The law recognizes different levels of electronic signatures, which can be used as a replacement for the handwritten signature. According to European law, a qualified electronic signature (QES) is as legally valid as a handwritten one. The Advanced Electronic Signature and the normal private Electronic Signature have had legal status since July 2016. This means that the signature can be used as proof in legal proceedings. An Electronic Signature of a legal person has no legal value. A prerequisite to its legality is that the method used in placing the electronic signature has to be 'sufficiently reliable' with regard to the purpose of the signature. Consequently, signing methods differ per document type and/or application. Different types of electronic signature exist:
Definition of an Electronic Signature
An electronic signature is a signature 'that consists of electronic data that is attached to or logically associated with other electronic information and which is used for authentication'. The purpose of an electronic signature is to determine:
- the identity of the sender of the electronic information (authenticity and identification);
- the unchangeability of the transmitted data (integrity).
This means that a signature that doesn't meet these requirements is not an electronic signature.
Normal Electronic Signature
A normal electronic signature is electronic data which has been linked to other electronic data for identification purposes. An example of this type of electronic signature is placing a pre-scanned handwritten signature at the bottom of an e-mail. Provided it is possible to prove the validity of the signature (by, for example, a group of known users), this type of signature has legal value. It is relatively easy to falsify an ordinary electronic signature.
Advanced Electronic Signature
An advanced electronic signature is also called a digital signature. This type of signature has to meet the following requirements:
- it is uniquely linked to the signatory;
- it enables identification of the signatory;
- it is created using means that the signatory can maintain under his sole control;
- it is linked to the data to which it relates in such a way that any subsequent change to that data is detectable.
An advanced electronic signature is based on the use of an asymmetric key pair: the private key and the public key. These keys are codes that are inextricably linked to each other and are unique for every certificate. The private key generates the digital signature and is kept secret. The public key is available to everyone and is used to verify the validity of the digital signature. To guarantee the identity of the corresponding certificate, the public key is signed by a Certificate Authority (CA). In doing so, the CA functions as an independent third party, verifying and registering the applicant of the certificate. The actual signing of a digital document using an advanced digital signature consists of two separate stages. Firstly, the computer file containing the document is 'hashed'. This means that a unique code is generated based on the contents of the message and the identity of the sending party. The resulting 'hash value' is then encrypted using the sending party's private key. The end result of this process, the digital signature, is then sent to the receiving party together with the document. The receiving party then checks the validity of the document by decrypting the digital signature, using the public key of the certificate.
The GlobalSign PDF signature is an advanced digital signature.
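The two signing stages and the receiver's check described above, as an added example in Go (not code from the original page or from GlobalSign): it signs a SHA-256 hash with the standard library's RSA PKCS#1 v1.5 routines and shows that verification fails for a changed document and for a different public key. The key pairs are generated on the spot and the invoice text is constructed; in practice the public key would come from a CA-issued certificate, which this example does not validate.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// signDocument hashes the document (stage 1) and signs the hash with the
// signatory's private key (stage 2).
func signDocument(priv *rsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// verifyDocument recomputes the hash of the received document and checks the
// signature against it with the signatory's public key.
func verifyDocument(pub *rsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// demo uses keys generated here as stand-ins for certificate keys (assumption).
func demo() (original, tampered, wrongKey bool, err error) {
	signer, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}
	other, err := rsa.GenerateKey(rand.Reader, 2048) // an unrelated party
	if err != nil {
		return false, false, false, err
	}
	doc := []byte("Invoice 0001: pay EUR 100.00 to account A") // constructed
	sig, err := signDocument(signer, doc)
	if err != nil {
		return false, false, false, err
	}
	changed := []byte("Invoice 0001: pay EUR 900.00 to account A")
	original = verifyDocument(&signer.PublicKey, doc, sig)     // unchanged document
	tampered = verifyDocument(&signer.PublicKey, changed, sig) // content altered
	wrongKey = verifyDocument(&other.PublicKey, doc, sig)      // not the signatory's key
	return original, tampered, wrongKey, nil
}

func main() { fmt.Println(demo()) }
```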
Qualified Electronic Signature
Sufficient reliability is assumed when a qualified electronic signature is used, that is, one that is based on a qualified certificate and created by a secure signature creation device. Without this combination, reliability cannot be assumed. The qualified electronic signature has the same properties as the advanced electronic signature (or digital signature), and is also:
- generated using a certificate issued by a Trusted Third Party (TTP) registered with the ACM;
- marked in the certificate as 'qualified' by the TTP (this is noted in the certificate);
- generated using a 'safe means' (for example a USB token or smartcard), which protects the certificate from being copied;
- issued after a face-to-face verification of the identity of the applicant (so not by, for example, a letter containing a copy of identification documents).
Legal Validity of the Electronic Signature
Of the different kinds of electronic signatures, only the qualified electronic signature is seen as equal to a handwritten signature under the law in all of Europe. Any party claiming the signature to be false or forged will have to provide evidence of this claim. This does not hold true for the other types of electronic signature, where it is up to the signatory to provide evidence in a legal dispute. In practice, the advanced electronic signature is used more than the qualified electronic signature, due to the complicated issuing process of the qualified signature.
Electronic Seals are comparable to an electronic signature; the difference is the identity behind the signature. The eSeal can only be used by an organization or corporate entity and cannot be used as the signature of an individual person. Furthermore, the eSeal will guarantee the origin and integrity of the eSeal, just like the Electronic Signature does. This allows organizations to sign documents as a department instead of having to use an authorized signer.
Signing an invoice
In 2014 the European Union adopted a directive on signed invoicing. This directive standardises the methods used for signing an invoice. Signing an invoice is not obligatory, but guaranteeing the sender and the content of the invoice is. This guarantee can be given by an electronic signature of an individual person, or by an electronic Seal of an entity. The directive needs to be implemented in national law, so the resulting law can differ per country.