December 15, 2016

Estonian electronic signature creation devices are listed as SSCD – qualified signatures under eIDAS

by Karina Egipt
Electronic Identity, Electronic Signature

In the past only hand-written signatures were legally binding. The Directive 1999/93/EC (eSignature Directive) extended that legal recognition to signatures in an electronic form. The goal was to create a reliable system of electronic signatures that would work across all EU countries, make electronic signatures easier to use, and help them become legally recognised within the member states. The Directive did not favour any specific technology.

Adapting the eIDAS Regulation to ensure legal certainty

By the time the EU adopted Regulation (EU) N°910/2014 on electronic identification and trust services for electronic transactions in the internal market (the eIDAS Regulation) on 23 July 2014, a variety of different formats and solutions for electronic signatures were already in use across the member states.

To ensure legal certainty about the validity of a signature, and to reach the ultimate goal of enabling secure and seamless electronic interactions between businesses, citizens and public authorities, it was essential to specify the components of an electronic signature that the party carrying out the validation should assess. Unlike the previous Directive, eIDAS specified the electronic signature formats that member states could technically support when receiving electronically signed documents.

Qualified electronic signature creation devices

Among other things, the regulation sets out the security requirements for qualified electronic signature creation devices. As defined by eIDAS, an electronic signature creation device is configured software or hardware used to generate an electronic signature. For such a device to be considered a qualified signature creation device (QSCD), however, it must meet the specifications stipulated in Annex II, which lists the minimum requirements an electronic signature creation device has to satisfy to qualify as a QSCD. The QSCD principle is that the token (for example a smart card or USB token) must remain under the control of the signatory. The requirements also state that the device must, by appropriate technical and procedural means, reasonably assure the confidentiality of the signatory’s private signing key used to create the electronic signature. The data used for electronic signature creation must be unique and kept under the sole control of the signatory.

The eIDAS Regulation provides transitional measures (Article 51) to ensure the continuity and legal certainty of products and services associated with electronic signatures under Directive 1999/93/EC. In a nutshell, secure signature creation devices and qualified certificates for electronic signatures for natural persons that were deemed compliant with the Directive before 1 July 2016 are deemed compliant with the Regulation until they expire.

The European Commission has published a list of Secure Signature Creation Devices, Qualified Signature and Seal Creation Devices notified by member states.

All eID documents issued by the Estonian Police and Border Guard Board that were valid up to July 2016 are listed as SSCDs: the ID and Resident Permit card, Digi-ID issued to residents and e-Residents, and Mobile-ID. By notifying these SSCDs, Estonia benefited from the transitional measures set out in Article 51(1).