The Electronic Signatures Directive under the spotlight

What is it? The Electronic Signatures Directive, adopted by the European Parliament in December 1999, establishes a legal framework for the use of electronic signatures, promotes the interoperability of electronic signature products and aims to build trust in electronic signatures. It must be implemented into UK law by 19 July 2001. This will be through the Electronic Communications Bill and regulations due to become law by May 2000.

What's in the fine print?

The directive is intended to be technologically neutral and thus does not favour cryptography over other potential means of creating or verifying electronic signatures, eg biometrics such as iris patterns or fingerprints. The central provision of the directive, Article 5, recognises two classes of electronic signatures:

1. Article 5.1 signatures: advanced electronic signatures based on a qualified certificate issued by a certification service provider and created by a secure signature creation device. These signatures satisfy the legal requirements of a signature as if they were handwritten and must be admissible as evidence in legal proceedings.

2. Article 5.2 signatures: other electronic signatures. These cannot be denied legal effect, validity or admissibility as evidence, solely on the grounds that they are in electronic form or are not based on a qualified certificate or a certificate issued by a certification service provider.

A "qualified certificate" links a particular signature verification device used to verify the electronic signature to a signatory and contains the following information:

  • that the certificate is a qualified certificate

  • the name of the signatory or their pseudonym

  • the identity of the certification service provider, their advanced electronic signature, the validity period of the certificate, and an identifying number for the certificate

  • signature verification data corresponding to the signature creation data under the control of the signatory

  • any limits on the scope of use of the qualified certificate

  • any limits on the value of transactions for which the electronic signature can be used, if applicable

  • specific attributes of the signatory, if relevant; creditworthiness, authority to sign for a company and VAT number were examples appearing in earlier drafts of the directive.

A qualified certificate must be issued by a certification service provider meeting the requirements of Annex 2 of the directive - reliable, financially stable, secure, trustworthy, technically expert providers. Any accreditation scheme for certification service providers created by EU member states must be voluntary and non-compulsory. Thus the security, probity and technical expertise of the certification service provider are paramount, as developers of secure signature creation hardware or software, or of signature verification devices, must consider not only whose qualified certificates their products will support, but who will be trusted by their customers.

What are the implications?

Electronic signatures are likely to become extremely important, both in business-to-business and business-to-consumer e-commerce. As a means of online identification, they are a potential means of combating fraud, especially credit card fraud, as they will enable both merchants and credit providers to verify the identity of the person using an electronic signature, as well as the authenticity and integrity of the electronically signed message.

In practice, the use of electronic signatures in financial transactions may favour the use of advanced electronic signatures, even though Article 5.2 electronic signatures without qualified certificates are recognised by the directive. Indeed, an advanced electronic signature and its qualified certificate give more information about the signatory than any handwritten signature ever can.

For information contact Jane Rawlings of DLA's e-commerce team on 08457-262728.