Legal implications varying from country to country, it means that there is much more to consider than the technology for electronic signature projects. Meticulous preparation is needed to identify the company requirements and constraints relating to electronic signatures, which are a key component of digital transformation.
Varying regulations relating to electronic signature security and legal value
Legally speaking, the principle remains the same: confirm the signatory’s consent. But depending on the scope of the commitment implied by the signature, it alone may not be enough. This is the case in France, for instance, where the signatory’s identity must be verified when signing a notarized deed. On the other hand, accepting the general terms of sale on an e-commerce does not requires such formalities.
In other words, a signature only has legal value and confirms the signatory’s consent if the relevant regulations are observed. These vary depending on the type of document, the sector of activity and the country’s jurisdiction.
These principles apply whether the signature is handwritten or electronic. And all electronic signature projects must comply with the applicable regulations and standards, mandatory and optional. This is done in a bid to strengthen digital trust. In Europe, European regulation eIDAS (Electronic IDentification And Trust Services) governs electronic signatures. Introduced in 2016 to promote digital trust, it defines three main types of signature: simple, advanced and qualified. Outside Europe, in North Africa in particular, the regulation is different.
Uses of electronic signatures
Uses include “simple” validation of documents from a company, online contract signing, direct debit, and signing an administrative act.
The required level of guarantee must be determined (low, substantial or high) prior to embarking on a signature project.
In other words, you need to define which degree of trust to offer on the signatory’s identity or alleged identity.
You need to start by identifying the planned uses, the required security levels and the signing parties. The latter can be internal personnel, the ecosystem of clients, partners and suppliers, professionals or private individuals. The architecture will vary depending on their status and if they belong to the company implementing the electronic signature project.
In-house, two types of signature can be used: server stamp and the personal qualified or non-qualified signature. A server stamp is similar to an electronic stamp and can be easily integrated into a third-party system. It can be used to sign purchase orders, joined with an ERP system, or employment contracts if used with the company’s HRIS.
Personal signature, on the workstation or via an embedded certificate in a device, can be used to get employee consent. On the workstation, the signature can be via the personal certificate registered in the Windows store, while a qualified signature uses a device-embedded certificate.
For online contract-signing with third parties, the server personal signature needs to be used. A temporary certificate is generated in the name of the signing party. This person then receives a one-time password -OTP- to confirm their consent. The system appends two signatures, one for the person and one for the company.
To increase the level of security, two-factor strong authentication can be added upstream of the electronic signature system and the security keys can be protected with an HSM (Hardware Security Module).
The three types of electronic signature technology
From a technology point of view, there are several possible approaches for generating certificates. SaaS solutions can provide the service at a reasonable cost for occasional use or a limited signatories number. However, if the electronic signature needs to be deployed on a large scale for numerous users, its own system is required.
In this situation, the required architecture has at least three systems, depending on the targeted level of security. The first is a Public Key Infrastructure (PKI) for issuing digital certificates and which is also used for authentication and encryption. A signature server is essential as it enables the signatures to be appended and verified. A document archiving system with legal value is required to guarantee the correct long-term retention and integrity of the signed documents.
Here again, for a higher security level, strong authentication mechanisms can be added upstream as well as key-protection in an HSM.
Whatever the use case, the complexity of an electronic signature project means that careful preparation is needed. The requirements, constraints and legal obligations must be clearly defined from the outset in order to design an appropriate and scalable technological foundation able to absorb the exponential growth in use.