.com offer a Qualified Electronic Signature?
Sign is a Software-as-a-Service (SaaS) provided by CM.com that enables customers to upload documents and then invite signatories to review and sign them. Sign can be used through the web interface designed by CM.com or through an API. The first option provides the full functionality of Sign via the standard interface, accessible via any browser as intended by CM.com, and the second option enables customers to integrate Sign’s features into third-party software (e.g. their own DMS).
In its default configuration, Sign by CM.com generates electronic signatures that meet and exceed the requirements imposed by the eIDAS Regulation for simple electronic signatures as meant in Article 3 (10). Furthermore, Sign by CM.com is capable of generating electronic signatures that meet and exceed the requirements imposed by the eIDAS Regulation for advanced electronic signatures in Article 26, provided that additional authentication options are selected by the customer for the signing process, and the means employed by the customer to identify the signatories – prior to providing that information to CM.com - are sufficiently reliable. Examples of additional authentication options are One Time Password via SMS, IBAN verification, or iDIN, and expected in Q2 2023, ID Scan.
Sign by CM.com now also supports Qualified Electronic Signature: Qualified Signing by CM.com. It supports identity verification in the HR, rental, legal, and insurance industries, as well as many others. With the Qualified Electronic Signature, CM.com offers all levels of Electronic Signature according to the eIDAS regulation. With QES functionality, our Sign solution provides users with the highest levels of authenticity, integrity, and trust.
If you are interested in Qualified Electronic Signing, please contact us for more information regarding subscriptions and pricing.
Frequently Asked Questions About Qualified Electronic Signatures
I want to start using Qualified Electronic Signature. What is exactly required for this?
First, you need to have an active subscription with Sign by CM.com. This can either be an existing subscription plan (Professional, Business, or Enterprise) or one of the new Bundle subscriptions. Please note that our pre-paid 50-Document Bundles and the Go Plan do NOT support the use of QES. Second, QES needs to be activated on your account. To activate QES please contact your Account Manager.
What type of subscriptions are available for QES?
When activating QES on your account there are two options. First, you need to activate QES so you can send out Sign requests to your recipients on level Qualified. This type of signature is what we call a one-time signature. You invite a signee to sign a document on level Qualified, and after signing the document, the user cannot sign another document (only after receiving a new invite). Each signing will be invoiced separately. As a special add-on it is also possible to purchase a subscription. With this subscription you activate a Qualified Electronic Signature for (mostly) your own employees. With such a subscription your employee can sign an unlimited number of documents. The certificate is valid for one year, and after this the certificate can be renewed for another year. Such a subscription can already be beneficial if your employee needs to sign 3 or more documents per month.
Can I use Sign by CM.com to create a one-time QES without a subscription?
No, this is not possible. As stated in what is required for QES, you need to have an active subscription with Sign by CM.com. Without this subscription it is not possible to send sign requests on level Qualified.
Where can I use Qualified Electronic Signature (QES)?
QES is a European standard and can therefore be used within all EU Member States. Because eIDAS guidelines are leading for other regions and countries, you probably also comply in countries or regions outside of the EU. Please verify which level is required for your specific use case.
Can you briefly explain the process for obtaining a qualified certificate and sign Qualified?
After QES is activated in your account (see also previous question) you can start sending out Sign requests on level Qualified. Here you can define the level of Authentication (Qualified Signing by CM.com) and send the sign request. When the signee has filled out all the required data and presses the ‘Sign’ button, a QR code is shown to start the QES signing process. After scanning the QR code, the user is taken to the Digidentity app (and if it is not installed, to the Play Store / App Store). After installing the app, an account needs to be created, and once the account is activated the qualified digital certificate can be created by scanning the ID document and reading the data using NFC. Once the certificate is activated, the user is able to sign documents on level Qualified.
I have issues with account activation, requesting a digital certificate, or with signing on level Qualified.
QES is offered through our partner Digidentity. You can find an overview of questions and answers at Digidentity. If you are not sure who to ask, just let us know and we will take care of it.