Digital Signatures & Remote Signing

March 03, 2017
Digitally signed documents were elevated to a new status in international business transactions with the publication of the eIDAS Regulation (910/2014). In particular within the European Union, the Directive enforces that electronic signatures, electronic seals, time stamps, electronic delivery services and website authentication will work across borders and have the same legal status as traditional paper based processes.

The immediate impact of this provides a huge boost not just to the online economy, but also to any transborder business activity as it contributes to the most basic element necessary for any type of deal, that is, Trust. It also delivers practical relief to citizens and businesses entangled into countless bureaucratic processes, where sealed and signed papers used to be the only type of acceptable fuel. Digital signatures combined with solid workflow and document management platforms can help simplify and automate transactions, leading to optimized, efficient operations and processes. This is the core value proposition of our WORKSTREAM platform, for which more details can be found here.

A secondary effect of eIDAS is that it fosters growth of the market for electronic Trust Services and enhances the role of electronic Trust Service Providers. It is relatively safe to assume that in the not-too-distant future, any legal entity or individual participating in economic life will make use of digital signatures, based on digital certificates issued by a certified Trust Service Provider.

Such certificates are typically stored in a secure, purpose-built storage device (such as a USB token), and remain under the responsibility and control of the certificate owner. Things, however, can get somewhat more exciting and interesting, when a remote signature service is offered. With the popularity of smartphones and tablets, who can overlook the convenience of adding valid, legally binding signatures to documents without the need to connect a secure USB token to a PC?

The issue we need to keep in mind here is that when we make use of a remote digital signature service, our digital certificates are not stored in our personal devices, but on infrastructure provided by the Remote Digital Signature Service Provider! This is exactly why eIDAS includes the following provision (opening Chapter, par. 52):

"... in order to ensure that such electronic signatures receive the same legal recognition as electronic signatures created in an entirely user-managed environment, remote electronic signature service providers should apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels, in order to guarantee that the electronic signature creation environment is reliable and is used under the sole control of the signatory. Where a qualified electronic signature has been created using a remote electronic signature creation device, the requirements applicable to qualified trust service providers set out in this Regulation should apply".

In plain language, Remote Digital Signature Service Providers must have the status of a Qualified Trust Service Provider, if they are to offer a service that results legally binding signatures! This means that they must be certified, by an accredited conformity assessment body and are subject to regulation by the relevant Regulatory Authorities who maintain and publish a Qualified Trust Service Providers List.

There are several remote signature service providers in the market today. It is important to take caution when making use of such services, so that the signed documents are legally valid.