Digital Identity and Trust: eIDAS Regulation

Are Electronic Signatures Legal Under eIDAS?

Yes. Article 25 of Regulation (EU) No. 910/2014 (eIDAS) states that an electronic signature “shall not be denied legal effect and admissibility in legal proceedings solely on the grounds that it is in electronic form.” It further provides that a qualified electronic signature (QES) has the equivalent legal effect of a handwritten signature across all EU Member States. eIDAS establishes a tiered framework: simple electronic signatures (SES), advanced electronic signatures (AdES) and qualified electronic signatures (QES), each with different requirements.

Legal Framework

• Regulation status: eIDAS came into effect in July 2016 and is directly applicable in all EU member states. In 2024 the EU adopted amendments (eIDAS 2.0) to introduce a European Digital Identity (EUDI) wallet that will provide government‑issued electronic identities by November 2026.
  
  
• Non‑discrimination: All three signature types are admissible as evidence; a signature cannot be denied legal effect because it is electronic.
  
  
• Qualified equivalence: A qualified electronic signature has the same legal effect as a handwritten signature and must be recognized across member states.
  
  
• Levels of assurance:
  
  
  • Simple Electronic Signature (SES): Data attached to electronic data, such as typing a name or clicking an “I agree” button. No specific identification method is required, but reliability and audit trails increase evidentiary weight.
    
    
  • Advanced Electronic Signature (AdES): Must be uniquely linked to and capable of identifying the signer, created using electronic signature creation data under the signer’s sole control, and linked to the data so that any later change is detectable.
    
    
  • Qualified Electronic Signature (QES): An AdES based on a qualified certificate issued by a QTSP and created by a qualified signature creation device (QSCD). QES has the highest evidentiary value and cross‑border recognition.
    
    
• Trust service providers: Only QTSPs listed on the national trust lists can issue qualified certificates. They must meet stringent security and operational standards and undergo regular audits.
  

Requirements for eIDAS‑Compliant Signatures

Simple Electronic Signatures (SES)

• Identification: While identification is not strictly required, SES should reliably record the signer’s intent (e.g., email address, IP address and timestamp).
  
  
• Auditability: Maintain evidence of the signing process and include consent disclosures.
  

Advanced Electronic Signatures (AdES)

• Unique link: The signature must be uniquely linked to the signer and capable of identifying them.
  
  
• Sole control: The signature creation data must be under the signer’s sole control (e.g., private keys stored securely). Any changes to the signed data must be detectable.
  

Qualified Electronic Signatures (QES)

• Qualified certificate: Obtained from a QTSP listed in the national trust list.
  
  
• Qualified signature creation device: A secure device (often a smart card or token) that protects the signer’s private key and meets strict security standards.
  
  
• Identity verification: Signers undergo robust identity verification, often via in‑person or video identification. QTSPs adhere to strict due diligence and security requirements.
  

Use Cases for eIDAS‑Compliant Signatures

eIDAS‑compliant signatures enable secure cross‑border transactions across the EU, such as:

• Government services: e‑filing of tax returns, social security claims and applications for permits.
  
  
• Corporate governance: shareholder resolutions, board minutes and cross‑border M&A agreements.
  
  
• Financial services: opening bank accounts, loan agreements and high‑value securities transactions.
  
  
• Healthcare: consent forms, prescriptions and clinical trial approvals.
  

Implementation Considerations

• Select appropriate signature level: Match the signature type to the risk of the transaction; high‑risk contracts may require AdES or QES.
  
  
• Choose a reputable provider: For QES, work with a QTSP listed on the EU trust list to ensure cross‑border recognition.
  
  
• Audit trails and timestamps: Maintain detailed evidence of the signing process, including time‑stamps from qualified time‑stamping services.
  
  
• Cross‑border recognition: Verify that the certificates and signature device are recognized in all relevant jurisdictions.
  

Future Developments

Under eIDAS 2.0, the EU will roll out the European Digital Identity (EUDI) wallet by November 2026, allowing individuals and businesses to store digital identity credentials. This will streamline identity verification and allow mobile QES signing. Member states are also considering quantum‑resistant cryptography and enhanced security standards to address emerging threats.

Disclaimer

This guide is for informational purposes only and does not constitute legal advice. eIDAS requirements may change; consult legal counsel to determine the appropriate signature level and provider for your transactions.

‍