Electronic signatures
This is data in electronic form which is attached to other electronic data, or logically connected with it, and which a signatory uses as a signature (as defined in Art. 3 clause 10 of the eIDAS Regulation).
An electronic signature is used to attribute a document to the signatory. With an electronic signature, electronic data is attached to an electronic document which confirms the identity of the signatory and the integrity of the document being signed.
The electronic signature is used for authentication purposes and has nothing to do with a scanned handwritten signature or the encryption of readable clear text in order to convert it into a non-readable document (encoded text). However, an electronic signature can be combined with encryption of readable clear text.
The legal basis for this is Regulation (EU) No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC, Official Journal No. L 257/73 dated 28 August 2014 (eIDAS Regulation) and the Federal Act on Electronic Signatures and Trust Services (Signature and Trust Services Act – SVG).
To simplify and speed up administrative processes, it is necessary to be able to reach legally effective agreements electronically and for people to be able to uniquely identify themselves. That is what Austria's concept of the Citizen Card is designed to do, which combines the elements of electronic identification and electronic signatures. The main purposes of an electronic signature are to be able to correctly attribute a document to the signatory and ensure that the signed document has not been forged.
Variants in (legal transaction-related) communication
- Business to Business (B2B) – between businesses
- Customer to Customer (C2C) – between citizens
- Business to Customer (B2C) – between businesses and citizens
- Administration to Business (A2B) – between administrative agencies and businesses
- Administration to Citizen (A2C) – between administrative agencies and citizens
- Administration to Administration (A2A) – between one administrative agency and another
The signatory can only be a natural person, so even qualified electronic signatures can only be created by natural persons. Qualified electronic signatures are essentially the equivalent of handwritten signatures. For legal entities, the eIDAS Regulation (Regulation on electronic identification and trust services for electronic transactions in the internal market) provides for the use of electronic seals.
Certificates
Creating an electronic signature always requires a certificate.
A certificate is an electronic form of confirmation that links the identity data of a particular person (the signatory) with a public key.
In addition to the extra information they provide, certificates also differ in relation to different legal requirements, the security level that is guaranteed in the issuing process and the trustworthiness of the issuer (the provider of trust services).
Supervision of the providers of trust services is the responsibility of the Telecoms Control Commission, which uses the Austrian Regulatory Authority for Broadcasting and Telecommunications (Rundfunk und Telekom Regulierungs-GmbH, RTR) to exercise its responsibilities in accordance with the SVG.
To be able to fulfil their function, certificates have to include the following basic data:
- Name of the user
- An electronic signature from the provider of the certification service
- The user's public key
- The public keys are attached to the signature (certificates in the certificates database of the trust services provider can be viewed)
Simple certificat
According to Art. 3 clause 14 of the eIDAS Regulation, a certificate for electronic signatures is an electronic form of confirmation that links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person.
Qualified certificate
A qualified certificate has to meet certain requirements (Art. 28 in association with Appendix I of the eIDAS Regulation), including at least the following information:
- A statement that the certificate was issued as a qualified certificate for electronic signatures, at least in a form suitable for automatic processing
- A dataset that uniquely represents the qualified trust services provider issuing the qualified certificates and at least states the member state in which the provider operates and
- In the case of a legal entity: the name and, where applicable, the registration number according to their official registration
- In the case of a natural person (private individual): the name of the person
- At least the name of the person signing, or a pseudonym; if a pseudonym is used, it must be clearly identified as such
- Electronic signature validation data that matches the electronic signature creation data
- Details of the start and end of the certificate's period of validity
- The identity code of the certificate, which must be unique to the qualified trust services provider
- The advanced electronic signature or seal of the issuing qualified trust services provider
- The place where the certificate underlying the advanced electronic signature or seal in accordance with letter "" is available for viewing free of charge
- The place where services can be used to check the validity status of the qualified certificate
- If the electronic signature creation data that corresponds to the electronic signature validation data is located in a qualified electronic signature creation unit
Under Section 4 paragraph 1 of the E-Government Act, the Citizen Card is used in electronic official transactions to prove the unique identity of the initiator of the request and the authenticity of the request being submitted electronically.
- Authenticity is guaranteed by the qualified electronic signature held on the Citizen Card.
- A natural person can be uniquely identified through their Citizen Card by what is called identity linking. This is necessary because even the qualified certificate only gives the name of the person.
- Similar names, name changes and different ways of spelling names can cause some uncertainty with certificates.
- That is why, for identity linking, another unique identifying feature for the person (their sourcePIN) is combined with the certificate.
- The sourcePIN is derived from their number in the Central Register of Residents and must not be traceable for data protection reasons.
- Consequently, the Citizen Card consists of the relevant certificate linked to the card holder's sourcePIN.
Types of electronic signature
There are different types of electronic signature. Depending on the security level and certificate which were used and applied when the signature was created, signed documents have different legal effects.
Simple digital signature
Art. 3 clause 10 of the eIDAS Regulation defines the electronic signature as data in electronic form which is attached to other electronic data, or logically connected with it, and which a signatory uses as a signature.
The definition of an electronic signature is designed to be technology-neutral and is not confined to any one signature method. The security of electronic signatures is based on cryptographic processes which are used when the signature is generated.
Documents bearing a "simple" electronic signature must be accepted as evidence under Art. 25, paragraph 1 of the eIDAS Regulation and are therefore subject to judicial evaluation ("non-discrimination clause").
Qualified electronic signature
Art. 3 clause 12 of the eIDAS Regulation defines a qualified electronic signature as "an advanced electronic signature, created by a qualified electronic signature creation unit and based on a qualified certificate for electronic signatures".
An advanced signature is one which
- is assigned exclusively to the signatory
- enables the signatory to be identified
- is created using resources that the signatory can keep under their sole control
- is linked to the data to which it relates in such a way that any subsequent amendment of the data can be seen
In addition to having the legal effects of "simple" electronic signatures, according to Art. 25, paragraph 2 of the eIDAS Regulation in association with section 4 paragraph 1 sentence 1 of the SVG, qualified electronic signatures – with a few exceptions – meet the legal requirement for a handwritten signature. This applies in particular to the written form in the sense of Section 886 of the Austrian Civil Code (ABGB), unless otherwise specified by law or agreement between the parties. Qualified electronic signatures help all stakeholders to communicate amongst themselves and so replace handwritten signatures.
Exclusive electronic signatures for authorities and professional groups – official electronic signatures
Under Section 19 paragraph 2 of the E-Government Act, official electronic signatures make it easier to identify the origin of a document from an authority or particular professional group (notaries, solicitors, civil engineers).
It is possible to act on the basis of an organisational understanding, i.e. in the case of a local municipality, one official signature certificate is sufficient for all the municipality's activities – even if the municipality acts indirectly for the federal government or federal province. Nevertheless, the municipality may also use a separate official signature certificate (or figurative mark) for each individual activity.
Information about ordering an official electronic signature and the figurative mark for public administration bodies can be found here: Official electronic signatures.