Electronic signatures

Electronic signatures are specified in the eIDAS regulation (EU 910/2014).
Signatures are divided into three different levels in ascending order:

  • electronic signature
  • Advanced Electronic Signature
  • Qualified Electronic Signature

A higher level means that the underlying implementation is more secure and that the identity of the signatory can be verified more reliably.

Electronic signature

An electronic signature is electronic information that the signatory can use for signing.
An electronic signature can be, for example, a name at the end of an email message. In that case, however, the signature cannot be irrefutably linked to the person and proven to be authentic.

Advanced Electronic Signature (AES)

An AES is an electronic signature individually linked to the signatory.
An AES verifies:

  • the information content of an electronic document
  • the signatory’s identity

If the information content of an electronic document is amended after the document is signed, the signature no longer matches the content of the document.
This means that any amendment or forgery of information afterward can be detected.
A signature made using, e.g., a mobile certificate or a bank identifier is an Advanced Electronic Signature.

Qualified Electronic Signature (QES)

A QES is an advanced electronic signature created with:

  • an eIDAS-approved certificate
  • an eIDAS-approved Qualified Signature Creation Device (QSCD), such as a card chip

Just like the Advanced Electronic Signature described above, the Qualified Electronic Signature verifies the information content of the document and the signatory’s identity. In addition, the devices used to create Qualified Electronic Signatures are more closely regulated, monitored, and assessed. They may only be issued by service providers assessed and approved in advance by an EU-accredited assessment institution.

A signature made with the signature certificate of the following certificate cards approved by the Digital and Population Data Services Agency qualifies as a QES:

  • organization card (issued as of December 19, 2019)
  • ID card (issued as of January 11, 2021)

A Qualified Electronic Signature is legally binding and irrefutable within the EU. A QES approved in accordance with the eIDAS regulation must have the same legal effect as a handwritten signature. A Qualified Signature Creation Device (QSCD) is technically highly secure as it is protected from external attacks.

https://ec.europa.eu/digital-building-blocks/sites/display/DIGITAL/What+is+eSignature
https://dvv.fi/en/electronic-signatures-of-different-levels