For many of you, signing electronic documents is a daily routine. Nowadays, using electronic signatures in business or administrative communications is nothing out of the ordinary, and anyone who hasn’t used an electronic signature yet will sooner or later discover that it is becoming increasingly necessary and effective to use this type of signature, especially in the business world. How and when to use electronic signatures, which certificate to use, and on what occasions? You’ll find all of this in our article.
REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (hereinafter referred to as “eIDAS Regulation”) regulates and harmonizes the rules for transactions and electronic identification of natural and legal persons. From the perspective of businesses, the most important part of this legislation is the provisions concerning electronic signatures, and it is precisely these that we will focus on in this article.
The eIDAS Regulation, with the aim of ensuring the proper functioning of the internal market and focusing on an appropriate level of security for electronic identification means and trust services, sets out the conditions under which Member States recognize means of electronic identification of natural and legal persons that belong to a notified electronic identification scheme of another Member State. The eIDAS Regulation further establishes rules for trust services, in particular electronic transactions, and creates a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic delivery services for registered mail, and certification services for website authentication.
Currently, qualified electronic signatures are primarily used when accessing public administration e-services on the www.slovensko.sk portal. In addition to the slovensko.sk portal, this signature can be used in several electronic services intended for both businesses and individuals (e.g., entries in the real estate cadastre, filing tax returns, and others).
The aim of the eIDAS Regulation is to facilitate access to electronic interactions and to establish a digital identity for the EU. Thanks to the harmonization achieved by the Regulation, entrepreneurs can quickly and securely sign electronic contracts with counterparties anywhere in the EU, and those counterparties can do the same in return. However, the signing of electronic documents also applies to natural persons who are not entrepreneurs, for whom this method of signing significantly simplifies, for example, communication with public institutions.
The eIDAS Regulation entered into force on July 1, 2016, since when its provisions on trust services have been directly applicable and directly binding in all 28 EU member states. Trust services are no longer regulated separately by the national laws of member states. In the Slovak Republic, the legal framework in this area is supplemented by a generally binding legal regulation in the form of Act No. 272/2016 Coll. on Trust Services for Electronic Transactions in the Internal Market (the Trust Services Act), as amended, which constitutes the implementing legislation for the eIDAS Regulation.
The eIDAS Regulation states that the following types of signatures can be distinguished:
- Electronic signature – data in electronic form that is attached to or logically associated with other data in electronic form and which the signatory uses to sign.
- Advanced electronic signature – an electronic signature that, within the meaning of Article 26 of the eIDAS Regulation, is uniquely linked to the signatory; enables the identification of the signatory; is created using electronic signature creation data that the signatory can use under their sole control with a high level of confidence; and is linked to the data being signed in such a way that any subsequent alteration of the data can be detected.
- Qualified electronic signature – an advanced electronic signature created using a qualified electronic signature creation device and based on a qualified certificate for electronic signatures.
Section 2(1) and (2) of the Trust Services Act reads as follows:
“(1) If a qualified electronic signature is used in dealings with public authorities, a qualified certificate for electronic signatures issued by a qualified trust service provider to whom the Office has granted qualified status may, as a special attribute, contain the signatory’s birth number; if the signatory has not been assigned a birth number, it may contain the passport number or the identification card number.
(2) If a qualified electronic seal is used in dealings with public authorities, the qualified certificate for the electronic seal issued by a qualified trust service provider to whom the Office has granted qualified status may contain the seal creator’s identification number as a special attribute.”
The Slovak ID card with an electronic chip is a so-called electronic identification card (eID card), which contains:
- a qualified certificate (ACA), with which a qualified electronic signature (KEP) can be created. The certificate underlying the KEP contains the person’s first and last name and may also contain optional data, usually the person’s birth number or ID card number. A mandated qualified certificate for electronic signature must also contain data on the principal and the mandate. According to Section 8 of the Trust Services Act, a mandate certificate is a qualified certificate for electronic signatures issued to a natural person who is authorized by law or pursuant to law to act on behalf of another person or a public authority, or to a natural person performing a function or activity under a special regulation,
- a signing certificate (PCA), which is used for signing with an electronic signature but does not allow the creation of a KEP, and therefore should not be used when communicating with public authorities,
- an encryption certificate (SCA), which likewise does not allow the creation of a KEP.
These certificates can also be uploaded online via the eID Client application without the need to visit the document office in person. To upload certificates, you must have an eID card, an eID card reader, a computer, and the eID Client application installed. Where the eID card is the citizen’s ID card, every citizen of the Slovak Republic can have certificates for qualified electronic signing issued or uploaded to it free of charge.

