What is an electronic signature and how to use electronic signing

06.02.2024 | Author: Hronček & Partners
11 min

For many of you, signing electronic documents is an everyday matter. Nowadays, the use of electronic signatures in business and administrative communications is nothing unusual, and those who have not yet used an electronic signature will sooner or later discover that it is increasingly necessary and effective to use such signatures in the business world. How and when to use electronic signatures, which certificate to use and on what occasions? You will find all this in our article.


REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (hereinafter referred to as the "eIDAS Regulation") regulates and harmonizes rules for transactions and electronic identification of natural and legal persons. From the perspective of entrepreneurs, the most important part of this legislation is the provisions relating to electronic signatures, which will be the focus of this article.

With the aim of ensuring the proper functioning of the internal market and focusing on an appropriate level of security for electronic identification means and trust services, the eIDAS Regulation lays down the conditions under which Member States shall recognize electronic identification means for natural and legal persons which belong to a notified electronic identification scheme of another Member State. The eIDAS Regulation also lays down rules for trust services, in particular for electronic transactions, and establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services for registered consignments, and certification services for website authentication.

For many of you, signing electronic documents is an everyday matter. Nowadays, the use of electronic signatures in commercial and administrative transactions is nothing unusual, and anyone who has not yet used an electronic signature will sooner or later discover that it is increasingly necessary and effective to use such signatures in the business world. Currently, qualified electronic signatures are mainly used when accessing public administration services on the www.slovensko.sk portal. In addition to the slovensko.sk portal, this signature can be used in a number of electronic services intended for both businesses and non-business users (e.g., land registry entries, tax returns, and others).

The aim of the eIDAS Regulation is to facilitate access to electronic interactions and build an EU digital identity. Thanks to the harmonization achieved by the Regulation, entrepreneurs can quickly and securely sign electronic contracts throughout the EU and vice versa. However, the signing of electronic documents also applies to natural persons who are not entrepreneurs, for whom this method of signing greatly simplifies, for example, communication with public institutions.

The eIDAS Regulation entered into force on July 1, 2016, and since then its provisions on trust services have been directly applicable and directly binding in all 28 EU Member States. Trust services are no longer regulated separately by the national law of the Member States. In the Slovak Republic, the legal regulation in this area is supplemented by a generally binding legal regulation in the form of Act No. 272/2016 Coll. on trust services for electronic transactions in the internal market (Trust Services Act), as amended, which is the implementing legislation for the eIDAS Regulation.

The eIDAS Regulation states that the following types of signatures can be distinguished:

Electronic signature - data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign.

Advanced electronic signature - an electronic signature which, within the meaning of Article 26 of the eIDAS Regulation, is uniquely linked to the signatory; it allows the signatory to be identified; it is created using electronic signature creation data that the signatory can use with a high level of confidence under their sole control, and is linked to the data being signed in such a way that any subsequent change in the data can be detected.

Qualified electronic signature - an advanced electronic signature created using a qualified electronic signature creation device and based on a qualified certificate for electronic signatures.

Within the meaning of Section 2(1) and (2) of the Trust Services Act, quote:

"(1) If a qualified electronic signature is used in dealings with public authorities, a qualified certificate for electronic signatures issued by a qualified trust service provider to which the authority has granted qualified status may, as a special attribute, contain the signatory's birth number; if no birth number has been assigned, it may contain the passport number or identity card number.

(2) If a qualified electronic seal is used in communication with public authorities, a qualified certificate for electronic seals issued by a qualified trust service provider to which the authority has granted qualified status may contain the identification number of the originator of the seal as a special attribute."

The Slovak identity card with an electronic chip is a so-called electronic identification card (eID card), which contains:

  • a qualified certificate (ACA), through which it is possible to create a qualified electronic signature (KEP). The KEP contains the person's first and last name; the certificate may also contain optional information, which is usually the person's birth number or identification card number. A qualified mandate certificate for electronic signatures must also contain information about the principal and the mandate. According to Section 8 of the Trust Services Act, a mandate certificate is a qualified certificate for electronic signatures issued to a natural person who is authorized by law or on the basis of law to act on behalf of or in the name of another person or public authority, or to a natural person who performs a function or activity under a special regulation,
  • certificate for signing (PCA), which is used for signing with an electronic signature but does not allow the creation of a KEP, and therefore should not be used in communication with public authorities,
  • certificate for encryption (SCA), which also does not allow the creation of a KEP.

