A qualified electronic signature is the same in the digital world as a handwritten signature is in the analog world. By law, the qualified electronic signature (QES) is the highest-value form of digital signature. It differs from the simple electronic signature (SES) and the advanced electronic signature (AES).

The basis for all forms of electronic signature is the eIDAS Regulation of the European Parliament and the Council of the European Union. eIDAS is the English abbreviation for electronic IDentification, Authentication and Trust Services. The name stands for REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, which was in force until then.

Legal security through eIDAS Regulation
As an instrument of legal harmonization, the eIDAS Regulation simplifies electronic signatures and promotes the expansion of digital solutions on a pan-European level. QES is defined in Article 3 (12) as “an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures”.
The eIDAS Regulation provides the legal security that has motivated investment in transformation processes in many places. Article 25, Paragraph 2 of the eIDAS Regulation stipulates that the qualified electronic signature has the same legal effect as a handwritten signature.

Trust Center
Qualified electronic signatures are always based on a qualified certificate. This can only be issued by a secure signature creation device. A state-recognized Trust Service Provider, a so-called Trust Center such as D-Trust (Germany) or A-Trust (Austria), provides the personal certificates. Swisscom is a special case in this context because it is bound by the Swiss signature law ZerEs and not by the eIDAS regulation. But here, too, personal certificates are used. They fulfill the essential requirement for a qualified electronic signature, namely that the signer can be identified beyond doubt and that the content of the document in question remains unchanged. Recognized Trust Service Providers can be identified by the fact that they comply with the catalog of requirements formulated in the eIDAS Regulation.
Qualified, and thus state-certified, Trust Centers are, for example, A-Trust (Austria), D-Trust (Germany) or Swisscom (Switzerland). They ensure the maximum evidential value of a QES. They generate legally secure qualified signatures by issuing electronic certificates. In Article 24, Paragraph 1, the eIDAS Regulation specifies: “When issuing a qualified certificate for a trust service, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom the qualified certificate is issued.”

The key tasks of a Trust Center are:
– Issuing qualified certificates for electronic signatures
– Electronic time stamping
– Validation of electronic signatures
– Archiving of electronic signatures

The eIDAS regulation differentiates between qualified and non-qualified Trust Service Providers. Orientation is provided here for companies and private individuals by the so-called “Trust List”. This list contains all providers and services that have qualified status in the relevant EU countries. Anyone not on this list is excluded from qualified trust services. Registration and certificate creation are free of charge; at the main Austrian Trust Center A-Trust, for example, the mobile signature app is also free for users.
Companies that use electronic signatures of any signature quality in their processes, for example with MOXIS, pay for qualified electronic signatures via the number of MOXIS licenses purchased (link to pricing model). The electronic signature folder from XiTrust supports every form of electronic signature. Thanks to its depth of integration, MOXIS users can remain on the familiar interface of their preferred office system (e.g. SAP) and generate signatures of any quality. MOXIS then runs “in the background”.

Which digital signature quality for which document?
The necessary signature quality always depends on the individual case. As a rule of thumb, not all digitally signed documents must necessarily have a qualified electronic signature, i.e. with the same legal effect as a handwritten signature. In many cases, a simple electronic signature or an advanced electronic signature is sufficient.

1. Simple electronic signature for
Delivery offers (suppliers)
Purchase orders and goods orders (purchasing)
Internal company documents
Internal approval processes (“routing slips”)
Announcements
Documents that use a simple electronic signature are not subject to any legal formal requirements and have only a low liability risk.

2. Advanced electronic signature for
Purchase and rental agreements
Account openings
Simple forms of employment contracts
Like simple electronic signatures, documents that are to be provided with an advanced electronic signature are not subject to any legal formal requirements and have a calculable liability risk.

3. Qualified electronic signatures for
Temporary employment contracts
Employment contracts
Consumer loan agreements
Various official documents
Documents that require a qualified electronic signature are subject to a legal formal requirement and are characterized by a comparatively high liability risk. The legislator stipulates the qualified electronic signature in Section 492 (1) of the German Civil Code (BGB) for consumer loan agreements. Section 12 of the AÜG prescribes the qualified electronic signature for employee leasing contracts.

Written form requirement
The legislator in Germany formulates the mandatory use of the qualified electronic signature in Section 126 of the German Civil Code as a “written form requirement”. Whenever this is given, a digitally signed document only achieves its validity through the QES. But beware: although signatures may not be rejected by a court of law under the eIDAS Regulation because they are executed digitally, there are individual cases in which electronic signatures are not permitted. The most important example of this is notarial certification, but also the termination of employment contracts!

Requirements for qualified electronic signatures
The QES is the only electronic signature that requires a digital identity. Users must identify themselves once, especially with video-based identification procedures (Video-Ident-Procedure), the digital passport is issued by various service providers and platforms. The online identification process requires a valid ID document, a computer and a cell phone. The identification process on the screen takes about ten minutes. One of the most important platforms for the online-based issuance of cell phone signatures is xIDENTITY.eu, a service provided by XiTrust.
Alternatively, individuals can have their digital identity issued in person through the service of a public identification office. In contrast to the video ID process, this solution is more time-consuming and cost-intensive because fees are charged for official identification. Companies usually use their own registration officers: these are specially trained personnel who are authorized to register digital identities within the company.

Double encryption
Digital identities are usually issued for five years before they are renewed by repeated confirmation of the personal data. Further, companies and government agencies issue digital identities in a face-to-face, in-person process. Authorized to do so are Registration Officers who have acquired a personal authorization to issue digital identities. In most cases, individual company employees have taken on this task.
A qualified electronic signature is created by means of two-factor authentication. This is based on the exchange of a public key and a non-public key: The public key is accessible to everyone. It enables the signature to be verified. In contrast, the use of a private key can only be authorized by the signatory. The key pair ensures data integrity and authenticity.

Conclusion
QES are not necessary for all documents; they are required by law only in the individual cases described above. Nevertheless, QES put an end to any form of legal uncertainty right away, because they are the digital equivalent of handwritten signatures. QES also save time, because there is no longer any need to check the individual case. In the end, QES stands for an “all-round carefree” package.