Cloud consortium says simpler EU electronic signature rules aren't simple enough
- 29 June, 2016 00:15
European Union rules for electronic signatures change on Friday to make a clear distinction between the identity of the person signing, and that of the authority guaranteeing the integrity of the data, but the technology needs to be still simpler, vendors say.
The new rules are intended to simplify the process of electronically signing contracts between businesses, or between businesses and persons, and across international borders where different and often incompatible electronic signature rules apply today.
But while the new rules will simplify the legal environment, today's technical environment makes it too difficult to create and securely manage digital identities, according to the Cloud Signature Consortium.
Defining an electronic signature that satisfies the laws of 28 countries is one thing, but creating one that is accepted seamlessly by desktop applications such as Adobe Acrobat Reader and Microsoft Office, and by enterprise applications such as Salesforce, Workday, Microsoft Dynamics CRM or Ariba, is entirely another, according to the consortium.
The newly founded organization, led by Adobe Systems, is drafting a new technical standard that it hopes to publish by year-end and implement early next year.
Existing legislation, derived from the 1999 eSignature directive, allows certificates for electronic signatures to be granted to natural persons (people) and legal persons (organizations), and makes little distinction between authenticating the content of a document and expressing consent to that content.
That will change on July 1, when the 2014 eIDAS Regulation enters force.
From that date, only certificates issued to natural persons will be able to make electronic signatures (eSignatures) that are legally binding. Those issued to legal persons will only be valid for guaranteeing the integrity of documents (eSeals).
The new legislation thus makes a clear distinction between the two colloquial uses of the term "digital signature," for the quite different processes of guaranteeing the integrity of a document and of agreeing to its content.
The eIDAS Regulation applies to businesses and not to European Union bodies such as the Commission or Parliament, despite their role in creating it. However, when the regulation was approved in October 2014, Neelie Kroes, then European Commission vice president, called on incoming Commission President Jean-Claude Juncker to make every transaction with the Commission and other EU institutions possible electronically.
"Whether you're bidding for an EU procurement contract or submitting your invoice for payment, it should be possible to do it completely online, without having to resort to piles of paperwork -- or indeed any -- from the beginning to the end of the process," she said.
Like other EU regulations, eIDAS automatically becomes directly applicable, without the need for new national laws, in all EU member states within two years of its approval.
That means it will apply in the U.K., too. And should the government there choose to heed the message of last week's referendum to end its EU membership, the regulation will continue to apply for two years from the date of the U.K.'s notification of its intention to leave the EU. After that, unless the U.K. government and the European Commission have agreed otherwise, it will not be possible to make legally binding agreements using eIDAS-compliant eSignatures between a U.K. person and an EU person.
Adobe and its consortium partners want their new specification to bridge far more than just the EU-U.K. divide. Their ambition is to have their specification adopted globally, by making it compliant with the most demanding electronic signature regulations in the world.
So far, though, Adobe seems the one most likely to profit from that ambition, as it is the only member of the consortium with a global reach. The others hail from EU member states Austria, France, Germany, Italy, Poland, and Spain, and from neighboring Norway and Switzerland, and include German state printer Bundesdruckerei, Infocert in Italy, and Docapost/Certinomis in France.