Signing without limitations - sure thing!

The digital transformation of all areas of life and work is progressing inevitably and on a daily basis. This also includes signature processes, which have already been translated into digital workflows in many places. The advantages are obvious: digital signature processes are far more efficient and replace tedious and lengthy processes in which documents are printed, scanned, faxed or even sent by post. In addition to an extreme acceleration of internal processes, it allows users far greater flexibility in their own actions by making them independent of time and place when issuing signatures. A nice bonus: Electronic signatures save resources and contribute to sustainability.

Not all digital signatures are the same however. In general, there are three different types of electronic signatures, which differ in terms of their security and legal validity.

From a technical point of view, electronic signatures are based on an asymmetric cryptography process in which documents or data are encrypted with a so-called private (and therefore secret) signature key, or short: private key. The public key can then be used to decrypt the data to check whether the signature is genuine and whether the document has been subsequently altered.

The most important terms relating to electronic signatures: eIDAS, TSP, SES, AES & QES

With the many abbreviations used in IT jargon relating to electronic signatures, it is easy to lose track. The most important terms relating to electronic signatures are therefore listed below:

The eIDAS Regulation is the European legislation for electronic identification and trust services - which includes e-signatures - and creates a legal framework for transactions in the European market. It defines electronic signatures as " data in electronic form which is attached to other electronic data, or logically connected with it, and which a signatory uses as a signature" and distinguishes between three types of digital signatures: simple, advanced and qualified signatures.

TSPs (trust service providers) are organizations that offer so-called trust services - services to ensure the confidentiality, authenticity and non-repudiation of digital information - which include the creation, verification and validation of electronic signatures, seals or time stamps. Qualified trust service providers are subject to strict legal framework conditions and requirements and are regularly checked in so-called monitoring audits.

Types of electronic signatures

1. Simple Electronic Signature (SES)

The SES is not defined in more detail in eIDAS, which is why we have to fall back on the very basic definition of electronic signatures - i.e. electronic data that is linked or logically connected to other electronic data. A simple electronic signature can therefore be, for example, a signature scribbled on a PDF with a stylus pen, a scanned image of your own signature or even a checkbox in an online form.

The problem with this kind of signature is, that there is no way to identify the person signing, which is why the signature cannot be clearly assigned to a person and therefore allows little traceability. In addition, subsequent changes to the document cannot be detected or proven.

2. Advanced Electronic Signature (AES)

The eIDAS Regulation defines a number of technical security criteria as prerequisites for the AES. According to eIDAS, advanced signatures must be uniquely assigned to the signatory and enable the signatory to be identified. They must be created using electronic signature creation data and be under the sole control of the person signing. It must also be possible to detect subsequent changes to data.

3. Qualified Electronic Signature (QES)

The highest security level is the qualified electronic signature. The difference compared to the AES is that it also requires a secure signature creation device - for example by means of a hardware security module (HSM) - and a monitoring audit. A qualified electronic signature may only be issued by a so-called qualified trust service provider (QTSP).

Only the QES therefore fulfills the highest security requirements and provides state-of-the-art technical security, which is why only the qualified electronic signature is legally equivalent to the classic, manual signature throughout Europe.

Better safe than sorry: qualified electronic signatures as a business solution.

The qualified electronic signature is the most secure way to sign (digitally) and is the only electronic signature that is equivalent to a handwritten signature throughout Europe. Users are thus guaranteed to sign in a legally secure manner throughout Europe and rely on the best traceability and probative value. In Austria, the ID Austria (formerly Handy-Signatur) provides all citizens with a QES free of charge and this option is already used by more than 3.8 million people (as of 01/2024). There are also various options for people without an Austrian residence to easily obtain a QES (e.g. xIDENTITY).

It is therefore definitely worthwhile for companies to rely on the QES, because once implemented in your own business, there is no additional effort and documents can be signed in compliance with eIDAS within a very short time.