What is eIDAS?
eIDAS (electronic IDentification, Authentication and trust Services) is an EU regulation, or a set of standards, for electronic transactions in the European Single Market.
It went into effect on September 17th, 2014, and the major part of the eIDAS regulation has applied since July 1st, 2016.
eIDAS oversees electronic identification and trust services for electronic transactions in the European Union’s internal market. It regulates eSignatures, electronic transactions, involved bodies and their embedding processes to provide a safe way for users to conduct business online, such as the transfer of electronic funds or transactions with public services.
eIDAS created standards for eSignatures, qualified digital certificates, electronic seals, timestamps, and other authentication mechanisms that enable electronic transactions, giving them the same legal standing as transactions that are carried out on paper. All EU nations are regulated by eIDAS. It enables recognition and acceptance of electronic identification regarding the following:
• Time Stamps
• Website Authentication
eIDAS defines three categories of eSignatures:
Electronic Signatures (ES)
• Applied by the person associated with the signature
• Applied in a manner that demonstrates the intent of the signer
• Associated with the document or data the signer intended to sign
Advanced Electronic Signatures (AES)
• Uniquely linked to the signer
• Identify the signer
• Under the sole control of the signer
• Detect changes to the document or data after the application of the AES
Qualified Electronic Signatures (QES)
• Created using a QES creation device
• Supported by a qualified certificate (that is issued to the signer in a form that can be kept under control)
• Achieved by digital certificate issued to signer by a certifying authority
eSignature Requirements
• Applied by the person associated with the signature
• Applied in a manner that demonstrates the intent of the signer
• Associated with the document or data the signer intended to sign
MSB Coverage
• Only intended signers can receive email notification with unique URL
• Custodian must place signature tags for each signer on the document requested for signature
• Signer must click on signature tag and must confirm their action before applying the signature
• Unique ID of document and signer is preserved in the audit trail of each signature request
Advanced eSignatures (AES)
Advanced eSignature Requirements
• Uniquely linked to the signer
• Capable of identifying the signer
• Created using electronic signature creation data that the signer can, with a high level of confidence, use under his or her sole control
• Linked to the signed data in such a way that any subsequent change in the data is detectable
MSB Coverage
• Signer must have a unique email address
• MSB maintains a UUID for each signer and document
• Each signer must be authenticated by MSB to apply their electronic signature data to sign a document
• Each resulting signature contains the signer’s email address, UUID and name, and is linked to the document, which has its own UUID – linking to the signer
• Each signer is identifiable via email address, which MSB requires
• MSB maintains UUID for each signer
• Signatures are only applied after valid identification of the signer
• Each signer can access their account only after a successful authentication
• MSB has strong password policies and supports multiple methods of authentication
• Signature data is only applied after valid authentication
• For 21CFR policies, logged-in users are authenticated again before applying their signatures
• At the end of the signing workflow, documents are digitally signed, preventing any further change. Any change after that will notify users that the document has been altered after signatures were applied, and users can access the version after signing was completed
Qualified eSignatures (QES) via Transped-issued certificates
MSB Coverage
A qualified electronic signature is defined by Article 3(12) of the eIDAS regulation as an advanced electronic signature that is created by a qualified electronic signature creation device. To be considered a QES, the signature must be based on a qualified certificate. A qualified certificate is issued by a qualified trust service provider after identity verification of the concerned natural person. Examples of a qualified electronic signature creation device include a smart card, a USB token or a cloud-based HSM.
MSB has partnered with Transped, a trusted issuer of qualified certificates. MSB supports all kinds of digital certificates, USB token or cloud-based, including Transped cloud-based qualified certificates.