The misconceptions preventing wider adoption of digital signatures

In this Help Net Security interview, Thorsten Hau, CEO at fidentity, discusses the legal validity of qualified digital signatures, demonstrating their equivalence to handwritten signatures when backed by robust identity verification.

Opting for certified providers that adhere to standards like eIDAS or ZertES ensures forgery-proof security. The balance between certification and user experience is crucial to achieving seamless onboarding.

In your opinion, what misconceptions about digital signatures prevent wider adoption, and how can these be effectively addressed?

Many providers offer convenient digital signature solutions, allowing users to sign documents with just a few clicks. But these signatures are neither secure nor legally valid, and people have learned from their legal councils that they need to use paper for relevant signatures. Qualified electronic signatures based on solid identity verification and strict security standards are legally equivalent to handwritten signatures and can be used for any kind of contract. To drive adoption, we are promoting that once you have gone through the onboarding and identification process, electronic signing is much faster than any paper-based process.

How would you assess the current level of security provided by digital signature platforms, and how can they effectively tackle the issue of signature forging and fraud?

The variety of providers is huge, and the quality of signatures is completely opaque to non-experts. A digital signature without the identification of the signer is useless. To give signature forgery and fraud no chance at all, only certified providers should be used. I’m not talking about ISO certification for hosting but about providers who can prove certification for eIDAS or ZertES by an accredited certification authority such as KPMG and who work with established trust service providers.

Since industries like government, healthcare, and banking are heavily regulated, how have these sectors responded to the legality concerns surrounding digital signatures? What steps have they taken to integrate digital signatures into their operations?

Organizations and companies can be categorized into three levels of maturity:

• Denial: These organizations choose to ignore development and stick to outdated and costly paper processes.
• Bleeding: These organizations acknowledge the need for digitalization but often struggle through a challenging learning curve. They invest heavily in bespoke solutions that are expensive to conceptualize, install, and maintain. Unfortunately, these solutions are not scalable and cannot be applied to different processes.
• Trusting: These organizations place their trust in competent and certified providers who understand their unique requirements, possess the technical expertise and knowledge of regulatory requirements to offer identity-based signing, which enables them to eliminate paper-based processes.

What advice would you give to organizations in highly regulated industries that are hesitant to adopt digital signatures due to legality concerns?

In my opinion, two aspects are crucial. On the one hand, organizations should rely on a service provider that is certified according to eIDAS or ZertES standards. On the other hand, user experience should never be underestimated as it plays a crucial role in the onboarding process. Providing an intuitive and seamless user experience not only enhances acceptance but also boosts the conversion rate, empowering organizations to achieve their goals more effectively.

What are the major compliance challenges that organizations face when implementing e-signatures, and how can they prepare for these challenges to avoid fines or sanctions?

When it comes to digital signatures, organizations should not be easily swayed by providers who simply boast extensive PDF handling capabilities. While PDF management is important, the real essence of digital signing lies in the accurate identification of the signer and the subsequent secure authorization of individual signatures. It’s crucial to have a seamless integration between the identification process and the signing itself, ideally facilitated by a single provider from end-to-end (e2e). By ensuring a comprehensive solution that covers the complete signing journey, organizations can guarantee a robust and secure digital signature process.

Considering the upfront costs of implementing a digital signature system, can you share any data or examples highlighting the long-term ROI organizations have experienced after adopting this technology?

There’s a common misconception that digital signatures require huge upfront costs. However, by choosing the right provider, you can achieve a remarkable 10x reduction in expenses compared to traditional paper-based processes. This leads to a significant ROI, which can be even achieved during the ramp-up period.

Can you provide insights into how the eSignature Directive in Europe has impacted the legal recognition and usage of electronic signatures across member states?

The importance of the eSignature Directive cannot be overstated. It has brought legal clarity and even influenced anti-money laundering (AML) regulations in numerous states. Consequently, we now have a situation where the standard of identity assurance is equivalent for AML and digital signatures. This has streamlined the implementation of digital signatures for banks and other financial service providers since they can kill two birds with one stone: They identify the new client once and put a qualified signature on the contract. This way they comply with AML regulation and have a contract in place that does not place any limitations on services that can be provided.