What is Electronic Signature?
Complete Guide to eIDAS Regulation and Signature Levels
An electronic signature is a cryptographic process that guarantees the signer's identity and the integrity of a digital document. The European eIDAS regulation defines 4 levels with increasing legal value.
Definition
An electronic signature is a cryptographic process that:
- Identifies the signer reliably
- Guarantees integrity of the document (no modification)
- Ensures consent of the signer
- Creates a link between the signer and the document
Unlike a scanned handwritten signature (just an image), an electronic signature relies on cryptographic mechanisms that make it unforgeable.
eIDAS Regulation
The eIDAS regulation (electronic IDentification, Authentication and trust Services - EU 910/2014) is the European legal framework for:
- Electronic signatures
- Electronic seals (legal entities)
- Electronic timestamps
- Qualified trust services
Key Principles
- Mutual recognition: A valid signature in one country is valid in all member states
- Non-discrimination: An electronic signature cannot be rejected solely because it is electronic
- Technology neutrality: No specific technology is mandated
Effective July 1, 2016, eIDAS replaces directive 1999/93/EC.
4 Signature Levels
1. Simple Electronic Signature (SES)
Basic level, not technically defined by eIDAS.
- Examples: Checkbox, name entry, click on «I agree»
- Evidentiary value: Low, can be contested
- Usage: Low-stakes documents
2. Advanced Electronic Signature (AES)
Must meet 4 criteria (art. 26 eIDAS):
- Uniquely linked to the signatory
- Capable of identifying the signatory
- Created using data under the signatory's sole control
- Linked to data in such a way that any modification is detectable
- Evidentiary value: Medium to high
- Usage: Commercial contracts, HR, procurement
3. Advanced Signature with Qualified Certificate
Advanced signature + certificate issued by a qualified Trust Service Provider (TSP).
- Evidentiary value: High
- Usage: Regulated documents
4. Qualified Electronic Signature (QES)
Highest security level:
- Advanced signature
- Qualified certificate
- Qualified Signature Creation Device (QSCD)
Article 25.2 eIDAS: «A qualified electronic signature shall have the equivalent legal effect of a handwritten signature.»
- Evidentiary value: Maximum, incontestable
- Usage: Notarial acts, public procurement, authentic documents
Legal Value
Non-Discrimination Principle
Article 25.1 eIDAS: An electronic signature shall not be denied legal effect solely on the grounds that it is in electronic form.
Burden of Proof
| Level | Burden of Proof |
|---|---|
| Simple | Claimant must prove authenticity |
| Advanced | Contester must prove fraud |
| Qualified | Presumption of authenticity (equivalent to handwritten) |
Special Cases
- Public procurement: Advanced signature with qualified certificate at minimum
- Notarial acts: Qualified signature mandatory
- Electronic invoices: Advanced signature recommended
Use Cases
Human Resources
- Employment contracts: Advanced signature
- Amendments: Simple to advanced
- Expense reports: Simple signature
- GDPR documents: Advanced signature
Commercial
- Quotes and proposals: Simple signature
- Client contracts: Advanced signature
- Terms & Conditions: Simple signature
- NDA: Advanced signature
Finance
- Invoices: Advanced signature or seal
- Purchase orders: Advanced signature
- Bank transfers: Qualified signature
Legal
- Leases: Advanced signature
- Authentic acts: Qualified signature
- Powers of attorney: Advanced to qualified
Technical Overview
Asymmetric Cryptography
An electronic signature is based on a key pair:
- Private key: Held only by the signer, used to sign
- Public key: Shareable, used to verify the signature
Signing Process
- Hashing: Creating a unique fingerprint of the document (SHA-256)
- Encryption: The fingerprint is encrypted with the signer's private key
- Association: The encrypted signature is linked to the document
Verification
- Decrypting the signature with the public key
- Recalculating the document fingerprint
- Comparison: If the two fingerprints are identical, the document has not been modified
X.509 Certificates
The electronic certificate associates:
- The signer's identity
- Their public key
- The Certificate Authority (CA) signature
- The validity period
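The signing and verification steps above, combined with the certificate fields just listed, as an added Go example (not part of the original guide and not KaliaOps code). It assumes ECDSA P-256 over a SHA-256 digest and a self-signed certificate standing in for one issued by a CA; the function names, the sample identity and the sample document are constructed for illustration, and validation of the certificate chain up to a trusted CA is not shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func newSigner(name string, from, to time.Time) (*ecdsa.PrivateKey, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // private key stays with the signer
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name}, NotBefore: from, NotAfter: to}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key) // self-signed: stand-in for a CA-issued certificate
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

func signDoc(key *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)                       // fingerprint of the document
	return ecdsa.SignASN1(rand.Reader, key, digest[:]) // private-key operation on the fingerprint
}

// verifyDoc checks the certificate's validity period, then the signature over the recomputed digest.
func verifyDoc(cert *x509.Certificate, doc, sig []byte, at time.Time) error {
	if at.Before(cert.NotBefore) || at.After(cert.NotAfter) {
		return fmt.Errorf("certificate for %q is not valid at %s", cert.Subject.CommonName, at.Format(time.RFC3339))
	}
	digest := sha256.Sum256(doc)
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return fmt.Errorf("signature does not match the document")
	}
	return nil
}

func main() {
	key, cert, _ := newSigner("Alice Example", time.Now().Add(-time.Hour), time.Now().Add(time.Hour))
	sig, _ := signDoc(key, []byte("pay 100 EUR")) // constructed sample identity and document
	fmt.Println(verifyDoc(cert, []byte("pay 100 EUR"), sig, time.Now()), verifyDoc(cert, []byte("pay 900 EUR"), sig, time.Now()))
}
```

With ECDSA the private-key step is a signing operation rather than an encryption of the fingerprint, and verification checks the signature against the recomputed digest instead of decrypting it. A verifier that only checks the signature and skips the validity period or the issuing CA accepts signatures made with expired or untrusted certificates.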
Choosing the Right Level
Selection Criteria
| Criterion | Simple | Advanced | Qualified |
|---|---|---|---|
| Financial stake | < 5,000 EUR | 5-100,000 EUR | > 100,000 EUR |
| Legal risk | Low | Medium | High |
| Regulatory requirement | None | Sector-specific | Legal |
| Cost per signature | 0.50 EUR | 1-3 EUR | 5-15 EUR |
Recommendations
- 90% of cases: Advanced signature (good security/cost balance)
- Internal documents: Simple signature
- Strategic contracts: Qualified signature
- Legal obligation: Follow applicable regulations
KaliaOps and Signature
KaliaOps V2 will integrate electronic signatures natively:
Planned Features
- Workflow-integrated signing: Contract, change, document validation
- eIDAS levels: Simple, advanced, qualified based on document type
- Certificates: Integration with European TSPs
- Qualified timestamp: Date proof
ITSM/CMDB Use Cases
- Vendor contracts: Signature upon validation
- Critical changes: Signed CAB approval
- Compliance documents: Signed audit trail
- Intervention reports: Technician/client signature
EDM Integration
- Signed documents automatically stored
- Signature verification on opening
- Retention with signature proofs
- An electronic signature guarantees the signer's identity and document integrity
- The eIDAS regulation (EU 910/2014) defines 4 signature levels recognized across Europe
- A qualified signature has the same legal value as a handwritten signature
- 90% of contracts can be signed with a simple or advanced signature
- An electronic seal allows sealing documents on behalf of a company
- A qualified timestamp proves a document's existence at a specific date