Fighting cybercrime: why is QES our best chance?
As digital transformation continues to sweep over companies worldwide, taking appropriate measures to protect data in online environments is crucial. But progress is apparent on both sides of the fence: cybercriminals are also finding new ways to obtain and exploit private information. And when it comes to identity theft, the stakes are high, ranging from heavy financial damage to legal liability and more. Having a reliable digital framework that is regulated, protected and future-proof is our best bet, and that is where qualified signing comes in.
For centuries, signatures have underpinned legal agreements. In essence, putting one's signature on a document establishes two things: that the signatories trust each other's identity, and that they have both agreed to what they are signing. In the physical realm, establishing that is relatively simple. But how do we build the same foundation of trust when everything takes place in a virtual environment?
Achieving regulatory harmony in the EU
Adopted in 2014, the eIDAS Regulation (EU) No 910/2014 marks a big step towards regulatory harmony throughout the EU. It set the legal framework for remote signing by defining three levels of electronic signature: Simple (SES), Advanced (AES) and Qualified (QES). Whereas SES is only suitable in low-risk scenarios where signatories already know and trust each other, both AES and QES are good options for moderate-risk scenarios. But when it comes to high-risk agreements that carry significant legal weight, QES is more than just the default option. Because it meets the highest security requirements, QES is the only electronic signature whose legal effect is equivalent to a handwritten signature in every EU member state, which makes it the type suitable for interaction with courts of law and public authorities across the Union.
Although SES and AES do offer some security, the multi-layer security around QES is unmatched. The distinguishing element is a trusted third party: the Qualified Trust Service Provider (QTSP). Certified, supervised and audited under eIDAS, QTSPs establish a trust base for remote signing by independently verifying the identity of the signatories before they sign, and by issuing each of them a qualified certificate that binds that verified identity to a signing key. That secures the first fundamental part of a signing act: identity-based trust. The second part, integrity, is provided by cryptography: the signature is computed over a hash of the document with the signatory's private key, so any change to the signed document, even a single byte, causes verification against the signatory's public key to fail.
That said, while AES is secure, the absence of a third party to verify signatories' identities makes this eSignature type hard to scale. QES, on the other hand, is not only reliable but also easily scalable, as long as a strong, consistent regulatory framework is there to support it. According to ZealiD's CTO and Security Officer Robert Hoffmann, the key to that scalability lies in the onboarding process QTSPs use for identity verification. “In the case of ZealiD, everything a user needs to register is a government-issued ID document and a smartphone with biometric authentication, such as Touch or Face ID. Only accepting passports and ID cards means that, as long as we can reliably identify a document as authentic and relating to this user, we have a strong trust base to build upon,” he states. Besides, a smooth user experience isn't the only advantage of running the complete user journey on a mobile application. “Smartphone environments are much more restricted and protected than a regular laptop. Storing credentials in the hardware modules of a modern mobile phone raises security to a level most ordinary users wouldn't be able to ensure otherwise,” Robert notes.
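As an added example (it is neither ZealiD's code nor any part of the eIDAS framework), here is the integrity property described above in the smallest form it can take: sign a SHA-256 hash of a document with a private key, then show that the same signature no longer verifies once a single figure in the document has been changed. It assumes ECDSA over P-256 purely for illustration; a real QES additionally binds the key to the signatory's qualified certificate, wraps the signature in a standardised container (CAdES, PAdES or XAdES) and validates the certificate chain and signing time, none of which is shown here. The sample contract text is constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// SignDocument hashes the document with SHA-256 and signs the digest with the
// signatory's private key. The result is an ASN.1 DER-encoded ECDSA signature.
func SignDocument(priv *ecdsa.PrivateKey, doc []byte) ([]byte, error) {
	digest := sha256.Sum256(doc)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyDocument recomputes the digest over the document it is given and checks
// the signature against the signatory's public key. Because the digest changes
// with any change to the document, a modified document never verifies.
func VerifyDocument(pub *ecdsa.PublicKey, doc, sig []byte) bool {
	digest := sha256.Sum256(doc)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// TamperCheck signs a constructed sample contract, verifies it, then changes one
// figure in the text and verifies again with the original signature. It returns
// (validBeforeTamper, validAfterTamper).
func TamperCheck() (bool, bool, error) {
	// Key pair standing in for the signatory's key held in a qualified signature
	// creation device; generated here for illustration only (assumption).
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false, false, err
	}

	// Constructed sample document, not a real contract.
	contract := []byte("Buyer pays Seller EUR 1000 on 2024-01-31.")

	sig, err := SignDocument(priv, contract)
	if err != nil {
		return false, false, err
	}
	validBefore := VerifyDocument(&priv.PublicKey, contract, sig)

	// Alter a single figure after signing: "1000" becomes "9000". The signature
	// is untouched, but it was made over the hash of the original bytes.
	tampered := bytes.ReplaceAll(contract, []byte("1000"), []byte("9000"))
	validAfter := VerifyDocument(&priv.PublicKey, tampered, sig)

	return validBefore, validAfter, nil
}

func main() {
	before, after, err := TamperCheck()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original document verifies: %v\n", before) // true
	fmt.Printf("tampered document verifies: %v\n", after)  // false
}
```

The caveat a practitioner should keep in mind: a passing verification proves only that the document has not changed since it was signed and that whoever holds the private key produced the signature. Whether that key belongs to the person named in the agreement is exactly what the QTSP's identity verification and the qualified certificate establish, and checking that certificate chain is a separate validation step this snippet does not perform.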
Regulatory consistency on a global scale: mission impossible?
Although eIDAS shows that QES can be both secure and scalable, the situation outside the EU is very different. The lack of standardised legal requirements around eSignatures puts millions of service providers, suppliers, consumers and employees at risk. And given the international character of business, this problem will only become more prominent over time.
According to ZealiD's CTO and Security Officer, achieving regulatory harmony will not be easy. “In essence, it all boils down to digital maturity. EU member states have been working on that for years now. Aligning digital processes and regulatory schemes from the ground up takes considerable effort in the political, legal, organizational and infrastructure area,” Robert says.
While there is still a long way to go before the legal and regulatory landscape is fully harmonized (even within the EU), setting consistent international standards is an investment that will ultimately benefit everyone involved. In the meantime, QES is already a powerful tool that is readily available, easy to use and versatile for remote signing across the EU and in other countries that recognise this level of assurance. As an international supplier, ZealiD offers its unified QES services across countries, so that customers don't have to worry about each local regulatory aspect.