Faq

An electronic signature is a data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign, where the signatory is a natural person.

Like its handwritten counterpart in the offline world, an electronic signature can be used, for instance, to electronically indicate that the signatory has written the document, agreed with the content of the document, or that the signatory was present as a witness.

In case you want to seal a document as a legal person (e.g. as a business or organization), you might be instead interested in an electronic seal (What is an electronic seal?)

An electronic seal is a data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity, where the creator of a seal is a legal person(unlike the electronic signature that is issued by a natural person).

In this purpose, electronic seals might serve as evidence that an electronic document was issued by a legal person, ensuring certainty of the document’s origin and integrity. Nevertheless, across the European Union, when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorized representative of the legal person is equally acceptable.

The eIDAS Regulation defines three levels of electronic signature: 'simple' electronic signature, advanced electronic signature and qualified electronic signature. The requirements of each level are built on the requirements of the level below it, such that a qualified electronic signature meets the most requirements and a 'simple' electronic signature the least.

An electronic signature is defined as 'data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign'. Thus, something as simple as writing your name under an e-mail might constitute an electronic signature.

An advanced electronic signature is an electronic signature which is additionally:

• uniquely linked to and capable of identifying the signatory;
• created in a way that allows the signatory to retain control;
• linked to the document in a way that any subsequent change of the data is detectable.

The most commonly used technology able to provide these requirements relies on the use of a public-key infrastructure (PKI), which involves the use of certificates and cryptographic keys.

A qualified electronic signature is an advanced electronic signature which is additionally:

• created by a qualified signature creation device (QSCD);
• and is based on a qualified certificate for electronic signatures.

Like the electronic signature, the eIDAS Regulation defines three levels of electronic seal: 'simple' electronic seal, advanced electronic seal and qualified electronic seal. The requirements of each level are built on the requirements of the level below it, such that a qualified electronic seal meets the most requirements and a 'simple' electronic seal the least.

Nevertheless, levels of electronic seals don’t have the same definitions, requirements, nor legal effects than levels of electronic signatures:

'Simple' electronic seals

An electronic seal is defined as data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity".

Advanced electronic seals (AdES)

An advanced electronic seal is an electronic seal which is additionally:

• uniquely linked to the creator of the seal;
• capable of identifying the creator of the seal;
• created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation;
• linked to the data to which it relates in such a way that any subsequent change in the data is detectable

The most commonly used technology able to provide these requirements relies on the use of a public-key infrastructure (PKI), which involves the use of certificates and cryptographic keys.

Qualified electronic seals (QES)

Similar to a qualified electronic signature, a qualified electronic seal is an advanced electronic seal which is additionally:

• created by a qualified seal creation device (QSCD);
• and is based on a qualified certificate for electronic seals.

When signing a document, a pair of keys might be needed (i.e. when the signature relies on the use of public-key infrastructure), namely a ‘public key’ and a ‘private key’. The public key can be publicly shared while the private key shall be securely stored. Especially, the private key is used by the signatory to sign a document while the public key is used by anyone verifying that it is actually the private key of the signatory that has been used to sign the document.

A certificate for electronic signatures, issued by a Certificate Authority (CA), is an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person. This way, the certificate, usually linked to the signed document, can be used to verify the identity of the signatory and whether the document has been signed using the corresponding private key.

Qualified certificates for electronic signatures, by following stricter requirements laid down in eIDAS, provide, for instance, higher guarantees regarding the identity of the signatory and therefore higher legal certainty regarding the created electronic signatures. Especially, qualified certificates are provided by qualified trust service providers (QTSP) which have been audited as such and granted a qualified status by a national competent authority, as reflected in the national Trusted List. Those lists, and therefore QTSPs listed in it, can be browsed in a user-friendly way using the Trusted List Browser (the actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists).

Usually, providers of qualified certificates for electronic signatures deliver the corresponding private key on a qualified signature creation device (QSCD).

When sealing a document, a pair of keys might be needed (i.e. when the seal relies on the use of public-key infrastructure), namely a ‘public key’ and a ‘private key’. The public key can be publicly shared while the private key shall be securely stored. Especially, the private key is used by the creator of the seal to seal a document while the public key is used by anyone verifying that it is actually the private key of the creator of the seal that has been used to seal the document.

A certificate for electronic seals, issued by a Certificate Authority (CA), is an electronic attestation that links electronic seal validation data to a legal person and confirms the name of that person. This way, the certificate, usually linked to the sealed document, can be used to verify the identity of the creator of the seal and whether the document has been sealed using the corresponding private key.

Like qualified certificates for electronic signatures, qualified certificates for electronic seals, by following stricter requirements laid down in eIDAS, provide, for instance, higher guarantees regarding the identity of the creator of the seal and therefore higher legal certainty regarding the created electronic seals. Especially, qualified certificates are provided by qualified trust service providers (QTSP) which have been audited as such and granted a qualified status by a national competent authority, as reflected in the national Trusted List. Those lists, and therefore QTSPs listed in it, can be browsed in a user-friendly way using the Trusted List Browser (the actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists).

