eSignature in the EU
This Directive establishes the legal framework at European level for electronic signatures (eSignatures) and the recognition of certification-service providers. The aim is:
|
— |
to make eSignatures easier to use and
|
|
— |
help them become legally recognised within all EU countries.
|
ACT
Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures.
SUMMARY
This Directive lays down the criteria that form the basis for legal recognition of eSignatures. It focuses on regulating certification-service providers. It sets down:
|
— |
common requirements for certification-service providers in order to secure cross-border recognition of eSignatures and certificates throughout the European Union (EU);
|
|
— |
common rules on liability to help build confidence among users, who rely on the certificates;
|
|
— |
cooperative mechanisms to facilitate cross-border recognition of eSignatures and certificates with non-EU countries.
|
The Directive defines new ideas:
|
— |
the electronic signature, data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.
|
|
— |
the advanced electronic signature, which meets the following requirements:
|
|
— |
the qualified certificate, which must in particular include:
|
The certificate must also be issued by a certification-service provider which meets specific requirements laid down in the Directive.
Market access
EU countries must not make the supply of certification services subject to prior authorisation of any kind.
EU countries may have their own schemes to encourage certification with enhanced features. They may not limit the number of accredited certification-service providers. Nor may they restrict the supply of certification-services originating in another EU country
EU countries may make the use of eSignatures in the public sector subject to possible additional requirements. These requirements must be objective, transparent, proportionate and non-discriminatory.
Legal effects of eSignature
An advanced eSignature based on a qualified certificate satisfies the legal requirements of a signature in relation to data in electronic form in the same way as a handwritten signature satisfies those requirements in relation to paper-based data. [For convenience, this type of signature can be called a ‘qualified eSignature’. Although the Directive describes it, it does not actually define it]. It is also admissible as evidence in legal proceedings.
An eSignature may not legally be refused as evidence in legal proceedings simply because it is:
|
— |
in electronic form;
|
|
— |
not based on a qualified certificate;
|
|
— |
not created by a secure signature-creation device.
|
Liability
EU countries must ensure that a certification-service provider which issues a qualified certificate takes certain responsibilities. These include liability for damages in regard to any person or entity who reasonably relies on the certificate for:
|
— |
the accuracy of all information in the qualified certificate at the time of its issue,
|
|
— |
the fact that the certificate contains all the details prescribed for a qualified certificate at the time of its issue, and that the signatory identified in the certificate is the person to whom it was issued.
|
The certification-service provider may impose a limit on the value of transactions for which the certificate can be used. This limit must be made evident to third parties. The provider must not be liable for damage arising from use of a qualified certificate that exceeds the limitations placed on it.
International aspects
EU countries must ensure that mutual legal recognition of qualified certificates and eSignatures from non-EU countries is applied. Certain reliability conditions must be met such as:
|
— |
the non-EU providers meet the requirements of this directive and are accredited in an EU country's voluntary accreditation scheme; or
|
|
— |
an EU provider which meets the requirements of the directive can guarantee non-EU providers' certificates to the same extent as its own certificates.
|
The European Commission may make proposals to ensure that international standards and agreements are fully implemented.
Data protection
EU countries must ensure that certification-service providers and national bodies responsible for accreditation or supervision comply with Directive 95/46/EC on the protection of personal data.
New Electronic Identification and Trust Services (eIDAS) Regulation adopted
The eIDAS Regulation (Regulation (EU) No 910/2014) was adopted in 2014. It entered into force on 17.9.2014 and will apply from 1.7.2016, except for certain articles that are listed in its Article 52. Regulation (EU) No 910/2014 repeals Directive 1999/93/EC with effect from 30.6.2016.
For more information, see the European Commission's Digital Agenda for Europe Trust services webpage.
REFERENCES
|
Act |
Entry into force |
Deadline for transposition in the Member States |
Official Journal |
|
Directive 1999/93/EC |
19.1.2000 |
18.7.2001 |
Successive amendments and corrections to Directive 1999/93/EC have been incorporated in the basic text. This consolidated version is for reference purpose only.
RELATED ACTS
Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions - Action Plan on e-signatures and e-identification to facilitate the provision of cross-border public services in the Single Market (COM(2008) 798 final of 28.11.2008).
In this communication, the Commission proposes an Action Plan aimed at assisting EU countries in implementing mutually recognised and interoperable eSignatures and e-identification solutions, in order to facilitate the provision of cross-border public services in an electronic environment. This is essential to avoid fragmentation of the single market.
Actions in the Action Plan are divided in 2 parts:
|
— |
actions targeted at improving the cross-border interoperability of qualified eSignatures and advanced eSignatures based on qualified certificates,
|
|
— |
actions improving the cross-border interoperability of electronic identity.
|
Report from the Commission report to the European Parliament and the Council - Report on the operation of Directive 1999/93/EC on a Community framework for electronic signatures (COM(2006) 120 final of 15 March 2006).
The report indicates that EU countries have implemented the general principles of the Directive.
The Commission notes that transposition of the Directive into EU countries' legislation has met the need for the legal recognition of eSignatures. It therefore considers that the Directive's objectives have been fulfilled and that no need for its revision has emerged at this stage. The Commission nonetheless plans to consult the countries and relevant stakeholders to address a number of issues, particularly on interoperability problems, technical aspects and standardisation.
Commission Decision 2003/511/EC of 14 July 2003 on the publication of reference numbers of generally recognised standards for electronic signature products in accordance with Directive 1999/93/EC of the European Parliament and of the Council (Official Journal L 175 of 15.7.2003, pp. 45-46).
This Decision gives the references of 3 generally recognised standards for electronic signature products which presume compliance with the qualified electronic signature.
Commission Decision 2000/709/EC of 6 November 2000 on the minimum criteria to be taken into account by Member States when designating bodies in accordance with Article 3(4) of Directive 1999/93/EC of the European Parliament and of the Council on a Community framework for electronic signatures (Official Journal L 289 of 16.11.2000, pp. 42-43).
This Decision sets out the criteria that EU countries must take into account when designating national bodies to evaluate the conformity of secure signature-creation devices.
Last updated: 09.01.2015