The digitization of business processes requires a trustworthy electronic equivalent of handwritten signatures to execute contracts and agreements. With individuals and organizations adopting paperless workflows, adoption of digital signatures has exploded in recent years.
However, the legality and acceptance of different digital signature standards vary widely across regions. This comprehensive guide examines the validity of PKI-based digital signature laws and regulations across major global markets.
United States
Overview
In the United States, digital signatures enjoy full legal validity and enforceability at federal and state levels.
The Electronic Signatures in Global and National Commerce (ESIGN) Act, enacted by Congress in 2000, officially grants electronic contracts and digital signatures the same legal status as traditional paper documents and handwritten signatures. This law provides the basic framework for legally valid electronic signatures in the US.
In addition, nearly all states have enacted legislation recognizing the legality of digital signatures for business and government transactions within their jurisdiction. Any PKI-based digital signature method can be legally valid in the US as long as it meets specific authentication and security criteria outlined in ESIGN.
Digital Signature Standards
The most common standard used for digital signatures in the US is:
Adobe Approved Trust List (AATL): AATL provides industry guidelines and technical specifications for digital certificate issuance and signatures. Most Certificate Authorities conform to AATL rules so that their certificates work seamlessly with Adobe products and desktop signing workflows.
Signatures applied using AATL compliant certificates and Adobe products like Acrobat are considered secure and legally enforceable under ESIGN at both state and federal levels.
All SSL.com digital signing certificates are compliant with the Adobe trust framework out of the box. Contracts, agreements and other documents signed using our certificates are trusted by Adobe software and gain legal validity under US law. SSL.com’s cloud signing service eSigner also natively integrates with Adobe Sign.
It’s important to note that while SSL.com certificates are AATL compliant and are fully compliant with ESIGN criteria, SSL.com’s cloud signing service eSigner can be utilized with any document signing certificate from any other trusted certificate authority that adhere to other recognized standards such as the European eIDAS standard. This ensures that organizations can use a broad spectrum of digital signature solutions with the assurance of legal validity.
Europe
Overview
The legality of electronic signatures and digital contracts is unified across the European Union under eIDAS – Electronic Identification, Authentication and Trust Services.
The eIDAS regulation, adopted by the EU parliament in 2014, defines standards for electronic identification methods, trust services, and electronic transactions which all member states must adopt. It guarantees the cross-border legal validity of certain types of secure digital signatures across the single market.
Digital Signature Standards
eIDAS defines specific PKI standards for Advanced and Qualified digital signatures. Here are the signature types recognized under EU law:
Advanced Electronic Signatures (AES): AES refers to all digital signatures which meet technical requirements around signer authentication and document integrity. They provide assurance the signature belongs to the person signing and that the document has not changed since signing.
Qualified Electronic Signatures (QES): QES refers to advanced digital signatures which are created using a Qualified Signature Certificate issued by an accredited and audited trust service provider. Due to the high level of security and identity verification required, QES enjoy full legal equivalence with handwritten signatures under EU law.
QES comes in three standard formats recognized across the EU to facilitate cross-border multi-party digital transactions:
PAdES: QES for PDF documents
XAdES: QES for XML documents
CAdES: an enhanced CMS standard for advanced signing
So, any digital signature applied in compliance with these specifications using a qualified signing certificate has identical validity to a wet signature within the EU.
We work closely with European partners to ensure cloud signing is seamless across the EU. While our certificates are designed to be compatible with the PAdES standard for digital signatures in Europe, we are not currently audited for eIDAS compliance. However, the eSigner cloud signing service can be used with document signing certificates from any other certificate authority including those that conform to European digital signature standards.
United Kingdom
Post Brexit, electronic signature regulations in the UK have diverged slightly from the EU while still maintaining high standards of security and enforceability.
Advanced (AES) and qualified digital signatures (QES) meeting eIDAS technical specifications continue to remain valid in the UK even if the signing keys used reside in the EU.
