The Signicat Blog

Legally binding? Debunking myths and clearing misconceptions about electronic signatures

When it comes to electronic signatures, misconceptions are everywhere. For those navigating the world of digital agreements, a misunderstanding of key concepts can easily lead to confusion, non-compliance with regulations, or even legal disputes. By recognising the strengths and limitations of each signature type, organisations can make choices that align with their risk profile and legal requirements, protecting them and enabling growth in an increasingly digital world. To shed light on a sometimes complex topic, we’ve summarised signature levels, common misconceptions, and how our solutions can help you sign with confidence.

Electronic signatures vs digital signatures: know the difference  

First, it’s important to draw a distinction between electronic signatures and digital signatures.  

Electronic signature is a legal term referring to the act of signing in an electronic format, and it is generally technology-neutral.  

Digital signature, on the other hand, is a technical term referring specifically to the use of public-key cryptography. A digital signature secures the authenticity and integrity of a signed document, making it an ideal mechanism for implementing electronic signatures.

Does eIDAS truly rule them all?  

Electronic signatures are governed by different legislation around the world, each with its own nuances. Within Europe, the eIDAS Regulation harmonises electronic signature laws across EU Member States, as well as Norway, Iceland, and Liechtenstein.

eIDAS defines electronic signatures and stipulates requirements for their legal acceptance. Exceptionally, it leaves the use of specific signature types to the discretion of Member States' sectoral laws. For example, some Member States may accept a simple electronic signature for an employment contract, while others demand the highest level, a qualified electronic signature (QES).

Do you really need a QES? eIDAS' electronic signature and its levels 

Under eIDAS, three signature levels are defined, each offering varying guarantees of security and compliance. Here’s an overview: 

1. (Simple) Electronic Signature (SES/ES)  

Electronic Signature, often referred to as Simple Electronic Signature, is the broadest signature category. eIDAS defines it as “data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”. Common examples include scanned handwritten signatures or typed names.  

An SES can be as straightforward as ticking a checkbox on a website or uploading an image of a handwritten signature into an online form. These are typically used in low-risk scenarios where the consequences of fraud or tampering are minimal, such as accepting website terms and conditions. However, SES lacks verification mechanisms to confirm the signer's identity or secure the data from alterations after signing. As such, it is unsuitable for transactions that require higher levels of legal assurance or security.

While simple and widely accepted, SES lacks substantial security guarantees, making it unsuitable for sensitive or high-stakes use cases.  

2. Advanced Electronic Signature (AES)  

To achieve advanced status, a signature must meet the following criteria outlined in eIDAS Article 26: 

  • Be uniquely linked to the signatory. 
  • Identify the signatory. 
  • Be created using electronic signature creation data under the sole control of the signatory. 
  • Detect any subsequent changes to the signed data.  

Technically, this is most commonly implemented using digital signature technology, powered by public-key infrastructure (PKI).  
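The following added example (not Signicat's code or part of the original post) shows how a digital signature delivers two of the Article 26 properties: the signature verifies only under the signatory's key, and any later change to the signed data makes verification fail. It assumes Ed25519 over a SHA-256 digest and uses a bare public key where a real PKI would use a certificate binding the key to an identity; the function names and sample documents are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Sign hashes the document and signs the digest with the signatory's private
// key (the "signature creation data" that must stay under their sole control).
func Sign(priv ed25519.PrivateKey, doc []byte) []byte {
	digest := sha256.Sum256(doc)
	return ed25519.Sign(priv, digest[:])
}

// Verify recomputes the digest of the document as received and checks the
// signature against the public key the relying party trusts for the signatory.
func Verify(pub ed25519.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ed25519.Verify(pub, digest[:], sig)
}

// Demo runs three checks with constructed sample data and hypothetical
// parties: the untouched document, an altered document, and a signature
// made with someone else's key but presented as the signatory's.
func Demo() (okOriginal, okTampered, okForged bool) {
	alicePub, alicePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	doc := []byte("Constructed sample: Alice agrees to pay EUR 100.")
	altered := []byte("Constructed sample: Alice agrees to pay EUR 900.")

	sig := Sign(alicePriv, doc)
	okOriginal = Verify(alicePub, doc, sig)              // valid signature
	okTampered = Verify(alicePub, altered, sig)          // change is detected
	okForged = Verify(alicePub, doc, Sign(otherPriv, doc)) // not linked to Alice
	return
}

func main() {
	fmt.Println(Demo())
}
```
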

Signicat’s AES solutions go beyond basic compliance. We ensure identities are properly verified, data integrity is maintained, and processes are securely executed, providing peace of mind for users and organisations alike.  

3. Qualified Electronic Signature (QES)  

A QES builds on the foundation of an AES with two additional requirements: 

  • Identity of the signer proven by a qualified certificate issued by a qualified certification authority (QCA). 
  • The private key (used to create the signature) being stored in a qualified signature creation device (QSCD), such as a hardware security module (HSM).  

QES is the gold standard, meeting the highest legal requirements across EU Member States. Public authorities cannot mandate higher levels of signature security, making QES the ultimate assurance of compliance.  

At Signicat, we leverage our expertise and infrastructure to provide QES solutions that are both robust and seamless to use. Whether you’re operating locally or across borders, our certifications and adherence to standards guarantee the trustworthiness of your QES implementation.  

The “legally binding” myth: Is QES the only option?  

A persistent myth is that only qualified electronic signatures (QES) are legally binding. However, eIDAS Article 25.1 explicitly states that no electronic signature shall be denied legal effect solely because it is in electronic form or does not meet the QES requirements.

That said, specific sectoral laws or circumstances may require higher signature levels. For example, if a QES is legally mandated for a use case, anything less than a QES will not suffice.  

It’s also important to note that all signatures, even QES, can be subject to dispute. If a signer can prove to a court or arbiter that they were misled, threatened, or didn’t sign willingly, even a valid QES won't be legally binding. While a QES meets all EU signature requirements, including cross-border, it doesn’t guarantee legal enforceability. 

To help you manage e-signing complexities and reinforce legal enforceability, Signicat’s signature solutions have three key advantages: 

  1. Signicat’s solutions cater to the varying requirements across jurisdictions while complying with eIDAS and local regulations alike, so that your documents are authentic and secure and your process is legally robust. 
  2. As a qualified trusted third party, Signicat controls the signing process, ensuring that none of the actors involved can tamper with the document or obfuscate the process. 
  3. Signicat provides a comprehensive audit trail. From initial document access to the final confirmation, every step is securely logged, providing extremely strong evidence in the event of a challenge.  

With trusted providers like Signicat, businesses gain access to the tools and expertise needed to confidently handle the complexities of electronic signatures, empowering them to focus on what matters most: their mission and value creation.