Usually, providers of qualified certificates for electronic seals deliver the corresponding private key on a qualified seal creation device (QSCD).

Signature/seal creation devices come in many forms to protect the electronic signature/seal creation data (e.g. private key) of the signatory/creator of the seal, such as smartcards, SIM cards, USB sticks. A qualified signature/seal creation device (QSCD), by following stricter requirements laid down in eIDAS, offers higher guarantees regarding the protection (e.g. mitigating any kind of replication or forgery) of the electronic signature/seal creation data (such as the private key) and therefore higher legal certainty regarding the created qualified electronic signatures/seals.

For example, a smartcard (e.g. ID card), when following specific requirements, can be seen as a QSCD as, in order to “unlock” the electronic signature creation data, the signatory shall physically possess the smartcard and know the associated PIN code.

A QSCD is not necessarily in the physical possession of the signatory/creator of the seal but can also be remotely managed by a qualified trust service provider (QTSP). This kind of QSCD is known as “remote QSCD”. Those remote QSCD offer an improved user experience while maintaining the legal certainty offered by qualified electronic signatures/seals.

Across all EU Member States, the legal effects of electronic signatures are laid down in Article 25 of eIDAS.

An electronic signature (either simple, advanced or qualified) shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.

Regarding qualified electronic signatures, they explicitly have the equivalent legal effect of handwritten signatures across all EU Member States.

Across all EU Member States, the legal effects of electronic seals are laid down in Article 35 of eIDAS.

Like an electronic signature, an electronic seal shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic seals.

Regarding qualified electronic seals, they explicitly enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked across all EU Member States.

While different levels of electronic signatures may be appropriate in different contexts, only qualified electronic signatures are explicitly recognized to have the equivalent legal effect of hand-written signatures all over EU Member States.

Moreover, as a general rule, if a certain level of electronic signature (e.g. advanced signature) is required, a higher level will probably be accepted (e.g. advanced signature with a qualified certificate, qualified electronic signature).

While different levels of electronic seals may be appropriate in different contexts, only qualified electronic seals explicitly enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked, all over EU Member States.

Moreover, as a general rule, if a certain level of electronic seal (e.g. advanced seal) is required, a higher level will probably be accepted (e.g. advanced signature with a qualified seal, qualified electronic seal).

Nevertheless, when a transaction requires a qualified electronic seal from a legal person, a qualified electronic signature from the authorised representative of the legal person is equally acceptable.

In the first place, in order to sign documents as a natural person (in order to seal documents as a legal person, you might be instead interested in electronic seals), a certificate for electronic signatures is needed. And, using this certificate, electronic signatures can be created. As part of the eIDAS Regulation, these certificates can be purchased from specific providers, named Trust Service Providers (TSP).

Obtain a digital certificate from a TSP

In the case of an ‘advanced electronic signature’, the certificate can be or not qualified. In the case of a ‘qualified electronic signature’, the certificate shall be qualified and the private key related to the certificate shall be stored on a ‘qualified electronic signature creation device’ (QSCD).

As laid down in eIDAS, a qualified electronic signature explicitly has the equivalent legal effect of a handwritten signature.

Providers of qualified certificates for electronic signatures, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List. But providers of non-qualified certificates for electronic signatures could be but are not mandatorily listed in these Trusted Lists.

Trusted Lists, and therefore the providers listed in it, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and Trusted List Browser is “merely” browsing these Trusted Lists.

Choose your TSP using Trusted List Browser

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen).

Select “Certificate for electronic signature” and/or “Qualified certificate for electronic signature” and click “Next”.

Then, select any country you may found appropriate and click “Search”.

Finally, click on any TSP you may found appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website providing more information about this provider and the products it provides.

Sign your document

Once you have a certificate for electronic signature, you will be able to sign documents. TSPs might offer their own step-by-step process for signing digitally.

In the first place, in order to seal documents as a legal person, a certificate for electronic seals is actually needed. And, using this certificate, electronic seals can be created. As part of the eIDAS Regulation, these certificates can be purchased from specific providers, named Trust Service Providers (TSP).

1. Obtain a digital certificate from a TSP

In the case of an ‘advanced electronic seal’, the certificate can be or not qualified. In the case of a ‘qualified electronic seal’, the certificate shall be qualified and the private key related to the certificate shall be stored on a ‘qualified electronic seal creation device’ (QSCD).

As a general rule, if a certain level of electronic seal (e.g. advanced seal) is required, a higher level will probably be accepted (e.g. advanced seal with a qualified certificate, qualified electronic seal).

As laid down in eIDAS, a qualified electronic seal explicitly enjoys the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked.

Providers of qualified certificates for electronic seals, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List. But providers of non-qualified certificates for electronic seals could be but are not mandatorily listed in these Trusted Lists.

Trusted Lists, and therefore the providers listed in it, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.

2. Choose your TSP using Trusted List Browser

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen).

Select “Certificate for electronic seal” and/or “Qualified certificate for electronic seal” and click “Next”.

Then, select any country you may found appropriate and click “Search”.

