Many are unaware of eSigning basics and the differences in styles and methods. This overview explains key terms.
Electronic Signatures are not all the same
European (including UK) legislation for eSigning is based on eIDAS Regulations being adopted across all participating countries and now setting the global standard for eSigning (in a manner similar to GDPR). From simple e-signatures, that typically rely on an email address for identification purposes, to robust and highly secure options, customers can choose from:
This type of electronic signature is the most basic and the most widely used. Also referred to as ‘simple eSignatures’.
An e-signature is an electronic symbol attached to a contract or other record that a person with an intent to sign uses. The definition of “symbol” is very broad, which provides a lot of flexibility (including a keystroke, the swipe of a stylus or even a selected checkbox). If one can prove that data hasn’t been tampered with, e-signatures can be legally binding in certain geographies – especially for use cases that do not have strong signatory identification requirements.
Digital signatures offer greater assurance than simple e-signatures about the identities of the parties involved in a transaction.
They embed cryptographically created public key infrastructure (PKI) item(s) into the signing process to identify both the party requesting a signature and the party providing one. This also guarantees that an electronic document is authentic. eIDAS defines advanced signatures and qualified signatures as types of digital signatures.
Advanced signatures are an intermediate approach between a simple e-signature and a qualified signature.
Advanced signatures are legally binding. They uniquely identify and link a document to its signatory. They offer strong security because: (1) the private key used to create the signature is under the sole control of the signatory and (2) the signature identifies whether the data has been tampered with after the message has been signed (if so, invalidating the signature). This last feature is essential to make the signature legally binding.
This signature carries higher probative value and can’t be challenged easily because the authorship is considered non-repudiable.
These signatures are stronger than advanced signatures. The difference between the two is the addition of a qualified certificate. This certificate is issued by a qualified trust services provider (QTSP), and it attests to the authenticity of the electronic signature to serve as proof of the identity of the signatory. Simply put, a qualified signature further increases the level of security that an advanced electronic signature provides. Under eIDAS Regulations, a QES is legally equivalent to a handwritten wet ink signature (or higher) in all EU member states and close partners (including UK).
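The two properties described above (a change to the data invalidates the signature, and a qualified signature adds a certificate issued by a QTSP) can be demonstrated in Go. This is an added example, not code from Namirial or from any eIDAS specification: the Ed25519 keys, the constructed root certificate standing in for a QTSP, and the names `issue`, `classify` and `demo` are assumptions, and the check models only those two properties.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue returns a certificate for pub signed with parentKey; a nil parent yields a self-signed root CA.
func issue(cn string, serial int64, pub ed25519.PublicKey, parent *x509.Certificate, parentKey ed25519.PrivateKey) *x509.Certificate {
	tpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if parent == nil {
		tpl.IsCA, tpl.KeyUsage, parent = true, x509.KeyUsageCertSign, tpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tpl, parent, pub, parentKey)
	cert, perr := x509.ParseCertificate(der) // returns an error on nil DER if creation failed
	if err != nil || perr != nil {
		panic(fmt.Sprint("certificate setup failed: ", err, perr))
	}
	return cert
}
// classify: altered data is "invalid"; a valid signature is "advanced"; one whose certificate chains to a trusted root is "qualified".
func classify(doc, sig []byte, signer *x509.Certificate, qtspRoots *x509.CertPool) string {
	if pub, ok := signer.PublicKey.(ed25519.PublicKey); !ok || !ed25519.Verify(pub, doc, sig) {
		return "invalid"
	}
	opts := x509.VerifyOptions{Roots: qtspRoots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := signer.Verify(opts); err != nil {
		return "advanced"
	}
	return "qualified"
}
// demo runs three constructed cases: trusted issuer, issuer not on the trust list, altered document.
func demo() [3]string {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	pub, key, _ := ed25519.GenerateKey(rand.Reader) // signer's key pair; the private half stays with the signer
	root := issue("Constructed QTSP root", 1, caPub, nil, caKey)
	leaf := issue("Constructed signer", 2, pub, root, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(root)
	doc := []byte("Pay 100 EUR") // constructed sample document
	sig := ed25519.Sign(key, doc)
	return [3]string{classify(doc, sig, leaf, trusted), classify(doc, sig, leaf, x509.NewCertPool()), classify([]byte("Pay 900 EUR"), sig, leaf, trusted)}
}
func main() { fmt.Println(demo()) }
```

The same signature moves from "qualified" to "advanced" when the verifier's trust list does not contain the issuing root, which is why the relying party's list of trusted issuers matters as much as the signature itself.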
Between different solution providers, there are many different implementations and methods that can satisfy one or more of these signing types. Once the legal match is understood, a deeper examination of other important factors is needed for all intended use cases: infrastructure and device considerations, simplicity of use (internally and for clients) and functional range (workflow, features, etc.).
Giving front-end choices of different signature styles (e.g. type name, hand sign, etc.) and modes (remote online, mobile apps, in-person, etc.) supports the best client and user experiences. When choosing an eSigning service provider, it is important to select one platform that can address all these signing types with only one back-end integration rather than multiple. Non-IT staff can then easily configure each use case. Namirial provides this.
eIDAS not only recognises a hierarchy of different types of signatures, but also different methods between signing by Individuals and the use of Seals by businesses. There are many types of Trust Services available. It also formally recognises trust services providers who play an integral role within the digital identity ecosystem. These TSP (and QTSP) providers help organizations answer the “how to prove who you are” question.
They provide identity authentication and signature (non-repudiation services), which creates trust among parties. These services make parties accountable for their actions. While eIDs and TSPs are covered by different parts of the regulation, TSPs often depend on the same identity verification checks required to issue an eID. TSPs that meet the highest eIDAS quality requirements are “qualified trust services providers” (QTSPs) and can act as a certification authority (CA) and issue qualified identity certificates.
In this way eIDAS promotes cooperation and enables easy cross-border business across Europe. Every business transacting over a public network needs assurance about participants’ digital identities and their actions in binding contracts. Using qualified providers of trust services (identity attribution, authentication, and signature) means transactions will be binding and recognized across Europe without too much compliance burden, as the qualified trust services provider takes care of compliance requirements.
Thus an organisation’s Security and Risk (and IT & Operations) teams have to deal only with the solution’s deployment and potential residual risk.
These capabilities evolve Digital Transaction Management (DTM) use cases. Classic DTM - signing, sharing, and storing documents - is developing rapidly. TSPs assist clients with services such as timestamping, website authentication, and registered electronic deliveries.
Edge use cases are also emerging, including management of digital identities, electronic invoicing, attribution and management of machines’ identities, remote witnessing, etc.
Each industry has its favoured uses. Banks and financial services providers, for example, must comply with an array of requirements about their customers’ identities and their transactions. Banks leverage QTSPs’ qualified digital identities and services to comply with Know Your Customer and Anti-Money-Laundering regulations. But new use cases are emerging. The European Payment Service Directive 2 (PSD2) and connected standards require strong customer authentication (SCA). SCA is improved authentication where customers initiate online payments or access an account. QTSPs can support this use case. Namirial, for example, has a new PSD2-compliant Strong Customer Authentication Platform.
Each provider also has its own unique capabilities. Namirial offers video-based consulting on documents and real-time identification using a choice of many techniques to speed up onboarding uses. It is also a Certificate Authority, which means that it has full control of quality aspects of its activities as a QTSP. Namirial already has one of the broadest and deepest portfolios of solutions in this space; their strength and range of offerings are expected to accelerate with recent PE funding. [1]
Technologies like these are recognised as cornerstones of enterprise digital transformation. A cluster of these and aligned technologies, including workflow and content automation, is referred to as Digital Transaction Management or "DTM". They pave the way for automated customer journeys and employee productivity. To see how this may affect you, some Analyst and Icon resources to inspire include:
[1] Recently Ambienta SGR S.p.A., Europe’s largest Sustainability-focused Private Equity investor, acquired a 70% stake. This enables Namirial to accelerate its growth and it fits Ambienta’s strategic alignment (as Namirial enables efficient remote working and transaction execution, reducing paper use and travel to meetings).