The legitimacy of qualified electronic signatures

 

 eIDAS Regulation

As of 1 July 2016, trust services may be offered in all 28 EU member states in accordance with "Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC", or eIDAS Regulation for short.

The eIDAS Regulation provides binding European rules relating to "electronic identification" and "electronic trust services". The Regulation creates a uniform framework for cross-border use of electronic identification and trust services.

As an EU Regulation, it becomes directly applicable law in all 28 EU member states and takes precedence over national signature laws.

According to Article 25 of the eIDAS Regulation, a qualified electronic signature has the same legal effect as a handwritten signature and is recognised in all member states.

Generating a qualified electronic signature

A qualified electronic signature is an electronic signature based on a qualified certificate that is generated by a qualified signature creation device.

A signature creation device is configured software or hardware used to create an electronic signature. In the web ID procedure, the hardware security module (HSM) located in A-Trust's high-security centre serves as a qualified signature creation device.

A qualified certificate is a certificate that is issued by a qualified trust service provider and contains the specific information laid out in Annexes I, III and IV of the eIDAS Regulation. The essential quality attributes of a qualified certificate are:

  • that the identity of the natural or legal persons for whom the certificate is issued has been reliably verified[1], and that
  • strict requirements apply to the trust service provider and, in particular, to the technical components used by such a trust service provider.

The supervisory body, which is established by national law, grants the qualified trust service provider its status by entering its name in a trusted list in accordance with Article 22 of the eIDAS Regulation. For this purpose, the qualified trust service provider must submit a conformity assessment report issued by a conformity assessment body (Art. 20 eIDAS Regulation). It is also for the conformity assessment body to certify the qualified signature creation device (Art. 30 eIDAS Regulation).

A-Trust GmbH has been accredited by the Austrian supervisory body (Telekom-Control-Kommission) following an evaluation by the conformity assessment body "A-SIT Secure Information Technology Center" (in accordance with Regulation No 765/2008) and set up on the basis of a regulation of the Federal Chancellor and included in the Austrian trusted list. Furthermore, A-SIT has certified all the qualified signature creation units used by A-Trust GmbH. Evaluations are repeated every 24 months in order to ensure compliance of the qualified trust services.

Full compliance of A-Trust GmbH with the provisions of the eIDAS Regulation and the Austrian Signature and Trust Services Act [2] (SVG) warrants the technical integrity and legitimacy of the qualified signatures created by means of the process described above.

To warrant legal certainty with respect to the validity of the signatures, qualified electronic signatures can be validated at all times using the signature verification service made available free of charge by the Austrian supervisory body in accordance with Section 14(2) SVG. Alternatively, qualified electronic signatures can also be verified using the validation service of A-Trust GmbH.

 

A-Trust GmbH is an Austrian company that provides secure communication services for the digital and mobile world. Its focus is on confidentiality, integrity and convenience, as well as the creation of secure digital signatures. The company has been accredited as a certification service provider since 2002 and has been active as a qualified trust service provider for qualified certificates since July 2016 (eIDAS). A-Trust Gesellschaft für Sicherheitssysteme im elektronischen Datenverkehr GmbH is subject to regular inspections by the Telekom-Control-Kommission.

 

 

 [1] In the web ID procedure, WebID Solutions GmbH verifies the identity in compliance with German law (German Money Laundering Act; GwG). Admissibility of the procedure has been confirmed by the German Federal Ministry of Finance (BMF) and the German Federal Financial Supervisory Authority.

 [2] The Austrian Signature and Trust Services Act (SVG) transposes the eIDAS Regulation into Austrian law and became effective as of 1 July 2016.