This Friday, new regulations will take effect in Europe that could have significant implications for organizations that do business on both sides of the Atlantic.
Called the eIDAS Regulations, they set forth rules for digital signatures and the way they are used. In essence, they create a new set of standards that enterprises will have to adhere to if they wish to use digital signatures in legal, financial and other highly regulated industries.
Enter the Cloud Signature Consortium
The new rules are supposed to address Europe's rigorous requirements for secure signatures. But while the intention is good, today's technical environment makes it difficult to create and securely manage digital identities, according to the Cloud Signature Consortium, a newly founded organization led by Adobe.
Adobe and other members of the consortium caution that "it’s necessary to develop solutions for mobile devices and the web, as is expected and demanded by today’s marketplace. Furthermore, we need to create and securely manage digital identities. Today’s standards don’t make it easy."
“The eIDAS regulations raise the bar to an entirely new level when it when it comes to compliance. This has been a focus for us [at Adobe] for a long time. And as we looked at that we started to think that eIDAS could possibly pave the way for the global adoption for digital signatures beyond what it is today,” Lisa Croft, senior product marketing manager at Adobe told CMSWire.
There are several things to note here, including the fact that eIDAS is pushing the compliance standards in Europe, which in turn will push them in the US. In addition, Croft is specifically talking about digital signatures.
The distinction between e-signatures and digital signatures is important, especially given that digital signatures in the cloud could, in fact, make e-signatures globally accessible.
“Some customers are using electronic and digital signatures interchangeable without understanding the different between the two,” she said.
“From a security perspective e-signatures are secure, but there is a problem and that problem is identity. That is the biggest thing that we are hearing from our customers. They need a way of making sure that they have a way to identify and authenticate who is signing the documents and potentially prove that identity at some point.”
Digital Signatures vs. E-Signatures
Digital signatures require the use of a digital ID issued by a trusted certificate provider, which often requires an in-person visit to the provider itself.
The digital ID is an encrypted string of characters stored on a secure device, such as a smart card or USB drive, which plugs into a computer loaded with special software.
The software is often difficult to use on a desktop or laptop and impossible to use on a tablet or phone without the proper ports for a card or USB.
“The problem at the moment is that they are desktop-based. They have been designed not to support mobile devices. Some of them are vendor specific which means that that vendor itself is the certificate authority itself. It is not interoperable, it is not ideal,” she said.
The eIDAS (electronic identification and trust services for electronic transactions) is an initiative that stems from the Europe Commission’s Digital Agenda, on which the European Union's strategy for developing digital commerce and business is built.
“With eIDAS, the EU has managed to lay down the right foundations and a predictable legal framework for people, companies (in particular SMEs) and public administrations to safely access to services and do transactions online and across border in just one click,” the European Commission explained in a statement. There are two specific elements:
- Interoperability: eIDAS encourages European countries to develop a common framework that will enable the exchange of digital documents across European borders
- Transparency: eIDAS provides a clear and accessible list of trusted services that may be used within the centralized signing framework
Adobe has taken the bull by the horns with the new consortium and plans to take it global.
“The consortium is initially focusing on the EU, but it will impact all countries as the need for secure digital signatures grows. The new standard specifications are planned for the end of 2016, with the first cloud-based implementations to follow shortly after,” Croft said.
As of this week there are twelve organizations, in addition to Adobe, involved in developing the standard in countries including France, Germany, Italy and Poland.
The consortium "has the ability to drive a global standard so we are providing an opportunity for other people to get involved,” she added. “It will be interoperable, not just about vendors and devices and countries. We want to make sure that this is possible, and also making sure that it is a great experience and that it is not making things more difficult."