Last updated on: December 14, 2021

The legal regime of the electronic signature

Articles 1366 and 1367 of the Civil Code provide that the electronic signature has the same legal value as the handwritten signature. It is therefore admissible as evidence in court. 

The eIDAS regulation governs the electronic signature in the European Union.

The regulation became applicable on the following dates:

  • September 29, 2015 for notification and voluntary recognition of electronic means of identification by member states; 
  • July 1, 2016 for trust services and electronic records; 
  • September 29, 2018 for mandatory mutual recognition of electronic means of identification by member states. 


1. Security levels of electronic signatures

The eIDAS regulation defines four levels of security for electronic signatures.

The first two levels are:


  • The simple (or basic) electronic signature

The simple electronic signature does not require any particular security or identification of the signatory, making it the lowest level of security.

It is very often used because it allows a document to be signed simply and quickly. It is admissible in court, but it will be impossible to prove the identity of the signatory in case of litigation.


  • The advanced electronic signature

The advanced signature has a higher degree of security than the simple electronic signature because of the verification of the identity of the signatory. It must meet the following requirements:

  • Be uniquely linked to the signatory;
  • Identify the signatory;
  • Have been created using electronic signature creation data that the signatory can, with a high level of confidence, use under his exclusive control;
  • Be linked to the data associated with that signature in such a way that any subsequent changes to the data are detectable. 


Where additional levels of signature validity are required, some vendors offer two additional levels of electronic signatures that comply with eIDAS requirements. The regulation defines two types of certificate-based signatures, for which the signatory's identity must be authenticated before the certificate is issued. They therefore constitute two levels with higher security than a simple electronic signature or an advanced electronic signature.

These two levels are:


  • Advanced electronic signature with qualified certificate

Defined in Articles 26 and 28 of the eIDAS Regulation, the advanced electronic signature based on a qualified certificate requires a higher level of security, identity verification and authentication to establish a link with the signatory. 

It therefore has the same properties as an advanced electronic signature defined by article 26 of the eIDAS regulation but must also be based on a qualified certificate, issued by a qualified trust service provider meeting the requirements set out in Annex I of the same regulation.


  • The qualified electronic signature

A qualified signature is the most secure type of digital signature. It must meet these two requirements:

  • The process of issuing the digital certificate is only possible once the identity of the signatory has been verified in person (face-to-face).
  • The signature is created using a very secure device called a QSCD (Qualified Signature Creation Device). It is in this device that the qualified signature certificate is located. The QSCD was a physical device based on smart card technology. Nowadays, it is legal for this QSCD to be a cloud system managed by a trusted service provider.

This device is subject to a certification decision by a national authority. The legal effect of a qualified electronic signature is equivalent to that of a handwritten signature.



2. The issuance of qualified certificates

In order to obtain a qualified electronic signature certificate, the signatory must contact an Electronic Certification Service Provider (Certification Authority) or a Registration Authority approved by the latter, so that his identity can be verified. Thus, Article 2 of the Order of March 22, 2019 on the electronic signature of public order contracts states that:

"The qualified electronic signature certificate falls into at least one of the following categories:
1° A qualified certificate issued by a qualified trust service provider meeting the requirements of the above-mentioned regulation;
2° A certificate issued by a French or foreign certification authority that meets the equivalent requirements of Annex I of the above regulation."
 

In addition, under Annex II of the eIDAS Regulation, "any natural person may request a qualified electronic signature certificate issued by a qualified trust service provider. Similarly, any legal person may request an eIDAS-compliant electronic seal certificate issued by a qualified trust service provider."

When the qualified electronic signature is issued by a certification authority, its process is presumed reliable. The control of these certification authorities is carried out by the ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information) in France and by equivalent bodies in each European country. The ANSSI intervenes in two ways in the application of the regulation: as a security guarantor in the context of "electronic identification" and as a control body in the context of "trust services".



3. The legal effects of the electronic signature

Article 25 of the eIDAS regulation specifies the legal effects of the electronic signature according to its nature. It provides that:

  • The simple electronic signature cannot be refused in court just because it is not qualified;
  • The qualified electronic signature has the same legal value as the handwritten signature;
  • If this signature is certified by a member state, the qualified nature of this signature is necessarily recognized by all countries of the European Union.

Axiocap has teamed up with Signaturit to make advanced electronic signatures reliable.

Signaturit uses a biometric data processing system, which allows a unique identification of the signatory, in particular thanks to specific and precise data such as the acceleration and speed of the signatory's trace and the pressure exerted on the device when he signs. The consent of the signer is mandatory and indispensable for the processing of biometric data.  

In accordance with the General Data Protection Regulation (GDPR), which came into effect on May 25, 2018, Signaturit has implemented various security measures to ensure the proper processing of personal data and therefore complies with the recommendations of the French National Commission on Information Technology and Civil Liberties (CNIL) on the processing of biometric data.

Biometric data is particularly important during litigation. Signaturit can decrypt the signatory's biometric data so that it can be presented to the relevant court in the event of legal proceedings.
