The transition of French society from paper to digital formats paved the way for the development of electronic signature technology. The trend is so strong that even public organizations now allow citizens to electronically sign administrative documents.
How can you be sure that your electronic signature software has legal validity?
Aside from a small number of exceptions, practically any document can be signed electronically. However, one factor holding back more widespread adoption of the technology is that the legal validity of electronic signatures is not a subject the general public tends to know about.
Contrary to popular belief, inserting an image of one’s signature on a digital document is not sufficient for it to have legal validity. To avoid legal disputes, the electronic signature software must have irrefutable legal validity in a court of law. In practical terms, this means the electronic signature must be produced using software developed by an accredited trusted third party.
Let’s discover together how to use the electronic signature properly!
Well-defined regulations applicable in France and Europe
The concept of the electronic signature is not new from a legal point of view. In France, electronic signatures have had legal validity since 2000 by virtue of article 1316-4 of the French civil code (article 1367 since 2016). French law sets out the specific conditions under which an electronic signature is legally valid. It must clearly identify the signatory and guarantee the unique link between the signature and the document or deed in question. In 2016, the European eIDAS (Electronic IDentification And Trust Services) regulation strengthened the legal security of electronic signatures by providing a clear, authoritative, and uniform legal framework for them across all of the then 28 EU Member States. Article 25.1 of the European regulation establishes the principle of non-discrimination. In other words, it reiterates that electronic signatures have a definite legal effect and are admissible in legal proceedings.
From a technical point of view, the eIDAS regulation defines three types of electronic signature: simple, advanced, and qualified electronic signatures, which may be used in EU Member States and which provide for additional regulation dictating their use. The level of security and reliability, as well as the conditions of use, differ for each category.
Four levels of electronic signature: simple, advanced, advanced-qualified, qualified
The “simple” signature
This is the least reliable category of e-signature, and yet the most commonly employed because it is quick and easy to use. This level does not require the implementation of a process to verify the identity of the signatory. This type of signature is suitable for documents with low legal risk (e.g. general conditions of a website, inventory of fixtures, etc.). Important point: this category of e-signature is not acceptable under French company law.
The “advanced” signature
More secure than the simple signature, the advanced signature must meet several criteria, such as techniques to verify the identity of the signatory, the creation of a certificate that includes the data collected from the signatory's identity document, a documentary evidence file intended to prove the security of the process by which the electronic signature was created, and traceability of the signed document. The advanced level is suitable for commercial, legal, and administrative documents that carry a low risk of litigation.
Advanced e-signatures backed by a qualified certificate
This is an advanced electronic signature based on an accredited e-signature certificate. That accredited e-signature certificate attests to the identity of the signatory established by means of a process that meets the requirements that guarantee the validity of the signature, the identity of its signatory, or at least their name, pseudonym, or registration number in the case of a company. The accredited e-signature certificate is issued by an accredited trusted service provider and meets the requirements set out in Annex 1 of the eIDAS regulation.
The “qualified” signature
Guaranteeing the highest level of security, the “qualified” signature requires visual verification of the signatory’s identity by a certification authority, document security (encryption), and the addition of a qualified certificate issued by a service provider authorized by the French Network and Information Security Agency (ANSSI). This category of e-signature is ideal for regulated transactions.
How to choose a trusted service provider
In order to pursue your development within a precise legal framework suitable for your organization, it is advisable to turn to the expertise of an approved and accredited e-signature service provider.
Decision-makers should be aware that in France, a list of service providers meeting those criteria and complying with legal requirements is maintained and updated by the French Network and Information Security Agency (ANSSI), which also sends a copy of that list to the European Commission. It is highly recommended to work with a service provider that is compliant with the eIDAS regulation and certified by the ANSSI.
Beyond the ANSSI accreditation, the e-signature tool should be chosen with a set of criteria in mind, in order of priority. Obviously, compliance with the laws of other countries will be a critical consideration if your company does business internationally, or plans to do so in the future. The next factors to consider are how easily your teams will be able to learn how to use the tool, the degree of customization possible, and its flexibility.
Another point to consider: how easy or difficult it would be to integrate the software into your existing IT architecture. A tool that can be connected seamlessly to the other systems used in your company (SAP, Microsoft, etc.) requires less effort and makes it easier for your employees to start using it. Lastly, the ability of the service provider to understand your signature needs based on the level of complexity required is critical. A tool that lets you easily switch between categories of e-signature (simple, advanced, qualified) according to the legal risk of a document is preferable.
Lawmakers have clearly set out the legal framework for using e-signatures, both in France and at the European level, so that their legal validity will be recognized just the same as with handwritten signatures. While there is a growing range of e-signature products available on the market, organizations should choose the right one for them based not solely on legal criteria, but also on technical and organizational considerations, to be prioritized according to the organization’s line of business, its exposure to legal risks, and what it needs signatures for.