Finally, click on any TSP you may found appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website providing more information about this provider and the products it provides.

3. Seal your document

Once you have a certificate for electronic seal, you will be able to seal documents. TSPs might offer their own step-by-step process for sealing digitally.

Three formats of advanced signature and one format of signature container are specified in the European Telecommunications Standards Institute (ETSI) standards, namely:

• XML advanced electronic signature (XAdES), based on XML signatures;
• PDF advanced electronic signature (PAdES), based on PDF signatures;
• CMS advanced electronic signature (CAdES), based on Cryptographic Message Syntax (CMS);
• Associated Signature Container (ASiC) based on ZIP format and supporting XAdES and CAdES signature formats.

Especially, following CID 2015/1506, these formats shall be recognised by European public sector bodies.

Advanced electronic signatures and advanced electronic seals being similar from the technical point of view, the standards for formats of advanced electronic signatures apply mutatis mutandis to formats for advanced electronic seals.

When signing/sealing a single document, the format of signature to choose typically depends on the format of the document to sign:

• XML documents are suggested to be signed/sealed using XAdES signature format (either with enveloped or enveloping packaging);
• PDF documents are suggested to be signed/sealed using PAdES signature format;
• Binary files are suggested to be signed/sealed with XAdES or CAdES signature formats (with enveloping packaging).

When signing/sealing multiple documents, it is suggested to use ASiC containers.

Above suggestions are intended for basic usage of the signature/seal of documents. Other formats of signatures might be more appropriate in other specific contexts.

An electronic time stamp is a data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time.

For example, a signatory can use an electronic time stamp to bind a signed document to a particular date and time and prove in the future that the signed document existed at this particular date and time.

As part of eIDAS, a time stamp can be qualified. Following stricter requirements laid down in eIDAS, a qualified electronic time stamp enjoys the presumption of the accuracy of the date and the time it indicates and the integrity of the data (e.g. signed document) to which the date and time are bound.

Across all EU Member States, the legal effects of electronic time stamps are laid down in Article 41 of eIDAS.

An electronic time stamp (qualified or not) shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements of the qualified electronic time stamp.

Regarding qualified electronic time stamps, they enjoy the presumption of the accuracy of the date and the time it indicates and the integrity of the data to which the date and time are bound, across all EU Member States.

Qualified time stamps are provided as part of a service, provided by qualified trust service providers (QTSP). QTSP, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List.

Trusted Lists, and therefore the providers listed in it, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen):

1. Select “Qualified time stamp” and click “Next”.
2. Then, select any country you may found appropriate and click “Search”.
3. Finally, click on any QTSP you may found appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website providing more information about this provider and the products it provides.

Using DSS Demonstration WebApp

In order to easily validate on any format of document whether a signature/seal is qualified, you might be interested in the “Validate a signature” feature of DSS Demonstration WebApp. This demo is based on the open-source library Digital Signature Software (DSS). DSS supports the creation and verification of interoperable and secure electronic signatures/seals in line with the eIDAS Regulation. More information is available in the documentation.

Using Adobe Acrobat Reader (for signatures only)

When the signed document is a PDF, you can also use the “Adobe Acrobat Reader” software. If, via the Signature Panel, the software indicates “This is a Qualified Electronic Signature according to EU Regulation 910/2014”, you can assume the signature is qualified.

Via a qualified trust service

Some qualified trust service providers (QTSP) also offer “qualified validation service for qualified electronic signature/seal” services. When using this kind of service, users ensure the validation service follows requirements laid down in eIDAS and benefit therefore of higher legal certainty.

QTSP, as an eIDAS legal obligation, are mandatorily listed in the corresponding national Trusted List. Trusted Lists, and therefore the providers listed in it, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.

Using Trusted List Browser, go to “Search by Type of service” (top left of the screen):

1. Select “Qualified validation service for qualified electronic signature” or “Qualified validation service for qualified electronic seal” and click “Next”.
2. Then, select any country you may found appropriate and click “Search”.

Finally, click on any QTSP you may found appropriate and, via the “Electronic address” multi-part field of the “Detailed information”, you will find a link to a website

As defined by RFC 5280, a Trust Anchor is the end point of a certificate validation process.

As part of the EU Trusted List, when validating a qualified certificate (i.e. QC for electronic signatures, QC for electronic seals, QC for website authentication), the Trust Anchor is the Service digital identity (Sdi) of a trust service entry (cf. ETSI TS 119 612 v2.1.1). It means that, when validating a certificate, there is no need to chain up to the Root CA of a qualified certificate but only to the related CA/QC issuer entry within the Trusted List.

In order to extract the certificate chain from a qualified certificate to its issuer, you may find interesting the “certificate validation” feature of DSS Demonstration WebApp. This demo is based on the open-source library Digital Signature Software (DSS). DSS supports the creation and verification of interoperable and secure electronic signatures in line with the eIDAS Regulation. More information is available in the documentation.

You will also find more document information about this certificate validation in the “Introduction to the Qualified electronic signature (QES) validation algorithm” webpage.