28 Oct Compliance with eIDAS, SEPBLAC, and Other Laws in Remote Document Signing Software: Non-Qualified Trust Provider
Introduction
For remote document signing software to operate as a non-qualified trust provider in the European Union, it is essential to comply with strict regulations, including eIDAS, SEPBLAC, and other specific laws concerning security, privacy, and data retention. This article outlines the phases and processes necessary to ensure compliance with these regulations in a document signing system, especially for accredited professionals who require security in their digital signing processes.
Phase 1: Onboarding – Professional Verification and Identity Theft Prevention
The first step is unattended user onboarding through the portal. To achieve this, the software must include automated processes that meet eIDAS and SEPBLAC security and identity verification standards. Key points include:
- Identification Requirements: The user must meet certain verifiable professional requirements, such as a professional membership card and verification of their active registration with the relevant professional body. The eIDAS regulation requires measures to prevent identity theft, while SEPBLAC mandates controls to prevent fraud in digital transactions.
- Automated, Unattended Validation: This onboarding process should be robust and automated, eliminating the need for human intervention. Once the user provides their professional ID, the system must automatically verify the document’s validity and confirm their professional association, so that identity theft attempts are detected and rejected.
- Data Protection: Compliance with the General Data Protection Regulation (GDPR) at this stage is critical to ensuring user privacy, guaranteeing that information used for validation is utilized only for this purpose and not unnecessarily stored.
Phase 2: Credential Provision and Secure Access Authentication
Once onboarding is complete, the next step is providing credentials and authentication to ensure secure access. To meet eIDAS security requirements, the software must offer at least a “substantial level” of access security through reinforced authentication:
- Credential Provision: Credential creation and provision should be done securely, ideally through centrally managed credentials following encryption protocols.
- Substantial Level Authentication: Under eIDAS, authentication must robustly verify user identity, generally through multifactor authentication (MFA). This may involve using a password along with a one-time passcode (OTP) or a second trusted device-based authentication factor, meeting the required “substantial” level of authentication.
- SEPBLAC Security Review: If the software is used in SEPBLAC-regulated sectors, such as finance, it must follow the required controls and reporting measures to prevent money laundering by implementing user identification and traceability techniques.
Phase 3: Long-Term Storage of Signing Actions
Once users start signing documents, the system must securely store each transaction for the legally mandated period:
- Activity Logs: Each signature should be logged with details such as the date, signer identity, and signed documents. These records must comply with eIDAS, which requires that digital signatures be tied to the signer’s identity data, so that any subsequent alteration invalidates the signature.
- Secure Storage and Anti-Tampering Measures: eIDAS mandates that signature data storage must be protected against unauthorized modification or deletion. Advanced encryption and digital signatures on each signing transaction are recommended to ensure record immutability.
- Evidence Retention for SEPBLAC Audits: If regulated by SEPBLAC, the software must allow access to audit logs, evidencing the traceability of each signature, if necessary for external audits or legal proceedings.
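As an added illustration of the tamper-evident signing log described in this phase (example code, not from the original article): each signing event records the date, signer identity and document hash, is chained to the previous record, and is authenticated so that edits, deletions or reordering are detected during an audit. A keyed HMAC with a constructed key stands in for the per-transaction digital signature; in production the key would be held in an HSM and a real signature would be used.

```python
import hashlib
import hmac
import json

# Constructed demo key. In production use a signing key held in an HSM and
# a real digital signature per record instead of an HMAC.
LOG_KEY = b"constructed-demo-key-do-not-use"
GENESIS_TAG = "0" * 64


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so every verifier authenticates the same bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_event(log: list, timestamp: str, signer_id: str, document: bytes) -> dict:
    """Append one signing event, chained to the tag of the previous record."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    body = {
        "seq": len(log),
        "timestamp": timestamp,
        "signer_id": signer_id,
        "document_sha256": hashlib.sha256(document).hexdigest(),
        "prev_tag": prev_tag,
    }
    tag = hmac.new(LOG_KEY, canonical(body), hashlib.sha256).hexdigest()
    record = dict(body, tag=tag)
    log.append(record)
    return record


def verify_log(log: list) -> bool:
    """Return True only if no record was altered, removed or reordered."""
    expected_prev = GENESIS_TAG
    for seq, record in enumerate(log):
        body = {k: v for k, v in record.items() if k != "tag"}
        if body["seq"] != seq or body["prev_tag"] != expected_prev:
            return False  # gap or reordering in the chain
        tag = hmac.new(LOG_KEY, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, record["tag"]):
            return False  # record contents were modified
        expected_prev = record["tag"]
    return True


def demo() -> tuple:
    """Constructed events: an intact log, an edited signer, and a deleted record."""
    log = []
    append_event(log, "2024-10-28T09:00:00Z", "lawyer-12345", b"contract v1")
    append_event(log, "2024-10-28T09:05:00Z", "lawyer-12345", b"contract v2")
    edited = [dict(r) for r in log]
    edited[0]["signer_id"] = "someone-else"
    deleted = log[1:]  # first signing event silently removed
    return verify_log(log), verify_log(edited), verify_log(deleted)
```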
Phase 4: Data Deletion After Mandatory Retention Period
Finally, user data and completed transactions must be deleted following the mandatory retention period:
- Data Retention and Deletion Policy: GDPR and national regulations require a clear data retention policy to ensure that data is deleted once the necessary period has passed. This is crucial for user privacy and meeting GDPR’s data minimization requirements.
- Secure Deletion Procedures: eIDAS and GDPR mandate secure data deletion at the end of the retention period, including methods that prevent unauthorized data recovery.
- Transparency and User Notification: Under GDPR, users must be informed of their data’s deletion and, if possible, offered a copy before the final deletion.
Conclusion
Operating as a non-qualified trust provider in the EU requires meticulous attention to compliance with eIDAS, SEPBLAC, and GDPR. From onboarding to data deletion, each phase of the user’s lifecycle and signature transactions must meet the required regulatory and security standards. With a system that integrates these requirements in an automated and secure way, digital signature providers can guarantee a reliable and regulatory-compliant user experience.