Based on our own experience, we would like to point out that if you have a new biometric ID card, an older card reader may not be compatible with it, in which case you will not be able to log in to www.slovensko.sk or upload your signature certificates. For the reader to function properly, you will need to install several drivers depending on your computer’s operating system. If you want to avoid unnecessary complications and upload your signature certificates to your new ID card as quickly as possible, we recommend purchasing a reader from the list of compatible readers published by the Ministry of the Interior of the Slovak Republic, or alternatively a reader with Plug & Play technology, which does not require the installation of additional drivers and is recognized by the computer immediately. If you already have the correct reader, all you need is your BOK (the personal security code you selected at the document office, which is already “loaded” onto the eID card).
When creating certificates for the eID card, you must select a six-digit code (KEP PIN) and an eight-digit code (KEP PUK) for the ACA qualified certificate. Using the PCA and SCA certificates, you can only create an advanced electronic signature, which has no legal force in the Slovak Republic; under the eIDAS Regulation, however, it is a usable format that may be accepted, for example, by other EU Member States if they permit such a level of security and do not also require an ACA certificate. With regard to other countries, Article 6 of Chapter II of the eIDAS Regulation is important. Under that provision, where national law or administrative practice requires electronic identification using electronic identification means and authentication in order to access an online service provided by a public sector body in one Member State, electronic identification means issued in another Member State shall be recognized in the first Member State for the purposes of cross-border authentication for that online service, provided that the following conditions are met:
- the electronic identification means have been issued under an electronic identification scheme (listed in the list published by the Commission pursuant to Article 9),
- the assurance level of the electronic identification means is equal to or higher than the assurance level required by the relevant public sector body for access to the online service in the first Member State, provided that the assurance level of the electronic identification means in question corresponds to the “substantial” or “high” assurance level,
- the relevant public sector body uses the “substantial” or “high” assurance level in relation to access to the given online service.
And what exactly is a qualified certificate? According to the glossary of the central public administration portal slovensko.sk, it is “an electronic document by which the certificate issuer confirms that the public key specified in the certificate belongs to the person to whom the certificate is issued (the certificate holder), which is stored on a chip-enabled ID card.” Such a certificate is valid for 5 years; a certificate for signing and encryption is issued for the duration of the ID card’s validity—10 years.
What happens when a qualified certificate expires? According to the slovensko.sk portal, expiration does not mean the end of the ability to log in to the central portal or specialized portals.
A qualified electronic signature (QES, in Slovak KEP) allows for the clear and precise identification of the natural person who created it. A QES is the electronic equivalent of the handwritten signature used to authenticate paper documents; it is used in electronic communication with public authorities via the central public administration portal and in communication with the commercial sector.
The KEP of an electronic document, as defined by the slovensko.sk portal, ensures:
- “authenticity – the identity of the entity that created the signature can be unequivocally verified;
- integrity – it can be demonstrated that, after the document was signed, no intentional or unintentional changes were made to the document’s content as it existed at the time of signing;
- non-repudiation – the author cannot claim that they did not create the signature on the electronic document.”
Under Article 25(2) and (3) of the eIDAS Regulation, a qualified electronic signature has the same legal effect as a handwritten signature. A qualified electronic signature based on a qualified certificate issued in one Member State is recognized as a qualified electronic signature in all other Member States. The eIDAS Regulation establishes numerous technical requirements that must be met in order to use this type of signature. In practice, this means strong cryptographic mechanisms that make forging such a signature practically infeasible.
If you have ever heard the term ZEP (guaranteed electronic signature) instead of KEP, we would like to point out that there is no difference between KEP and ZEP. The term ZEP is merely an older term that appeared in Act No. 215/2002 Coll. on Electronic Signatures, as amended, which was repealed effective October 18, 2016, by Act No. 272/2016 Coll. on Trust Services for Electronic Transactions in the Internal Market (the Trust Services Act), as amended. Under European legislation, the correct term is KEP (qualified electronic signature).
Pursuant to Section 17(2) of the Trust Services Act, if the following terms are used in generally binding legal regulations:
- “guaranteed electronic signature” means a qualified electronic signature,
- “guaranteed electronic seal” means a qualified electronic seal,
- and “time stamp” means a qualified electronic time stamp.
The term “electronic signature” is also associated with the term “electronic seal,” which refers to a seal that may be used primarily by legal entities such as companies, organizations, or institutions. A seal consists of data that, by being linked to or appended to a specific document, ensures its integrity and authenticity, that is, that the document originates from the given legal entity and cannot be attributed to any other person. The term “electronic time stamp” likewise refers to integrity protection: an electronic time stamp links the document to a point in real time in such a way that any subsequent change to the secured document will be visible and traceable.
If, even after reading this article, you are still unsure about electronic signing via a qualified electronic signature provider (QESP) and need to start using it as soon as possible, please do not hesitate to contact our law firm, Hronček & Partners, s. r. o., where we will be happy to provide you with legal advice in this area.