Legal implications, which vary from country to country, mean that there is much more to consider than the technology when it comes to electronic signature projects. Meticulous preparation is needed so that companies can precisely identify their requirements and constraints relating to electronic signatures, which are a key component of digital transformation.
Varying regulations relating to electronic signature security and legal value
Legally speaking, the principle of the signature remains the same: to confirm the signatory’s consent. But depending on the scope of the commitment the signature implies, the signature alone may not be enough. This is the case in France, for instance, where the signatory’s identity must be verified when a notarized deed is signed. Accepting the general terms of sale when making a purchase on an e-commerce website, on the other hand, requires no such formality.
In other words, a signature only has legal value and only really confirms the signatory’s consent if the relevant regulations are observed. These vary according to the type of document, the sector of activity and, of course, the jurisdiction and therefore the country.
These principles apply whether the signature is handwritten or electronic, and every electronic signature project must comply with the applicable regulations and standards, whether these are mandatory or optional (adopted in a bid to strengthen digital trust). In Europe, and therefore in France, it is the European regulation eIDAS (electronic IDentification, Authentication and trust Services, Regulation (EU) No 910/2014) that governs electronic signatures. Adopted in 2014 and applicable since July 2016 to promote the development of digital trust, the regulation defines three levels of electronic signature: the simple, the advanced and the qualified electronic signature. Only the qualified electronic signature is given the legal effect of a handwritten signature throughout the EU. Outside Europe, in North Africa in particular, the regulation is different.
Uses of electronic signatures
Uses include “simple” validation of documents issued by a company, online contract signing, setting up a direct debit, and signing an administrative act. The required level of assurance on the signatory’s identity must be determined (low, substantial or high, the three assurance levels eIDAS defines for electronic identification) before embarking on a signature project. In other words, you need to define which degree of trust to place in the signatory’s identity, or claimed identity.
You need to start by identifying the planned use(s), the required levels of security and, of course, the signing parties whether they be internal personnel, the ecosystem of clients, partners and suppliers, professionals or private individuals. The architecture to put in place will vary depending on their status and whether or not they belong to the company implementing the electronic signature project.
In-house, two types of signature can be used: the server stamp (what eIDAS calls an electronic seal, which is issued in the name of the company rather than of a person) and the personal signature, qualified or non-qualified. A server stamp can easily be integrated into a third-party system: in conjunction with an ERP system it can sign purchase orders, and in conjunction with the company’s HRIS it can sign employment contracts. The personal signature is applied on the workstation, either with a personal certificate held in the Windows certificate store or, for a qualified signature, with a certificate whose private key is held in a dedicated device (a qualified signature creation device such as a smart card or token), and can be used to obtain consent from employees.
For online contract signing with third parties, the server-side personal signature is used. A temporary certificate is generated in the name of the person who has to sign, who then receives a one-time password through a separate channel and enters it to confirm their consent. The system then appends two signatures, one for the person and one for the company.
To raise the level of security, strong two-factor authentication can be added upstream of the electronic signature system, and the signing keys can be protected in an HSM (Hardware Security Module).
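The online flow just described (temporary certificate in the signatory’s name, one-time password to confirm consent, two signatures) together with the later verification, as an added example in Go. It is not code from the original article or from any signature product. Its assumptions: the company key is an in-memory Ed25519 key standing in for the HSM; the PKI role (issuing the temporary certificate) is folded into the signature server; delivery of the one-time password to the signatory is modelled by a callback that returns what the signatory typed back; the company name, signatory and contract are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// SignedDocument is what goes to the archive alongside the document itself:
// signing time, the signatory's temporary certificate and the two detached signatures.
type SignedDocument struct {
	SignedAt                 time.Time
	SignatoryCert            *x509.Certificate
	SignatorySig, CompanySig []byte
}

// SignatureServer owns the company key. Assumption for this example: an
// in-memory Ed25519 key; in production it would be generated and kept in an HSM.
type SignatureServer struct {
	companyKey  ed25519.PrivateKey
	CompanyCert *x509.Certificate
}

// issueCert generates a key pair and certifies it under the company (the PKI role,
// folded into the server). While the company has no certificate yet the result is
// self-signed: that is how the company's own CA certificate is created.
func (s *SignatureServer) issueCert(tmpl *x509.Certificate) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	parent, signer := s.CompanyCert, s.companyKey
	if parent == nil {
		parent, signer = tmpl, priv
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, priv, err
}

func NewSignatureServer() (*SignatureServer, error) {
	s := &SignatureServer{}
	cert, key, err := s.issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		Subject:      pkix.Name{Organization: []string{"Example Company (constructed)"}},
		NotBefore:    time.Now().Add(-time.Minute), NotAfter: time.Now().AddDate(5, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
	})
	s.CompanyCert, s.companyKey = cert, key
	return s, err
}

// SignWithOTP is the online flow from the text: a temporary certificate in the
// signatory's name, a one-time password sent out of band (modelled by deliver, which
// returns what the signatory typed back), then two signatures over the document digest.
// The signatory's ephemeral private key is used exactly once and then dropped.
func (s *SignatureServer) SignWithOTP(signatory string, document []byte, deliver func(otp string) string) (*SignedDocument, error) {
	now := time.Now()
	cert, key, err := s.issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(now.UnixNano()), Subject: pkix.Name{CommonName: signatory},
		NotBefore:    now.Add(-time.Minute), NotAfter: now.Add(15 * time.Minute), // this session only
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageContentCommitment,
	})
	if err != nil {
		return nil, err
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1000000))
	if err != nil {
		return nil, err
	}
	otp := fmt.Sprintf("%06d", n)
	if typed := deliver(otp); !hmac.Equal([]byte(otp), []byte(typed)) { // constant-time compare
		return nil, errors.New("one-time password mismatch: consent not confirmed")
	}
	digest := sha256.Sum256(document)
	return &SignedDocument{now, cert, ed25519.Sign(key, digest[:]), ed25519.Sign(s.companyKey, digest[:])}, nil
}

// Verify is the later check run by the signature server or the archive: the
// signatory certificate was issued by the company and was valid at signing time
// (it expires within minutes, so SignedAt must be archived too), and both
// signatures hold over the document as archived.
func Verify(document []byte, doc *SignedDocument, company *x509.Certificate) error {
	if err := doc.SignatoryCert.CheckSignatureFrom(company); err != nil {
		return fmt.Errorf("signatory certificate not issued by the company: %w", err)
	}
	if doc.SignedAt.Before(doc.SignatoryCert.NotBefore) || doc.SignedAt.After(doc.SignatoryCert.NotAfter) {
		return errors.New("signatory certificate was not valid at signing time")
	}
	digest := sha256.Sum256(document)
	sigPub, ok := doc.SignatoryCert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(sigPub, digest[:], doc.SignatorySig) {
		return errors.New("signatory signature invalid (wrong key or document modified)")
	}
	if !ed25519.Verify(company.PublicKey.(ed25519.PublicKey), digest[:], doc.CompanySig) {
		return errors.New("company signature invalid")
	}
	return nil
}
```

Two details matter more than the cryptography itself. The one-time password is compared in constant time and a mismatch stops the process before any signature is produced, so consent is established before anything is signed. And because the signatory’s certificate is valid only for the signing session, Verify checks validity at the recorded signing time rather than at the time of verification; this is why the archive must keep the signing time (in practice a trusted timestamp) together with the certificate and the signatures.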
The three components of an electronic signature system
From a technology point of view, there are several possible ways to provide the service. SaaS solutions can deliver it at a reasonable cost as long as use is relatively occasional or the number of signatories is limited. If, however, the electronic signature needs to be deployed on a large scale to numerous users, an in-house electronic signature system is required.
In this situation, the architecture has at least three components, depending on the targeted level of security. The first is a Public Key Infrastructure (PKI), which issues the digital certificates and is also used for authentication and encryption. The second is a signature server, which appends and verifies the signatures. The third is a document archiving system with legal value, which guarantees the long-term retention and integrity of the signed documents. Since signing certificates expire and may be revoked, this archive must also retain whatever is needed to validate the signatures later: the certificates, revocation information and a trusted signing time.
Here again, to increase the level of security, strong authentication mechanisms can be added upstream of the signature and keys can be protected in an HSM.
Whatever the use case, the complexity of an electronic signature project means that careful preparation is needed. The requirements, constraints and legal obligations must be clearly defined from the outset in order to design an appropriate and scalable technological foundation able to absorb rapid growth in use.