It provides rules for legal certainty and technical interoperability for eIDs and e-signatures and the Trust Service Providers (TSPs) that offer these services.
It defines three e-signature levels: basic, advanced and qualified e-signatures
It recognises that both natural persons and legal entities can sign documents (e-signatures and e-seals)
It sets the rules for Trust Service Providers (TSPs)
Uniquely linked to the signer
Users are provided with individual digital signature keys or can alternatively use unique keys sourced from third-party Certificate Authorities (CAs).
Created using electronic signature creation data that the signer can, with a high level of confidence, use under his or her sole control
User signing keys can be held in a cloud Hardware Security Module (HSM) or locally by the user on a secure smartcard, USB token or smartphone. In all cases the user is securely authenticated before access to their signing key is allowed.
Capable of identifying the signer and linked to the signed data in such a way that any subsequent change in the data is detectable
SigningHub creates long-term advanced signatures which contain all the embedded evidence to prove who signed, why they signed, when they signed and what they signed.
A qualified electronic signature (QES) is a secure form of signature which provides the highest level of assurance and non-repudiation – it in fact reverses the burden of proof in case of disputes, i.e. with a QES the signer has to prove that they did not create the signature! Technically, QES are the same as advanced electronic signatures (AES) but require the use of a qualified signature creation device and a qualified digital certificate issued by a trusted Qualified Certificate Authority (CA). SigningHub meets the eIDAS QES requirements.
SigningHub’s remote qualified signature capability provides the best user experience as there is no need for users to handle smartcards/tokens and they can sign from anywhere on any device – all with a high degree of security and legal acceptance across Europe. Remote qualified signatures are considerably more cost-effective as there is no need to provide secure smartcards/tokens to users. However, where a user already holds an eID card with a signing key and qualified certificate, these can be easily used with SigningHub’s local signing capability.
An e-seal is a digital signature created by a legal entity. eIDAS-compliant e-seals have the same properties as e-signatures and are possible at both advanced and qualified levels. The main difference is that e-seals can be created automatically using a corporate key, i.e. without human intervention. This is beneficial when signing a large number of documents, e.g. millions of e-invoices, e-statements or e-bills on a daily basis.
SigningHub meets all technical requirements of eIDAS for advanced and qualified e-signatures and e-seals. Operating as an eIDAS-compliant qualified TSP, however, takes more than just technology. Physical, procedural and personnel security countermeasures are required, as well as a secure enrolment process to verify the identity of users and issue qualified certificates.
Ascertia works through its network of Qualified TSP partners in a number of European countries to offer SigningHub as a qualified signature creation and verification service. Our Qualified TSP partners are responsible for vetting the identity of users, issuing qualified certificates and also operating SigningHub in their secure facilities. This ensures the highest levels of physical, procedural and personnel security and adherence to eIDAS requirements for TSPs, particularly:
EN 319 401 – General policy requirements for Trust Service Providers
EN 319 411 – Policy and security requirements for Trust Service Providers issuing Qualified Certificates
EN 319 421 – Policy and security requirements for Trust Service Providers issuing time-stamps