The above certificates can also be uploaded online using the eID client application without the need to visit the document department in person. To upload certificates, you must have an eID card, an eID card reader, a computer device, and the eID client application downloaded. If the eID card is an identity card, every citizen of the Slovak Republic can have certificates for qualified electronic signing issued or uploaded to it free of charge. From our own experience, we would like to point out that if you have a new biometric ID card, it is possible that an older reader will not be compatible with this ID card and you will not be able to log in to www.slovensko.sk and upload your signature certificates. For the reader to work properly, you will need to install several drivers depending on the operating system of your computer. If you want to avoid unnecessary complications and upload your signature certificates to your new ID card as quickly as possible, we recommend that you purchase a reader from the list of compatible readers published by the Ministry of the Interior of the Slovak Republic, or we recommend that you purchase a reader with Plug & Play technology, which does not require the installation of additional drivers and recognizes the hardware immediately. If you already have the right reader, all you need to know is your BOK (the code you chose at the document department and which is automatically "loaded" onto your eID card).

When creating certificates for your eID card, you must choose a six-digit code (KEP PIN) and an eight-digit code (KEP PUK) for the ACA qualified certificate. PCA and SCA certificates can only be used to create an advanced electronic signature, which has no legal force in the Slovak Republic, but in accordance with the eIDAS Regulation, it is a usable format that can be accepted, for example, by other EU Member States if they allow this level of security and do not also require an ACA certificate.

In relation to other countries, Article 6 of Chapter II of the eIDAS Regulation is important. According to it, if national law or administrative practice requires electronic identification by means of an electronic identification means and authentication for access to a service provided online by a public sector body in one Member State, electronic identification means issued in another Member State shall be recognized in the first Member State for the purposes of cross-border authentication for that online service, provided that the following conditions are met:

  • the electronic identification means were issued under an electronic identification scheme (listed by the Commission in accordance with Article 9),
  • the security level of the electronic identification means is equivalent to or higher than the security level required by the relevant public sector body for access to the online service in the first Member State, provided that the security level of the electronic identification means corresponds to the security level "advanced" or "high",
  • the relevant public sector entity uses the "advanced" or "high" security level for access to the online service in question.

And what exactly is a qualified certificate? According to the glossary of the central public administration portal slovensko.sk, it is "an electronic document by which the certificate issuer confirms that the public key specified in the certificate belongs to the person to whom the certificate is issued (certificate holder) and is stored on a chip ID card." Such a certificate is valid for 5 years, and certificates for signing and encryption are issued for the validity period of the ID card – 10 years.

What happens when a qualified certificate expires? According to the slovensko.sk portal, expiry does not mean the end of the login function for the central portal or specialized portals.

A qualified electronic signature allows the natural person who created it to be clearly and accurately identified. KEP is the electronic alternative to the handwritten signature used to authorize documents in paper form; it is used in electronic communication with public authorities via the central public administration portal and in communication with the commercial sector.

The KEP of an electronic document within the meaning of the slovensko.sk portal ensures:

  • "authenticity – the identity of the entity that created the signature can be clearly verified;
  • integrity – it can be proven that no intentional or unintentional change has been made to the content of the document after it was signed;
  • non-repudiation – the author cannot claim that they did not create the signature on the electronic document."

Within the meaning of Article 25(2) and (3) of the eIDAS Regulation, a qualified electronic signature has the same legal effect as a handwritten signature. A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognized as a qualified electronic signature in all other Member States. The eIDAS Regulation introduces many technical requirements that must be met in order for a given type of signature to be used. This is reflected in advanced IT encryption solutions, making it virtually impossible to forge an electronic signature in practice.

If you have ever heard the term ZEP (guaranteed electronic signature) instead of KEP, we would like to point out that there is no difference between KEP and ZEP. The term ZEP is just an older term that was included in Act No. 215/2002 Coll. on electronic signatures, as amended, which was repealed by Act No. 272/2016 Coll. on trust services for electronic transactions in the internal market (Trust Services Act), as amended. Under European regulations, the correct terminology is KEP.

Within the meaning of Section 17(2) of the Trust Services Act, if the term

  1. guaranteed electronic signature is used in generally binding legal regulations, it means a qualified electronic signature,
  2. guaranteed electronic seal means a qualified electronic seal,
  3. time stamp means a qualified electronic time stamp.

The term electronic signature is also associated with the term "electronic seal", which is a seal that can be used in particular by legal entities - companies, organizations or institutions. This seal consists of data which, by being linked to or added to a specific document, ensures its integrity and authenticity – i.e. it ensures that it originates from the legal entity in question and that the document cannot be attributed to another person. The term "electronic time stamp" refers to integrity protection, i.e. an electronic time stamp links a document to real time in such a way that any subsequent change to the secured document will be visible and traceable.

If, after reading this article, you still do not feel confident about electronic signing via KEP and need to use it as soon as possible, please do not hesitate to contact our law firm Hronček & Partners, s. r. o., where we will be happy to provide you with legal advice in this area.


Hronček & Partners

"Quality content is not created by copywriters, but by experts."