The different digital signature levels – explained clearly!
published on 31.05.2023
Electronic signatures are replacing personal signatures in the digital world. Depending on the security level and legal effect, there are three different signature types: Simple Electronic Signature (SES), Advanced Electronic Signature (AES) and Qualified Electronic Signature (QES). We will explain the differences here.
Digital signatures – indispensable for digitisation
Electronic signatures are an important tool for the digitisation of business processes. They prevent the media disruption caused by a manual signature, where documents are printed out, signed by hand, then digitally scanned again. This incurs costs and is time-consuming, as it stops and slows down the process for many customers. Electronic signatures help here by supporting end-to-end digital workflows.
The three signature levels
The legal basis for digital signatures is established in the European eIDAS Regulation. It creates a uniform legal framework throughout the EU for trust services, including electronic signatures.
The regulation distinguishes between three levels of digital signatures:
- the Simple Electronic Signature (SES),
- the Advanced Electronic Signature (AES),
- the Qualified Electronic Signature (QES).
Simple Electronic Signature (SES)
With the simple electronic signature, data in digital form is added to or logically connected with other digital data. For example, this is the case with the email signature. Simple electronic signatures also include scanned signatures inserted into documents as graphics.
Even though simple electronic signatures are still very widespread, they cannot be validated by the recipient or third parties and do not provide security in digital processes.
Advanced Electronic Signature (AES)
The advanced electronic signature provides a higher level of security. It has to meet the following requirements:
- It is unambiguously assigned to the person signing and allows him/her to be identified.
- It is created by electronic means and triggered by a release (such as authentication by means of one factor).
- It is linked to the signed data in such a way that any subsequent change or manipulation of the data can be detected.
In practical application, advanced electronic signatures use modern cryptographic procedures, which protect the contents of the documents from subsequent manipulation (integrity). In addition, the identity of the signature holder is verified (authenticity). For recipients or third parties, the identity is correspondingly traceable and can be validated with the AES.
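The following Go program is an added example, not code from the original page or from D-Trust. It shows how a recipient would check the three requirements above: an untouched document, a document edited after signing, a signature copied onto different data, and a signer who cannot be identified. Ed25519, the Registry type (a stand-in for a certificate), the e-mail addresses and the sample documents are assumptions made for this illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Result is what a recipient or third party learns when validating.
type Result string

const (
	Valid         Result = "valid"
	UnknownSigner Result = "signer cannot be identified"
	Mismatch      Result = "data changed, or signature belongs to other data"
)

// Registry (assumed here) stands in for certificates: identity -> public key.
type Registry map[string]ed25519.PublicKey

// Validate checks signer identity, then that sig covers exactly these bytes.
func Validate(reg Registry, signer string, doc, sig []byte) Result {
	pub, ok := reg[signer]
	if !ok {
		return UnknownSigner
	}
	if !ed25519.Verify(pub, doc, sig) {
		return Mismatch
	}
	return Valid
}

// Demo signs one constructed sample document and validates four cases.
func Demo() [4]Result {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	reg := Registry{"alice@example.org": pub}
	contract := []byte("Rent: 900 EUR per month") // constructed sample data
	sig := ed25519.Sign(priv, contract)           // key under the signer's control
	return [4]Result{
		Validate(reg, "alice@example.org", contract, sig),                          // untouched
		Validate(reg, "alice@example.org", []byte("Rent: 100 EUR per month"), sig), // edited
		Validate(reg, "alice@example.org", []byte("Loan guarantee"), sig),          // sig reused
		Validate(reg, "mallory@example.org", contract, sig),                        // no identity
	}
}

func main() { fmt.Println(Demo()) }
```

A scanned signature image has no counterpart to Validate: the same image bytes fit under any document, which is why a simple electronic signature cannot be checked this way.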
Qualified Electronic Signature (QES)
The qualified electronic signature has the highest level of security and the strongest legal effect. In this case, the identity of the signature holder is confirmed by a trust service provider – such as D-Trust GmbH, a company of the Bundesdruckerei Group – and can be validated at any time by recipients or third parties (authenticity). The signed document cannot be changed unnoticed, nor can the signature be transferred to another document (integrity).
Qualified electronic signature: maximum security and highest evidential value
German law requires many contracts and documents to be in written form. Of all three signature levels, only the qualified electronic signature complies with the legally prescribed written form requirement and is thus able to replace the handwritten signature in these cases.
What is the difference between the advanced and qualified electronic signature?
Advanced and qualified electronic signatures differ in the way certificates are issued, in the authentication procedure and in their legal effect.
According to the eIDAS Regulation, qualified electronic certificates may only be issued by qualified electronic trust service providers (formerly known as trust centres). These providers are subject to particularly strict data protection and IT security requirements. They are regularly audited by national supervisory authorities – in Germany, by the Federal Network Agency. Certificates for advanced electronic signatures, by contrast, can also be issued, managed and distributed by a company’s own office.
The second distinguishing feature is the authentication procedure used. The qualified electronic signature requires two-factor authentication, such as via an app or SMS-TAN.
And thirdly, the burden of proof is legally reversed for the qualified electronic signature: whereas advanced electronic signatures are subject to a free judicial assessment of evidence in court, the QES carries far-reaching evidentiary value in a legal dispute, both with regard to the assumption of the authenticity of the content and the verified identity. In order to achieve this increased evidentiary value, even where there are high liability risks, a QES can always be used for all electronic documents, regardless of legal regulations. To put it simply, this applies in a double sense: When in doubt, go with the QES.
Areas of Application
The opportunities for using electronic signatures cover a wide range of industries and applications:
- In government agencies and public institutions, for example, signatures are used for funding applications, building permits, public tenders or in the electronic waste verification procedure (eANV).
- In the health care sector, health insurance statements, prescriptions, surgery consent forms or discharge letters can be signed electronically.
- Companies in the free market economy benefit when signing employment contracts or in electronic invoice processing.
As mentioned above, qualified electronic signatures must be used wherever the law stipulates the written form. They have the highest level of security and the strongest legal effect. However, using the QES can be helpful in other situations as well, especially if organisations want to safeguard themselves in business-critical cases or if legal disputes cannot be ruled out.
Digital signatures: technically sophisticated and legally secure
All three digital signature levels can replace handwritten signatures with an electronic alternative. The technologies are sophisticated and widely used. A high degree of legal effectiveness is ensured for the AES and especially for the QES. The eIDAS Regulation is the impetus for rapid dissemination: It sets a uniform, Europe-wide legal framework for digital signatures and defines the signature procedures used today.
One of the procedures is remote signature: This makes electronic signatures possible even on the move, such as via a tablet or smartphone. The D-Trust sign-me product shows how this works in practice.
D-Trust also offers signature cards for qualified electronic signatures. Both products can complement each other depending on the area of application and are tailored to the requirements of each customer.