Seven EU tools to secure digital communications
With the eIDAS Regulation, the European Union has created a legal framework to enable digital business and administrative processes that are open to technology and standardized throughout the EU. These seven tools can secure electronic communications in Europe and build confidence in the digital world.
Speaking the same digital language
Qualified eIDAS trust services already play an important role in securing services today, for example in connection with the PSD2 payments directive, the ‘once only’ principle or the General Data Protection Regulation (GDPR). The eIDAS tools are the key to trusted and secure electronic legal transactions throughout Europe. They enable a so-called trust space in the digital world where people, software and machines can interact in a secure environment.
Just as the euro is a means of payment for Europe, eIDAS trust services could be used throughout the EU for all legal administration and business processes – and thus speak the same digital language. But how do the seven tools differ and what are they used for?
The Qualified Electronic Signature (QES)
A QES is based on a qualified certificate. The QES is linked to the electronic file in such a way that changes made to the signed document after it has been signed cannot go unnoticed. What’s more, the certificate shows who signed the document. A QES is generated by or on behalf of a natural person. It is often used for declarations of intent by natural persons. A QES is responsible for securing the application level.
The Qualified Seal (QSeal)
A QSeal is also based on a qualified certificate. A QSeal works in much the same way as a QES. The main difference is that a QSeal is assigned to a legal entity, such as a company, rather than to a natural person. The sealed electronic file is thereby given a matching proof of origin, but the seal does not constitute a declaration of intent. Like the QES, the QSeal is responsible for securing the application level.
Qualified Website Certificates (QWACs)
A QWAC is the digital identity card of a website or cloud application. QWACs are used to reliably identify website operators. This technology is based on SSL/TLS encryption and is used the world over. Unlike in the case of ‘pure’ SSL/TLS encryption where the browser or OS manufacturer determines the trustworthiness of the underlying certificates, the EU Trusted List determines the trustworthiness of these certificates. This is particularly important when it comes to establishing trusted, authenticated and encrypted communication relationships, for instance, between EU citizens and websites or between IT systems. QWACs can be used not only on the server side, but also on the client side, so that a server can also identify itself as a client to another server. A QWAC is responsible for securing the application level.
These services are geared to the QES and QSeal. They make it possible to independently verify the mathematical and legal validity of a QES or a QSeal. The verification result is issued as a special check report that lists the verification steps and their results. If technically supported, this check report can be embedded in the document so that the independent verification result can be traced over a long period of time.
The registered letter and delivery service
This service brings the posting of registered letters into the electronic world. Both the sender and the recipient are identified, and the message is protected against unnoticed manipulation by at least one advanced electronic signature. The date and time of dispatch and receipt or of a change to the message are protected by a qualified timestamp. A comparable service already became known through the De-Mail Act.
A qualified electronic timestamp works in much the same way as a QES. The timestamp records in a binding manner the time at which the electronic file was submitted. It therefore clearly shows when the electronic file existed and in what state. No qualified certificate is used here.
A QES or QSeal, once generated, remains permanently valid. Its verifiability, however, can become severely limited over the years, because technical development determines how trustworthy the underlying cryptographic algorithm remains. That’s why the qualified preservation service preserves the condition of the qualified signed and/or qualified sealed file.
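The following sketch is an added example, not part of the original article or of any eIDAS specification. It illustrates why preservation has to act before an algorithm ages out: proof of existence is re-covered with a stronger hash and a new timestamp, loosely modelled on timestamp renewal in evidence records (RFC 4998). All function names are hypothetical, and an HMAC with a constructed key stands in for the signature of a qualified timestamp authority.

```python
import hashlib, hmac, json

TSA_KEY = b"constructed-demo-key"  # assumption: stand-in for a qualified TSA's signing key

def _mac(body):
    data = json.dumps(body, sort_keys=True).encode()
    return hmac.new(TSA_KEY, data, hashlib.sha256).hexdigest()

def timestamp(digest_hex, alg, time):
    """Stand-in timestamp token binding (algorithm, digest, time) together."""
    body = {"alg": alg, "digest": digest_hex, "time": time}
    return {**body, "mac": _mac(body)}

def _covered_digest(document, earlier_tokens, alg):
    # Each link covers the document and every earlier token in the record.
    h = hashlib.new(alg, document)
    if earlier_tokens:
        h.update(json.dumps(earlier_tokens, sort_keys=True).encode())
    return h.hexdigest()

def preserve(document, alg, time):
    """Start a preservation record with a first timestamp over the document."""
    return [timestamp(_covered_digest(document, [], alg), alg, time)]

def renew(record, document, new_alg, time):
    """Re-cover document and existing tokens with a stronger hash and a new timestamp."""
    return record + [timestamp(_covered_digest(document, record, new_alg), new_alg, time)]

def verify(record, document, trusted_algs):
    """Return the earliest proven time, or None if the proof no longer holds."""
    for i, tok in enumerate(record):
        body = {k: tok[k] for k in ("alg", "digest", "time")}
        if not hmac.compare_digest(_mac(body), tok["mac"]):
            return None  # token itself was altered
        if _covered_digest(document, record[:i], tok["alg"]) != tok["digest"]:
            return None  # document or earlier tokens were altered
        if i and tok["time"] <= record[i - 1]["time"]:
            return None  # renewals must move forward in time
    # Only the newest link has to rest on an algorithm that is still trusted.
    if not record or record[-1]["alg"] not in trusted_algs:
        return None
    return record[0]["time"]

if __name__ == "__main__":
    doc = b"signed contract bytes (constructed sample)"
    rec = preserve(doc, "sha1", "2005-01-01T00:00:00Z")
    print(verify(rec, doc, {"sha256"}))  # sha1 no longer trusted
    rec = renew(rec, doc, "sha256", "2015-01-01T00:00:00Z")
    print(verify(rec, doc, {"sha256"}))  # original time is provable again
```

A real preservation service must perform the renewal while the older algorithm is still considered secure; the sketch checks only that the newest link uses a trusted algorithm.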