The simple, straight-forward answer is: yes, we do.
Scrive is a considered a “Trust Service Provider” by eIDAS terms. We are required to comply with eIDAS, and the services we provide are valid and sufficient for basically any business needs.
That being said, if you dig deeper into what eIDAS is all about, you will find that there is more to it than that.
The details don’t make a difference as far as your ability to use Scrive, but to help you understand a statement like “we need to use an eIDAS-compliant solution”, let’s try to straighten this out:
First of all, eIDAS is a recent set of standards put in place by the European Union (EU), and the purpose of those standards is often misunderstood.
In simple terms, the main purpose of eIDAS is to enable EU-citizens to identify themselves electronically – across the EU – in the same secure way. It’s a good idea, and it will be nice when there are certified eID-solutions in all EU-countries so that you, as a citizen, can interact electronically with public authorities in other EU-countries.
However, it is more important to understand that the eIDAS Regulation does not change the requirements for entering into a valid, binding contract using an electronic signature.
In contract law, the most fundamental part is being able to prove the signatory’s intention to sign, which has nothing to do with eIDAS. The regulation focuses solely on the identification of the person who is signing (the “signatory”). That’s an important difference!
Essentially, you should not look at eIDAS for guidance about the legal validity of an e-signed contract. For that, be more concerned with the quality of electronic evidence – in particular, the evidence of intent – that the e-signing service provides.
That being said, the authentication of a signatory’s identity is also important, of course, and the standards set forth by eIDAS do relate to different levels of security involved in that process. According to eIDAS electronic signatures can be basic, advanced, or qualified. “Qualified” signatures have the highest level of security. Advanced or Qualified signatures might be required, for example, to identify yourself when logging into a web-service of a public authority in another EU-country.
As you can see, this is complicated stuff, but hopefully, it makes sense so far: eIDAS is about identification rather than the legally binding electronic signatures, and there are different levels of security to consider for your business.
So, you might be thinking, does eIDAS require a “qualified” electronic signature for any kind of transaction? The simple answer is: no, and it’s the same whether you are a private person or a business.
The vast majority of business transactions don’t need anything more than “basic” identification, and that has been true since before eIDAS was implemented. There are exceptions of course and for some types of contracts and documents specific regulation may require at least an “advanced” level of identification.
Scrive can provide both, depending on your needs.
By default, every Scrive process includes “basic” authentication, which is used for thousands of business contracts signed with Scrive every day. We also offer additional forms of security, like PIN via SMS or Swedish and Norwegian BankID (“advanced”).
Our approach to eIDAS is pragmatic: we plan to offer more advanced/qualified authentication methods as soon as it makes real business sense to our customers (and us). By using Scrive, you don’t have to build a custom solution around a specific advanced/qualified electronic signature technology for each workflow. Instead, you configure everything in our system at no or very low cost of implementation.
So, the first things you should consider when selecting an e-signing solution provider are:
- the quality of evidence
- the flexibility to support different workflows across your real business processes
- the user experience
Secondly, with regards to eIDAS and authentication: consider your actual business needs and applicable regulations rather than going for the highest eIDAS security standards by default.
A flexible solution like Scrive will allow you to use the appropriate methods of authentication for your business. However, a solution that always requires advanced or qualified methods might actually reduce usability outside your country, slow down adoption, and be less user-friendly.