What is a qualified electronic signature?
Are you currently digitalising your company’s handwritten signature process? There are plenty of reasons to make this change: first and foremost, e-signatures are much more efficient thanks to faster throughput times and lower costs, they are paper-free, and they allow you to sign documents anywhere at any time.
During your research, you may have come across the term qualified electronic signature. But what does that mean, exactly? What is a digital signature anyway? In this blog post, we want to shed a bit of light on this topic.
Are electronic and digital signatures the same thing?
No. Even though the two terms are often used interchangeably, there is one important difference:
- An electronic signature is primarily a legal term. It is used to describe electronic data that is linked to other electronic data in a certain form and used by a signer to sign (electronic) documents. The law differentiates between various standards for the implementation of electronic signatures that make it possible to verify the identity of the signer and the integrity of the document with varying levels of security.
- A digital signature is a mathematical process used to validate the authenticity of digital messages or documents on the basis of asymmetric cryptography. A digital signature makes it possible to implement an electronic signature with a high level of security.
In this blog post, we will discuss one form of these signatures in detail – a qualified electronic signature, or QES for short.
What is a qualified electronic signature?
A qualified electronic signature is essentially an all-inclusive package for signatures that meets the strictest requirements in terms of security and compliance and is used by insurance companies, auditors, lawyers, tax advisors and banks. It is the world’s highest available e-signature standard with maximum legal weight and is recognised by every court of law. This is made possible when an independent, government-certified trust service provider (TSP) such as Swisscom or GlobalSign issues a certificate that guarantees the authenticity of the signed document as well as the identity of the signer.
"The European Union’s eIDAS regulation and the Swiss Federal Act on Electronic Signatures (ZertES) therefore define the QES as the only form of electronic signature that is equal to a handwritten signature before the law."
This means that whenever the written form – meaning a handwritten signature – is required by law for a contract, it can be replaced by a QES in the digital world. Naturally, in order to protect against possible risks, a QES may be used for any other contract in which the signer requires the greatest possible security in terms of their signature. Companies in strictly regulated environments may choose to use the QES as their standard signature for compliance reasons.
How does a qualified electronic signature work?
Newcomers to the world of digital signatures may have to get used to a few things. Unlike with a handwritten signature made using a pen, in the digital world the image of the signature itself is not the decisive factor for the validity of a secure online signature. What counts is the electronic certificate from the trust service provider (TSP) that is attached to the PDF. In the case of a QES, the certificate can only be issued after the signer’s identity has been verified for the first time by means of an official ID. The certificate therefore confirms the identity of the signer, while the signature provides information about the time of the signature and the integrity of the document. The signature therefore guarantees that the PDF has not been changed since it was signed.
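The checks described above, as an added Node.js example (not Skribble's or any TSP's code): a simplified model in which the TSP's key signs a certificate binding a name to a public key and time-stamps the signer's signature over the document digest. Real QES uses X.509 certificates inside the PDF; every function name, the sample name, the contract text and the time are constructed for illustration.

```javascript
// Added illustration, not Skribble's or any TSP's code: a simplified model of the
// checks (real QES uses X.509 certificates in PDF/PAdES). All names are hypothetical.
const crypto = require('node:crypto');
const bytes = (obj) => Buffer.from(JSON.stringify(obj));
const sha256 = (buf) => crypto.createHash('sha256').update(buf).digest('hex');
const sign = (key, obj) => crypto.sign(null, bytes(obj), key).toString('base64');
const check = (key, obj, sig) =>
  crypto.verify(null, bytes(obj), key, Buffer.from(sig, 'base64'));

// TSP: after the identity check, bind the signer's name to their public key.
function issueCertificate(tspKey, subject, signerPublicKey) {
  const body = { subject, publicKey: signerPublicKey.export({ type: 'spki', format: 'pem' }) };
  return { body, tspSignature: sign(tspKey, body) };
}
// Signer signs the document digest; the TSP time-stamps that signature.
function signDocument(signerKey, tspKey, certificate, document, time) {
  const signed = { digest: sha256(document) };
  const stamp = { signature: sign(signerKey, signed), time };
  return { signed, certificate, stamp, tspStamp: sign(tspKey, stamp) };
}
// Verifier: needs only the document, the container and the TSP's public key.
function verifyDocument(document, sig, tspPublicKey) {
  const cert = sig.certificate;
  if (!check(tspPublicKey, cert.body, cert.tspSignature))
    return { valid: false, reason: 'certificate not issued by trusted TSP' };
  const signerKey = crypto.createPublicKey(cert.body.publicKey);
  if (!check(signerKey, sig.signed, sig.stamp.signature))
    return { valid: false, reason: 'signature does not match certificate key' };
  if (!check(tspPublicKey, sig.stamp, sig.tspStamp))
    return { valid: false, reason: 'time stamp not issued by trusted TSP' };
  if (sha256(document) !== sig.signed.digest)
    return { valid: false, reason: 'document changed after signing' };
  return { valid: true, signer: cert.body.subject, signedAt: sig.stamp.time };
}
// Constructed sample run: keys, name, contract text and time are made up.
function demo() {
  const [tsp, alice, rogue] = [0, 1, 2].map(() => crypto.generateKeyPairSync('ed25519'));
  const doc = Buffer.from('Contract: buyer pays 100 CHF');
  const make = (signer, issuer) => signDocument(signer.privateKey, issuer.privateKey,
    issueCertificate(issuer.privateKey, 'Alice Example', signer.publicKey),
    doc, '2024-01-15T10:00:00Z');
  const good = make(alice, tsp);
  return {
    original: verifyDocument(doc, good, tsp.publicKey),
    tampered: verifyDocument(Buffer.from('Contract: buyer pays 900 CHF'), good, tsp.publicKey),
    forged: verifyDocument(doc, make(rogue, rogue), tsp.publicKey), // self-issued cert
  };
}
```

The verifier trusts nothing in the container except what chains back to the TSP's public key, which is why a self-issued certificate carrying the same name is rejected before the signature is even examined.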
Maximum security and data protection conformity for EU companies
For European companies that need to deal with a lot of legal documents and for which security is a top priority, qualified electronic signatures are the best choice. Like all secure e-signatures, a QES is created using asymmetric cryptography.
"Every signature has a public and a private key. While the public key is accessible to everyone and allows anyone to verify the signature, the use of the private key in the case of Skribble can only be authorised by the signer themselves via two-factor authentication. This means that only the authorised signer has access."
As a European service provider, Skribble offers security as well as the highest level of data protection with its QES. In this way, Skribble complies with the requirements of both the European General Data Protection Regulation (GDPR) and the Swiss Federal Act on Data Protection (FADP). Its hosting is certified in accordance with ISO 27001, 100% of its hosting servers are located in Switzerland, and its hosting services have the same level of security as Swiss banks.
Trust service providers guarantee maximum legal weight with personal certificates
"Ultimately, the maximum legal weight of the QES is guaranteed by the independent trust service provider (TSP). The TSP confirms that the signature was carried out by a natural person with a personal certificate and verifies the time of the signature with a time stamp. The QES certificate links the public key with a unique identity."
Since the TSP as the issuer of the certificate (e.g. Swisscom) is regularly audited and certified by a government agency, the QES signature is incontestable in court. A QES is therefore always personal and cannot be repudiated. However, with Skribble, the user hardly notices all of this technical complexity behind the scenes. Thanks to our mission of combining maximum security with maximum user-friendliness, using Skribble to create a QES is child’s play.
Who offers qualified electronic signatures and what does it cost?
There are lots of signature providers on the European market, but few of them are focused on the QES, which is more complex. DocuSign and Adobe, for example, only offer simple electronic signatures off the peg. For advanced and qualified electronic signatures, a corporate client would need to conclude an additional contract with a trust service provider (TSP), integrate this into the process and pay for this service separately.
That is complicated, time-consuming and expensive. But not with Skribble, where multiple TSPs are integrated from the very first minute – once a client has created an account, this option is immediately visible as a possible upgrade and is seamlessly integrated into the user navigation. DocuSign, on the other hand, does not include a time stamp even after a user has integrated their own TSP. Instead, they record the time from the user’s computer in the signature.
Standard price models for corporate clients
In addition to one-off prices for private users, the most common price models for companies are volume-based packages with a certain number of signatures, users (seats) or documents in circulation (envelopes) included. Prices vary greatly among different providers depending on the model.
"Since trust service providers (TSPs) are often not included in these offers, corporate clients are often left with the difficult task of determining the price for a QES themselves. At Skribble, the prices for all e-signature standards are broken down transparently and can be viewed immediately."
Skribble offers its corporate clients unlimited seats or users – that means that all employees can sign documents, even if they only need to do so once a year. This allows the company to save even more, because everyone can switch to electronic signatures internally as well. Read more on our pricing page.
Some other service providers, such as DocuSign, offer a price model based on the number of seats, or users. This means that companies tend to only purchase seats for employees who regularly need to sign documents. Everyone else can only be invited to sign documents, but cannot initiate signatures themselves.
Qualified electronic signatures require an identity check in advance
Anyone who wants to sign a document with a qualified electronic signature will need to verify their identity beforehand. This is one of the reasons why a QES can offer such a high level of security and validity. However, in the past, this was also one of the biggest hurdles preventing these signatures from conquering the market.
"Appearing in person to verify your identity is costly and time-consuming. In the European Union, however, it is also possible to verify your identity via video. Skribble has seamlessly integrated video identification for QES in accordance with eIDAS into its platform. This means anyone who wants to sign documents with a QES in accordance with EU law can set things up conveniently in the comfort of their own home."
Online identification only takes a few minutes and can be done in English or German. Once you have created an account with Skribble, you will have the opportunity to complete this step.
If you want to sign documents in accordance with Swiss law, you will still need to verify your identity in person – for example at a Swisscom shop or within your company after completing the necessary training. The advantage of this method is that it gives you the option of signing any contract in accordance with EU or Swiss law as needed.
Conclusion
A QES is the standard of choice with maximum legal weight for all contracts that require the written form or where maximum security is required in order to protect against possible risks. Skribble offers everything you need for QES from a single source – including trust service providers (TSPs) and an identification solution. With providers such as Adobe or DocuSign, business customers need an additional partner for identification services and also need to find their own TSP.