Electronic signature

In the wake of COVID-19, teleworking has increased significantly and remote business exchanges have become the norm. In this respect, the electronic signature (e-signature) offers a simple and efficient alternative for people and companies who need to execute documents or agreements remotely.

E-signature

Until recently, a signature was only applicable as a handwritten note on a durable medium.

However,  for more than 20 years, according to the law, a signature can also be electronic.

In practice it grants the possibility to execute documents without the necessity of travelling. Nonetheless business exchanges require security. Thus it is crucial to clearly determine the legal value of a signature in its electronic version.

In a nutshell, an e-signature is constituted of data (a sequence of numbers) associated with other data (files) and linked to the person executing the document. In some instances this sequence of numbers is not visible on the document. It is attached as an encrypted certificate. It can also be a scanned image of a handwritten signature.

This definition remains very succinct and needs to be clarified.

From a legal standpoint, three levels of e-signature can be identified (simple, advanced and qualified). The distinction enable to differentiate in each case its level of security and legal recognition. In its most advanced version, the qualified e-signature is recognised as being equivalent to a handwritten signature.

Regulatory Framework

In Luxembourg law, the existence of e-signatures originates from Directive 1999/93/EC on a Community framework for electronic signatures.

This directive was transposed into Luxembourg law by mean of the law of 14 August 2000 on electronic commerce, as amended from time to time (the « Law »).

The directive has been repealed by Regulation No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market (the “eIDAS Regulation”)¹ entered into force on 1 July 2016.

The Legal framework for e-signatures is subject to the eIDAS Regulation.

Since its entry into force, the Law has been amended several times, most recently on 17 July 2020, in order to be fully compliant with the provisions of the eIDAS Regulation.

The scope the eIDAS Regulation is wide and could be subject of in-depth developments on many topics such as website authentication, electronic time stamping or the sending of qualified registered mail.

The different categories of e-signatures

The Luxembourg legal framework distinguishes between three types of e-signatures:

– simple e-signature;

– advanced e-signature; and

– qualified e-signature.

Simple e-signature

The first level of e-signature is the so-called simple signature. It consists of a set of data in electronic form, which are attached to or logically associated with other data in electronic form and which the signatory uses to sign².

In practice this may be the signature block of an e-mail or the scanned image of the handwritten signature sent by e-mail.

It cannot guarantee that the person executing the document is who she or he claims to be and does not provide details of the signature (such as time, date, etc.).

This form of e-signature, which is the most common in practice, has a low level of security and reliability in the event of a dispute. 

If such a signature is challenged, it will often be treated as a clue that needs to be supported by other elements.

Advanced e-signature

The advanced e-signature is (i) solely linked to the signatory, (ii) allows the signatory to be identified, (iii) created using electronic signature creation data that the signatory can, with a high level of confidence, use under his exclusive control, and (iv) linked to the data associated with that signature in such a way that any subsequent change to the data is detectable³.

Advanced e-signatures are based on a PKI (Public Key Infrastructure) which allows the certification of the identity of the signatory (via a personal digital certificate).

In practice, the advanced e-signature consists, for instance, in the use of a website or software on which the signatory will place the document to be signed and then validate a signature process (during which the signatory will receive, for example, a one-time code sent by SMS).

At the end of this process, all the information is encrypted and the digital signature is integrated into the document.

This type of signature guarantees the identity of the signatory. The system also detects if the data has been falsified after the signature, in which case the e-signature is invalid.

The advanced e-signature has a higher level of trust than the simple signature. In  case of dispute, however, it is up to the party claiming the signature to prove its validity.

Qualified e-signature

The qualified e-signature requires additional requirements.

It is a signature that (i) meets the requirements of an advanced e-signature and (ii) is generated using a qualified e-signature creation device and is based on a qualified e-signature certificate⁴.

This level of signature requires the following two conditions to be met:

-the identity of the signatory shall be validated upstream (physically or remotely under certain conditions) by a qualified trust service provider;

– the signature key shall be a qualified e-signature creation device.

A qualified trust service provider is an entity that meets strict standards and has been granted qualified status by the supervisory body⁵. Due to its status it is regularly audited and monitored to ensure that it provides the highest level of security⁶.

A cryptographic key (“token”) is used by the signatory (USB key, badge, smart card, one-time password generator, etc.) and this tool will enable the documents to be signed.

In practice, the signature process will be more or less similar to the one applicable to an advanced e-signature, with the difference that the encryption key shall come from a qualified trust service provider.

Two organisations are currently certified in Luxembourg, namely LuxTrust S.A. and BEINVEST International S.A.⁷ (lastly accessed : September 2021).

This type of e-signature is the most demanding and secured of all e-signatures and is the only one to have the legal equivalent of a handwritten signature.

Legal recognition of the qualified e-signature

The eIDAS Regulation establishes the principle of non-discrimination. The legal admissibility of a signature cannot therefore be refused on the ground that it is in electronic format. Any e-signature can be accepted as evidence in legal proceedings within the European Union⁸.

Moreover, according to the eIDAS regulation, the legal value of a qualified e-signature is equivalent to a handwritten signature⁹.

Many documents can be executed electronically (commercial agreements, purchase orders, decisions taken by company bodies where the intervention of a notary is not requested by law).

It is worth mentioning that not all documents are eligible for e-signature. Among others, (i) notarial deeds (incorporation of a company, amendment of the articles of association, etc.), (ii) deeds transferring real estate ownership and (iii) agreements requiring by law the intervention of courts, authorities or public officers, cannot (yet) be executed electronically.

Last but not least, the electronic version of the electronically signed document represents the “original” of the document and therefore these documents must be kept in an electronic format, otherwise they lose their legal value.

The printed document does not benefit from electronic mechanisms to protect the integrity of the document, nor does it have the means to verify the validity of the various e-signatures contained in it (the legal value and authenticity of the e-signature can therefore be easily challenged in court where it applies to the printed version).

***

1 Regulation No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing directive 1999/93/CE, is available at : L_2014257EN.01007301.xml (europa.eu);

2 Article 3 (10) of eIDAS Regulation;

3 Article 3 (11) and article 26 of eIDAS Regulation;

4 Definition is available at article 3 (12) of eIDAS Regulation;

5  Article 3 (20) of eIDAS Regulation;

6 In Luxembourg, this is the Institut luxembourgeois de la normalisation, de l’accréditation, de la sécurité et qualité des produits et services (ILNAS): ILNAS – Acteurs – Portail Qualité – Luxembourg (public.lu);

7 List of authorised trust service providers is available at : Trusted List Browser (europa.eu);

8 Article 25 of eIDAS Regulation;

9 Article 25 (2) of eIDAS Regulation.

***