Electronic signature in Europe: standardization of rules as the spearhead of genuine international competition


The last two decades have seen the birth and growth of the electronic signature market via a multitude of local, international, specialist and general players. However, important differences concerning the application of the legislation of the trust services, in particular as regards remote identification, exist within the European countries. This situation severely affects competition. After letting the market take its course, the European Commission has decided to legislate within 12 to 18 months to align the means of remote identification of European citizens.

These developments relate to remote identity verification and the activation of signature mechanisms. Removing this regulatory heterogeneity will have the direct consequence of promoting the international deployment of players.

The eIDAS regulation, the legal basis for trust services at European level

The European Directive 1999/93 / EC was the first European device to attempt to impose regulation on a European scale. It is clear that this was a failure because it set objectives to be reached by member countries, and it is up to them to then transpose them into local law. Each having had a unique interpretation in its transposition, the initial objective of regulatory standardization failed. The European Commission has therefore decided to create the eIDAS regulation of 23 July 2014, the ambition of which was to increase confidence in electronic transactions within the internal market, to facilitate the emergence of a digital single market. The latter therefore repeals Directive 1999/93 / EC.

An application of variable geometry legislation within Europe

While simple and advanced electronic signatures meet 80% of needs under homogeneous regulatory conditions, there are, however, glaring differences in practice from one country to another for qualified signatures. Thus, the regulations want that when a Trusted Service Provider (PSCo) issues a qualified certificate to a citizen, it is recognized throughout Europe with the same legal value. However, remote identification methods are not the same everywhere, so not all certificates provide the same legal guarantees to businesses and citizens. It is becoming urgent to bring digital confidence through harmonization! The risk is indeed important that the overall value of the qualified certificate, essential for the realization of a qualified signature, drops throughout Europe because of less secure methods. The more we defend a high value of the qualified signature shared by all European PSCo, the more we will contribute to the overall confidence of businesses and citizens.

Standardization of rules, a guarantee of security for citizens

If European countries wish to raise safety as a priority, then they must align their application of the eIDAS regulation. The digital security of citizens should not be a competitive argument, but the basis of all offers from European Trust Service Providers. There can be no compromise on the security of the citizen or on their fairness of treatment by the actors of digital trust. This standardization of security from above represents a formidable opportunity for European citizens and for competition. If such a level of market uniformity can make competition even more difficult, market players will then be able to provide even more innovative solutions to differentiate themselves.

The development of international business in the sights

Local specificities in terms of identification are detrimental to the development of international players. This is for example Italy which authorizes the remote video identification of a natural person to create his qualified certificate, the identification being carried out by a robot and not by a human, which is prohibited in France. These peculiarities in terms of legislation lead most companies to turn more naturally to local players in electronic signature, thus thinking of freeing themselves from the inconvenience associated with compliance and regulatory differences between countries. Some companies choose local service providers project by project, subsidiary by subsidiary. Still others prefer to opt for PSCo country by country, hoping to have more guarantees and that the country’s regulations will be respected.

Despite this context, however, we can see that the barriers to market standardization are falling one after the other. The European Network and Information Security Agency (ENISA) and European countries are thus tackling the last obstacles in terms of remote identification in order to generalize qualified signatures throughout Europe.

In France, the National Information Systems Security Agency (ANSSI) is working with other European countries to implement new rules for remote video identification in order to allow the creation of qualified certificates with a remote video face-to-face. ANSSI has just published a reference document on March 1 which could serve as an example for other national supervisory authorities.. This use is doomed to democratize and will go hand in hand with strong quality requirements to avoid fraud and identity theft. We need strong and uniform rules so that remote identification is synonymous with security for citizens. In addition, this digital trust base must not obscure the ergonomics of the signature solution and its speed, two fundamental aspects for companies.

The standardization of the rules will be extremely beneficial for the market in the broad sense and especially for the European citizens. Let us not forget that whoever benefits from the advantages of the electronic signature in the end is the signatory, and that person, as a citizen, has rights.

With regard to the eIDAS regulation, it is the responsibility of States to provide tools that allow their citizens to demonstrate their identity remotely with several levels of security. Once this barrier has been removed, market players will then be able to deploy internationally while guaranteeing a uniform level of compliance and security.