The electronic signature is progressively becoming established in the professional world. Its numerous advantages are not for nothing: reduction of processing times and costs, increased security with the use of a certificate allowing the authentication of the signatory, integrity of the document once signed, probative value... However, it is important to know that some of these benefits are only accessible from a particular level of security, and that the most advanced stage in the matter corresponds to the qualified electronic signature. What is it exactly? How does it work? In which cases should it be used? We make the point.
The 3 levels of electronic signature
The eIDAS regulation (a regulatory framework for electronic transactions at the European level, which came into force in 2016) defines three levels of electronic signature, which correspond to three degrees of requirements related to the identification of signatories. In detail:
- The simple electronic signature corresponds to the first level of security and legal recognition. It includes all signature systems that do not require prior identification of the signatory. This procedure concerns 90% of signatures.
- The advanced electronic signature corresponds to the second level of security. It is recommended when the legal stakes related to the signed documents are important. The identification criteria are more advanced: the signatory must be formally authenticated by a digital certificate.
- The qualified electronic signature corresponds to the highest level of security. It implies meeting strict conditions for verifying the identity of the signatory, including obtaining a qualified certificate. The eIDAS regulation stipulates that this signature "shall be created using a qualified electronic signature creation device, and (...) shall be based on a qualified electronic signature certificate" (article 3).
The qualified electronic signature is therefore the most secure of the three, and the most suitable for a company that wishes to benefit from the highest guarantees. Nevertheless, it must be kept in mind that each type of signature is legal and valid before the courts of the different European countries. All are legally binding and admissible as valid evidence in court. The only difference is not legal, but security.
The qualified electronic signature
The qualified signature takes up the security criteria of the advanced signature: it must be univocally linked to its signatory, allow the latter to be formally identified, be attached to means of verification that are the personal property of the signatory (a computer or a personal telephone on which he will receive his confirmation codes when validating each signature), and guarantee the integrity of the signed document. These requirements are recalled in Article 26 of the Regulation. But the qualified electronic signature adds two others, which make all the difference in the security of the process: the signatory must first obtain a qualified certificate; the applicant must be given a signature key integrated into a qualified signature creation device (QSCD). This device can be hardware or software and must also meet a series of requirements. As for the qualified electronic certificate, it is issued by a Certification Authority. It is a digital attestation associating the validation data of a signature to a physical person. The identity of the applicant must be verified beforehand and face-to-face, during a physical meeting, or remotely using a video-conference software. In doing so, the qualified electronic signature is also the most complex level of signature to implement (due to the numerous audits that must be carried out) and the most cumbersome to use for the signatories, who must first obtain a certificate. This, in return for a high degree of security. All these constraints make the qualified signature an option that is not recommended for frequent use, especially when it is necessary to have people outside the company (partners, customers or suppliers) sign regularly.
Use cases of a qualified digital signature
The qualified electronic signature is adapted to signature operations which represent important risks or which take place in rigorous legal frameworks (framework which can be different according to the countries). It applies essentially to...
- Authentic instruments (drawn up by notaries, bailiffs, auctioneers, etc.);
- Documents drawn up by lawyers (company articles of association, contracts for the transfer of shares, contracts for the sale of a business, PACS, etc.);
- To dematerialized public contracts;
- Documents whose effects occur outside France or the European Union (subscription of financial products, intra-European banking transactions, etc.).
For all other types of documents, the qualified electronic signature is not essential. It is perfectly acceptable to use an advanced electronic signature, which is simpler to set up, more flexible for the signatories, and nevertheless sufficiently secure (it also requires the prior acquisition of an electronic certificate, without however imposing as many verification constraints). In conclusion, the use of qualified electronic signatures must be limited to specific uses and to particular sectors of activity (banking, insurance, law, finance, etc.). The choice of the level of guarantee must be based on a detailed analysis of the regulatory and legal context, as well as on a detailed study of the risks relating to the documents signed and to the company issuing them (in terms of productivity, reputation, financial risks, etc.). Finally, given the cumbersome nature of the process, it is essential to find a balance between the company's need for security and the flexibility of implementation and use.