Decoding AES and QES to Ace your E-signature Usage

With all business transactions – be it corporate contracts, distribution deals, or government records – moving online, electronic signatures are finding their place under the sun. Besides reducing dependence on handwritten signatures and physical documentation processes, digital signing increases security, reduces costs, and helps businesses save time. The icing on the cake is, of course, the huge cutback on the environmental damage that digital signing has brought about.

However, in this revolutionary new space of e-signatures, corporates can choose from a host of signing styles – depending on their technical complexity, and security and usage requirements. The eIDAS (Electronic Identification, Authentication and Trust Services), an EU regulatory body defines 3 types of electronic signatures: Simple Electronic Signatures, Advanced Electronic Signatures (AES), and Qualified Electronic Signatures (QES).

In this blog, we will look at the two most popular and widely used e-signatures – the AES and the QES. We’ll delve into what makes them stand out, their unique security advantages, how they differ, and how businesses can opt for a big-fitting e-signature.

What is an Advanced Electronic Signature?

Advanced electronic signatures use certificates that identify unique signatories, who exercise sole control over the signing key. While simple electronic signatures follow very basic e-signing norms, a signature can make the cut as an AES only by meeting stringent identity verification standards, technical and legal requirements, and strict security protocols.

The eIDAS lays out some rules for signatures to qualify as AES. These include:

• The e-signaturemust be uniquely linked to the signatory.
• The private key must be under the sole control of the signatory and the e-signatureshould be capable of identifying the signatory.
• If there is any data tampering after a document has been signed, an AES must be able to identify the occurrence and invalidate the signature.

When digital signatures are based on Public Key Infrastructure (PKI), they usually qualify as an AES as they meet all the requirements stipulated by the eIDAS. It also enables the e-signature to provide high levels of security to the signing and contracting process and ensure no out-of-turn changes are made to the document.

To put it in a nutshell: AES guarantees the integrity and authenticity of a document, and when properly implemented, it proves to be just as good as a traditional wet-ink signature. However, if the validity of an AES comes under the scanner, the burden of providing proof of its legitimacy lies with the signatory.

What is a Qualified Electronic Signature?

The QES is considered the gold standard of digital signatures, as it provides absolute integrity and authenticity, in line with the eIDAS rulebook. It comes loaded with several high-level security layers. For instance, to qualify as a QES, an e-signature must store all creation and signature data on extremely reliable and assured devices like cryptographic USB tokens or Hardware Security Modules (HSMs), which are considered top-level security standards for cryptographic modules.

What’s more, to make the cut as a QES, an electronic signature’s data must be based on a qualified certificate for electronic signatures. Such a certificate can be purchased from a certificate authority that is accredited as a Qualified Trust Service Provider (QTSP).

With such stringent security protocols in place, the QES is recognized by all member states of the European Union. It’s also considered legally at par with wet-ink signatures unless there is a compelling reason to suspect the authenticity of the underlying certificates. In such a scenario, the burden of proof rests with the party that doubts its validity.

AES vs QES: How they differ

Let’s get a quick rundown of the key differentiators between the AES and the QES:

• A QES requires specific and regulated hardware – a qualified electronic signature device – for its creation.
• While a QES follows all the same protocols of an AES, it is considered more secure.
• When a signatory disputes the use of a QES, the burden is on them to prove its validity.
• A signer must be verified through a face-to-face meeting, or an equivalent process like a video call, before they can sign their first QES.

Which e-signature is the best for your business need?

AES or QES? What should you go for? The short answer is to analyze your business needs. As the implementation of the QES comes with a complex procedure it is usually recommended to be used in specific cases. The AES, on the other hand, follows a less nuanced and simpler implementation.

Security should be another big deciding factor. If your business document requires that security take precedence over user experience, then QES is the way to go. While QES are usually used for signing large commercial and sales agreements and mortgage documents, AES works well for employment contracts, banking documents, and sending OTPs.

Here is a 3-step process that businesses are recommended to follow before they zero in on a right-fitting e-signature:

1. Identify the constraints and risks that can be associated with the use of e-signatures in your specific business case.
2. Do a SWOT analysis to understand how an e-signature will impact your company image, productivity, and financial stakes.
3. Pick what is more critical for your business requirement: better user experience or security needs.

How the world views AES and QES

While most nations across the world recognize e-signatures, different countries have different standards for digital signatures as well as the methods to be used to authenticate a signer. For instance:

• In the Americas, Brazil follows the Code of Civil Procedure. Mexico subscribes to a Civil Code.
• In the US, digital signatures are typically used in regulated industries like life sciences. US Federal government employees are issued a personal identity verification (PIV) card that contains a PKI digital certificate for signing. It complies with the US Federal Processing Standards.
• In Europe, the European Union’s Electronic Identification, Authentication and Trust Services regulation (eIDAS) is the primary regulatory authority. It provides comprehensive governance of electronic signatures and establishes requirements for each type of e-signature.
• In Switzerland, the Electronic Signature Act lays out the regulatory requirements and also allows a supplementary type of e-Signature(regulated e-Signature) which follows a middle path between the AES and QES.
• In Australia, the Electronic Transactions Act lays down the continent’s e-regulation norms.
• In many countries, where wet ink signatures still rule the roost, only QES or a local equivalent, carries legal weight.

With such diversity in the laws, businesses need to conduct a comprehensive nation-specific assessment to ensure their e-signature policies are admissible and valid. What should they look into?

• Legal aspect: Nature of contract, industry regulations, litigation risks.
• Geographical aspect: Law of contract execution and of the counterparty.
• Operational aspect: Post-signing steps, communication with third parties, including public authorities.

Sum Up: Know your business requirement to ace your e-sign usage

Before opting for a digital signature solution, organizations must understand their business requirements, check which documents and processes they want to handle digitally in the future, and know the number of transactions that are to be incurred for the respective signature type. A comprehensive idea of the two main types of e-signatures goes a long way in zeroing in on the usage of your signature software.

Looking to Book a Demo with Certinal? Sign up now

Follow Certinal