Electronic Signature Guide
Why are documents signed?
If two or more parties wish to enter into a legally binding agreement, they are, in principle, free to choose the form in which they declare their intent. A signature is one of several ways of making an explicit declaration of intent. Verbal declarations of intent are just as valid as written ones but are difficult to prove in the event of a dispute. The level of proof an electronic signature provides also depends on its type. When used in practice, the electronic signature offers many advantages and extended application possibilities in the course of advancing digitalisation.
Electronic signature – terminology
What is an electronic signature?
An electronic signature is an alternative to a handwritten signature. As a rule, an electronic signature pursues the IT security objectives of authenticity and integrity. This means that the signature can be assigned to the signatory and is protected against manipulation. The basis for this is the eIDAS Regulation (electronic IDentification, Authentication and trust Services, (EU) No. 910/2014). It regulates electronic identification and trust services for electronic transactions within the European Union. It defines the legal framework and sets out the requirements for the individual forms.
The eIDAS Regulation defines the term “electronic signature” as follows:
What types/forms of electronic signatures are there?
The electronic signature is divided into three types:
- The simple electronic signature (SES)
- The advanced electronic signature (AES)
- The qualified electronic signature (QES)
What is a simple electronic signature (SES)?
An electronic signature is data in electronic form that is attached to (or logically associated with) other electronic data. The signatory uses these data for signing (Art. 3 No. 10 Regulation (EU) No. 910/2014). This can be a scanned signature or just the mention of the name, e.g. under a document or in an e-mail.
What is an advanced electronic signature (AES)?
The advanced electronic signature is uniquely assigned to the signatory and enables the signatory to be identified. It is created using electronic signature creation data. Any subsequent change in the data is recognisable.
What is a qualified electronic signature (QES)?
The qualified electronic signature is an advanced electronic signature created by a qualified electronic signature creation device and based on a qualified certificate for electronic signatures (Art. 3 No. 12 Regulation (EU) No. 910/2014).
What is a trust service?
A service is a trust service if, among other things, it enables the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps (Art. 3 No. 16 Regulation (EU) No. 910/2014).
The following are a few examples of trust services:
- Electronic signing of documents
- Qualified electronic seals and time stamps
- Secure e-mail communication using digital seals
- Certified electronic receipts
- Secure identification and authentication for websites
- Electronic registered mail
Are there any country-specific features?
In almost all industrial nations the electronic signature is a legally binding instrument, and e-signature laws are also being enacted in less developed countries. In the USA, the so-called ESIGN Act came into force in 2000, making electronic signatures legally valid for practically all applications. In the EU, Regulation (EU) No. 910/2014, better known as eIDAS, provides the legal framework for electronic signatures and trust-based services for e-commerce in the internal market.
What is the difference between an electronic signature and a digital signature?
The electronic signature is not a synonym for the digital signature but is often confused with it and used incorrectly.
The electronic signature is a legal term with the aim of being legally valid. This legal term is based on the definition of the European Electronic Signature Directive and eIDAS. This is understood to be data associated with an identity and attached to a document.
The digital signature is a mathematical or technical term with the aim of pursuing data security. Cryptographic procedures and strong encryption are used in digital signatures to enable identification. The digital signature can be an advanced (AES) or qualified (QES) signature. However, a digital signature can never be a simple electronic signature (SES), because with an SES, the signature cannot be assigned to a person.
What are the different terms of reference for an electronic signature?
There are no different terms of reference for an electronic signature. The generally applicable term of reference is always “e-signature”.
What does “text form” mean?
Text form is a declaration in which a person making the declaration is named and which is submitted on a durable data medium (Section 126b German Civil Code [BGB]). This can be, for example, an e-mail, a WhatsApp message or even a letter.
What does “written form” mean?
The written form is a declaration in text form supplemented by a handwritten signature (Section 126 German Civil Code [BGB]).
Legal aspects of the e-signature
Is an electronic signature legally valid?
Yes, within the EU, eIDAS regulates which requirements an electronic signature must fulfil for this purpose. In addition, the eIDAS Regulation stipulates the following:
Is an e-signature verifiable?
A declaration of intent by means of an advanced (AES) and a qualified electronic signature (QES) is verifiable, as the identity has been verified before signing, or can otherwise subsequently be verified. Furthermore, advanced and qualified electronic signatures are protected against modification, such as subsequent manipulation. In the case of advanced electronic signatures, one way of identifying the signatory can be through the analysis of so-called biometric data. These are personal characteristics of the digital signature that were captured by the signature software during signing. This biometric data includes the two-dimensional written pattern of the signature and individual characteristics such as writing direction, writing pauses and writing speed. In the case of a simple electronic signature (SES), it is generally not possible to assign the submitted declaration of intent to a specific person. An SES can therefore hardly be proven.
What happens in the event of a dispute?
In the event of a dispute, court proceedings are initiated to review the facts of the case. In the case of a simple electronic signature, it is not possible to determine directly from the signature data whether the questionable declaration of intent was actually made by a specific person. The judge may also have to make their decision on the basis of further available evidence or circumstantial evidence. Providing evidence in such a case is difficult. With an advanced signature there is additional data available for subsequent identification. This can be, for example, writing direction, writing pauses, etc. This additional information is usually embedded in the document in an encrypted format. Decryption is ordered by the court. The key required for this is typically in the possession of an independent third party (e.g. signature service, notary, etc.). This person may, on the order of the court, decrypt the data and hand it over to an expert for further analysis. With a qualified electronic signature the identification of the signatory takes place before the declaration of intent. For the QES and for the AES, obtaining evidence in the event of a dispute is quite possible.
Is a scanned signature valid?
In principle, any form of declaration of intent is valid. However, there is always the question of verifiability. In the event of a dispute, it is difficult to prove that a scanned signature represents the declaration of intent of a specific person. For this reason, authorities, for example, often require documents in the original in order to be able to archive them in an evidence-proof manner.
Is a faxed signature valid?
In principle, all forms of declaration of intent are valid. Faxes are to be treated in the same way as scanned documents (see above). A faxed signature is not verifiable because it does not unequivocally represent the declaration of intent of a specific person.
Are signed documents protected against alteration?
Subsequent changes to PDF documents with an advanced electronic signature (AES) or qualified electronic signature (QES) are recognisable by means of encryption and electronic seals. Subsequent editing, e.g. with Adobe Acrobat, destroys the electronic seal and the PDF is recognisable as having been changed. The document is marked “Document was changed after signature”. Editing signed PDF documents using the comment function is generally permissible, as the actual content is not changed. The added comments are recognisable as such and the signed document can be displayed without comments at any time. In Adobe Reader the easiest way to do this is to right-click on the signature and select “Show signed version”.
Electronic signature in practice
How to create an electronic signature?
Click confirmation
A simple e-signature is often simply a click confirmation. By clicking a button such as “Buy now” or “Order now”, you submit a declaration of intent which, however, cannot be proven beyond doubt, as no identity check takes place here.
A scanned signature or a signature typed on the keyboard is a typical example of a simple electronic signature. In retrospect, it cannot be determined whether a declaration of intent was made and by whom.
Typically, a device with a touch-sensitive surface (touch function) is used. You sign either with your finger or with a suitable pen. If biometric data – such as writing direction, writing speed, etc. – are recorded in the process, the result is an advanced electronic signature, as the declaration of intent can be subsequently assigned to the creator.
With a qualified certificate-based signature, the identity of the person is already confirmed in a certificate before the digital signature. The qualified certificate is issued by a verified trust service provider. In addition to a document checksum (hash value), a correspondingly signed document also contains a public key for checking the certificate. The authentication of the person directly before the signature process is done by a 2-factor procedure. The signature process itself is carried out by means of a PIN (Personal Identification Number) or TAN (Transaction Authentication Number).
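An added example, not part of the original guide or of any signature product: a simplified Go model of how a certificate-based signature makes later changes recognisable, as described for signed PDFs above. The `Doc` type, the throwaway ECDSA P-256 key and the sample contract text are assumptions; the certificate that binds the public key to a person is omitted.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Doc models a signed file (hypothetical type): Sig covers Signed only; Added is content appended later.
type Doc struct{ Signed, Added, Sig []byte }

// Sign computes the document checksum (SHA-256) and signs it with the private key.
func Sign(priv *ecdsa.PrivateKey, doc []byte) (Doc, error) {
	h := sha256.Sum256(doc)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return Doc{Signed: doc, Sig: sig}, err
}

// Check recomputes the checksum and verifies the signature with the public key alone.
func Check(pub *ecdsa.PublicKey, d Doc) string {
	h := sha256.Sum256(d.Signed)
	if !ecdsa.VerifyASN1(pub, h[:], d.Sig) {
		return "invalid: document was changed after signature"
	}
	if len(d.Added) > 0 {
		return "valid: signed version intact, content added after signature"
	}
	return "valid: unchanged since signature"
}

// Demo checks an untouched, a commented and an edited copy of a constructed sample.
func Demo() (string, string, string) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // throwaway demo key
	if err != nil {
		panic(err)
	}
	s, err := Sign(priv, []byte("Contract: Alice pays Bob EUR 100"))
	if err != nil {
		panic(err)
	}
	commented := Doc{s.Signed, []byte("[comment] reviewed"), s.Sig}
	edited := Doc{bytes.Replace(s.Signed, []byte("100"), []byte("900"), 1), nil, s.Sig}
	pub := &priv.PublicKey
	return Check(pub, s), Check(pub, commented), Check(pub, edited)
}

func main() { fmt.Println(Demo()) }
```

In a real PDF the signature covers a byte range of the file and later comments are appended after it; the two fields `Signed` and `Added` stand in for that layout.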
What does an electronic signature look like?
Strictly speaking, an e-signature has no appearance; it is only data attached to a digital document or file. But to represent the presence of a signature, there is usually nevertheless a visual representation. One option that is often used is the lettering of the signature; this can be created by keyboard, mouse or also with pen or finger on a touch device.
Which document formats can be signed electronically?
In principle, all document formats can be signed electronically. Word, Excel and other formats can also be signed electronically. In practice, however, such documents are usually converted into a PDF before being signed. In 2008, the industry standard ISO 32000-1 established the PDF as the standard for closed documents. This standard was last audited and issued with a confirmation in 2018. Other document formats such as Word and Excel are not standard formats.
When to use an electronic signature?
The electronic signature can be used in all industries and departments. Depending on the relevance and desired level of proof for a document, the type of electronic signature should be chosen appropriately. The advanced e-signature is the best solution for the majority of business processes and documents because of its practicability and simultaneously high level of security.
What are the advantages and disadvantages of an e-signature?
Advantages:
- Digitise business processes, shorten lead times
- Original quality – even after many years
- Working in an environmentally friendly way
- Save time & costs
- Increase customer satisfaction
- Better organisation
Disadvantages:
- Different verification value of the signature types
- Technical know-how necessary
- Technical infrastructure required
- Software costs
Does the electronic signature solution also make sense for private individuals?
An e-signature solution also offers potential applications for private individuals. For example, signatures can be obtained for membership applications in associations or for forms in other honorary offices.
What does an electronic signature solution cost?
There is no one-size-fits-all answer to this, as it depends on the type of electronic signature and the range of services offered by the software. As a rule, companies offer two to three options aimed at different target groups with different needs. There are also free offers, but they provide a lower level of security and are, therefore, not suitable for all business processes.
Which provider is the right one for me?
When selecting an e-signature solution, the following questions, among others, should be clarified:
- For which use cases should the electronic signature be used?
- How important is the verifiability of the signature?
- Which type of electronic signature is suitable for my applications?
- What are the legal framework conditions?
- What does the signature process look like? Who should sign the documents?