Asia Pacific Region
In Asia Pacific, the legality of digital signatures varies widely across different countries. Here is an overview of requirements in key APAC markets:
China
China has independently developed encryption algorithms and PKI standards that are distinct from the rest of the world. These include:
SM2 encryption algorithm
GM/T 0013 – standards for electronic signatures using SM2 public/private key crypto.
In China, digital signatures applied using Certification Authority certificates with SM2 algorithm are legally valid and enforceable under the country’s electronic signature law. Foreign visitors may need to obtain COMPATIBLE CA certificates for legal validity.
India
India enacted one of the first nation-wide laws governing digital signatures way back in 2000 with the Information Technology Act, 2000. This granting legal validity to digital signatures using licensed Indian CAs.
An update to the law in 2008 additionally recognized electronic signatures meeting certain technical criteria as legally valid. Only digital signatures issued by a Controller of Certifying Authority licensed by India’s IT Ministry have full legal standing in the country, however.
Japan
Japan was also an early pioneer in digital signature law. Article 3 of Japan’s Electronic Signatures Act passed in 2001 grants Advanced Electronic Signatures generated using public key cryptography the same legal validity as handwritten signatures.
So digital signatures applied using licensed Japanese issuing CAs that meet security specifications around signer authentication are considered fully legally binding in the country.
Singapore
According to Singapore’s Electronic Transactions Act of 2010, digital signatures have identical legal standing to wet ink signatures as long as they are generated using certificates issued by licensed Certificate Authorities.
The country has designated standards across different verticals spelling out the technical requirements digital signatures must meet to gain legal validity in that sector or transaction type. These sector-specific frameworks operate in alignment with the overarching Electronic Transactions act.
Latin America
Many Latin American countries have enacted electronic transactions laws granting digital signatures identical validity to manual signatures:
Mexico
Mexico updated the Mexican Commerce Code in 2003 expressly permitting both individuals and corporations to use electronic signatures and digital certificates to digitally sign all types of commercial agreements, contracts, and transactions.
Advanced or reliable digital signatures – under Article 89 of the Commerce Code – have full legal equivalence with ink signatures if certain technical and security checks are met including:
Uniqueness to the signer
Capacity to be independently verified
Detection of subsequent changes
Peru
Legislated standards for digital certifications and electronic signatures were established in Peru back in 2000. Supreme Decree N° 019-2002-JUS sets outs technical criteria digital signatures generated using licensed Peruvian CAs must meet to gain full legal validity.
The law requires signatures to use public/private key cryptography standard X.509 version 3 and hash function SHA-1. Qualified digital signatures capable of demonstrating signer identity, authenticity, and integrity enjoy identical validity to manual signatures.
Colombia
In Colombia, Law 527 enacted in 1999 explicitly states that both individuals and legal entities can execute binding legal agreements through the use of digital signatures, guaranteeing identical validity to manuscript signatures.
The Colombian government has also established a National System of Electronic Certification to regulate issuing authorities allowed to generate digital IDs and certificates used for legally valid digital signatures in the country.
Argentina
Argentina’s Law 25,506 on digital signature was enacted in 2001. It establishes a legal framework governing licensed Certification Authorities allowed to issue certificates for digital signing in the country.
Digital or electronic signatures applied using such regulated certificates and meeting stipulated technical standards enjoy full legal equivalence with paper contracts signed under traditional signature laws.
Conclusion
There is a clear global trend towards recognizing electronic signatures as legally valid across both developed and developing nations.
While specifics vary across countries, PKI standards like digital certificates, public/private key cryptography, hash functions, trusted identity verification, and tamper evidence provide the technical backbone to gain legal validity in most jurisdictions.
By selecting the right document signing certificate from trusted CAs, such as SSL.com and implementing the right method to apply digital signatures using that certificate, such as cloud signing services like eSigner, organizations can securely adopt paperless workflows worldwide and apply digital signatures with the same legality as wet signatures at scale.