The Council of the European Union and the European Parliament have adopted the eIDAS regulation (regulation for trust services necessary for electronic identification and electronic transactions) with the purpose of simplifying cross-border use of electronic services. This facilitates the achievement of a common digital market and a functioning digital economy. The regulation mainly addresses public electronic services.
The eIDAS regulation aims to create a level of trust in the digital world that would equal that of the physical world. To achieve that, common principles on the acknowledgment of electronic identity and digital signatures were established for European public institutions. The comparability, recognition, and common grounds for operation are also ensured for trust services.
Pursuant to the regulation, all Estonian state and local government institutions and private companies who provide public services must recognise digital signatures from all EU members as of 1 July 2016.
Similarly, public sector institutions of other EU Member States must accept digital signatures provided by Estonian citizens. Digital signatures of EU citizens that are equal to nationally used digital signatures must be accepted.
For a private person to provide a digital signature accepted in Europe or to verify the validity of a digital signature on a document sent from another EU country, the person’s computer must have an up-to-date operating system and the newest DigiDoc client software.
- eIDAS regulation
Explanation of eIDAS authentication levels and requirements
Europe uses the term ‘electronic signature’ and divides the signatures into four levels of trust.
The highest of these, a signature equal to a handwritten signature, is called a digital signature in Estonia.
States may also use electronic signatures with a lower level of trust. Electronic signatures with a lower level of trust may be, but need not be, accepted.
As a warning, the DigiDoc Client marks signatures with a lower level of trust in yellow.
Qualified electronic signature (QES) – equal to a handwritten signature. This advanced signature is based on qualified certificates and has been created with qualified means of signing. A qualified certificate guarantees that the identity of a natural person was established when the certificate was issued. Qualified means of signing guarantee that the data used for creating the signature (the private key) is strictly under the sole control of the signatory.
Advanced electronic signature with qualified certificates (AdES/QC) – an advanced electronic signature that is based on qualified certificates but does not use qualified means of signing. This means that the data for creating signatures (the private key) may be installed on the user’s computer, for example. The key may also be located on a smart card, but the means and their creation/sharing have not been audited or certified (there is no guarantee).
Advanced electronic signature (AdES) – corresponds to the following minimum criteria:
- the signature is only connected to the signatory;
- the signature makes it possible to identify the signatory;
- the signature has been created with the data necessary for signing, and the high level of confidentiality of that data ensures that it is under the sole control of the signatory;
- the signature is connected with the data of the signatory in a way that allows all later changes in the data to be identified.
Other electronic signatures are any other solutions that do not comply with the above-mentioned requirements. These may be service-based signatures (e.g. EchoSign supported by Adobe Acrobat Reader) as well as signatures drawn by hand or with a stylus on touchscreens.
Verification of electronic signatures
When an electronically signed document is opened, the DigiDoc client software checks whether the certificate used for signing has been issued by a trusted establishment.
The software then indicates whether the electronic signature is equal to a handwritten signature. If the electronic signature is not equal to a handwritten signature, it may be accepted for operations that do not require a handwritten signature (but in this case, it should be considered whether an electronic signature is necessary at all).
Electronically signed documents may have different file formats. Currently, the most widespread formats for electronically signed documents are PDF and the signature format with the extension .asice.
The DigiDoc client software makes it possible to sign in the national BDOC format as well as in the ASiC-E format recognised in Europe. To ensure the validity of a digital signature in other Member States, please select the .asice format instead of the .bdoc format when providing a digital signature. A signature in this format is equal to a handwritten signature within the European Union.
Private sector establishments decide on their own whether and at which security level to accept electronic signatures. It is recommended to update the information systems that process digital signatures. Only this guarantees that signatures provided in Estonia in the .asice format qualify in the solutions of other countries and vice versa.