In an ever-increasing digital world, electronic communications between transaction parties have become the norm and the exchange of electronic documents is daily routine in transactions (whether occurring locally or cross-border). In this digital environment, therefore, it is imperative that the right tools are utilised to ensure that no legal mishaps occur: electronic signatures, electronic seals and electronic time stamps, as well electronic identification mechanisms are in place on the basis of a pan-European legal framework guaranteeing that the use of electronic communications is undertaken in a secure and consistent manner.
In this article, we set out the legal framework for the use of the electronic tools mentioned below and describe how we can assist you to implement your digital strategies efficiently.
The eIDAS Regulation
The European Union, understanding that it is essential to provide for a legal framework to facilitate cross-border recognition, has been in the front-run: a European electronic signatures framework was put in place in 1999 through the enactment of the eSignature Directive (1999/93/EC) and has been adapted gradually to meet the needs of our modern era. The current legal framework is based on Regulation (EU) No 910/2014 on Electronic Identification, Authentication and Trust Services (the eIDAS Regulation).
The eIDAS Regulation aims to enable convenient and secure electronic transactions across EU borders for citizens, businesses, and public sector institutions. It entered into force on 17 September 2014 and became directly applicable throughout the EU since 1 July 2016 by the fact that it is a regulation, and not a directive (as was its predecessor, the eSignature Directive (1999/93/EC) which was repealed by the eIDAS Regulation.
The eIDAS Regulation establishes an EU-wide legal framework for electronic signatures, seals, time stamps and documents and introduced the concept of “trust services”.
The electronic signatures
An “electronic signature” under the eIDAS Regulation is defined as “any data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
In practice, the eIDAS Regulation recognises three types of electronic signature – electronic signature as a type of signature, and advanced and qualified electronic signatures.
(a) electronic signature: the first type is as simple as applying a scanned signature image or clicking the “I accept” button on a website.
(b) advanced electronic signature: a type of electronic signature meeting specific requirements set out in Article 26 of the eIDAS Regulation so that it provides a higher level of security. The Regulation requires that it is:
(i) uniquely linked to the signatory;
(ii) capable of identifying the signatory;
(iii) created using electronic signature creation data that the signatory can, with a high level of confidence, use under his/her sole control; and
(iv) linked to the data signed in such a way that any subsequent change in the data is detectable
(c) qualified electronic signature: the only electronic signature type to have special legal status in EU member states, being the legal equivalent of a written signature. In order for an electronic signature to be qualified, it must meet the advanced electronic signature requirements and, in addition, be backed by a qualified certificate issued by a trust service provider (TSP) authorised by a national supervisory body to provide qualified trust services.
The concept of “trust services” introduced by the eIDAS Regulation is very important in the new digital world as it facilitates cross-border interaction by recognising the use of trust services as evidence in legal proceedings in all Member States and, moreover, by giving precedence to trust services complying with this eIDAS Regulation over compliance with national laws and regulations.
An electronic trust service is an electronic service normally provided for remuneration consisting of:
(a) the creation, verification and validation of electronic signatures, electronic seals or e electronic time stamps, electronic registered delivery services and certificates related to those services, or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services.
Qualified trust service providers in Cyprus
eIDAS also introduced the concept of qualified trust services and qualified TSPs. Qualified TSPs can issue qualified certificates which are subject to a more comprehensive regulatory regime. A TSP that intends to provide qualified trust services must submit a notification of its intent and a conformity assessment report to its national supervisory body. The supervisory body will then assess whether that TSP complies with the requirements under eIDAS and must pre-approve it before the TSP begins providing qualified trust services. Similarly, a qualified TSPs established in another Member State needs to notify the national supervisory body. In this way, the eIDAS Regulation attempts to ensure that qualified TSPs across Europe meet the same high-level security standards.
In Cyprus, the supervisory body is, pursuant to Law 55(I)/2018, the Department of Electronic Communications of the Ministry of Transport, Communications and Works. TSPs that are granted qualified status by the Department of Electronic Communications are included on a "trusted list" which currently has one company established and operating in Cyprus and two companies established in another Member State of the European Union and operating in Cyprus, as qualified TSPs.
As a qualified TSP, these companies can issue digital certificates for electronic signatures, both for natural persons and for natural persons acting on behalf of a legal entities, as well as certificates for electronic seals for legal entities.
The digital certificates can then be used by their holder to electronically sign any form of electronic documents (including PDFs, Word, Excel files, etc.) and such electronic signature, coupled with the digital certificate, will have the same legal force as a handwritten signature and will be recognised in all Member States of the European Union.
Obtaining a digital certificate
Each of the TSPs has issued its Certification Practice Statement that sets out the basis on which the qualified trust services are provided to subscribers and/or subjects; these two terms are used to distinguish between the person (i.e. the subscriber) who bears the ultimate responsibility for the use of the credential provided by the TSP and the individual (i.e. the subject) that is authenticated when the credential is presented. In few words, subscriber means a natural or legal person to whom the TSP provides the trust services, while the subject may be either (a) a natural person or (b) a natural person who is identified in association with a legal person or (c) a legal person.
At Harneys, we can assist you with all aspects of your application whether you are natural person or a legal person including by appearing in front of the TSP to submit the relevant documentation , assisting with putting together the appropriate documentation and certifying/arranging for certification as appropriate.