Our electronic signature audit under the EIDAS and LSEC regulations. Phase 1.


As auditors and electronic signature implementation advisors, we want to discuss in this article the phases we are undertaking in our latest successful case. Our client has software that generates documents for employees and customers to sign remotely and without an operator present, which requires compliance with EIDAS and LSEC regarding electronic signatures. The signature is captured through various methods, including biometric signature tablets, signatures drawn on a touch screen, and unique codes held only by the signatory. Our role is to accompany them throughout the process of developing the technical and legal measures required to offer this service as an unqualified trust service provider for electronic signatures. In this article, we explain Phase 1, which encompasses, among other things, gathering requirements and use cases, along with risk analysis, evaluation, and treatment.

Phase 1. Unqualified Trust Service Provider for Electronic Signatures.

Trust services are regulated under Regulation (EU) No 910/2014 of the European Parliament and the Council of July 23, 2024, concerning electronic identification and trust services for electronic transactions in the internal market. In Spain, it is complemented by Law 6/2020 of November 11, which regulates certain aspects of electronic trust services (LSEC).

It is important to understand that EIDAS does not define what a trust service is but rather enumerates the types of services, such as:

• Creation, verification, and validation of electronic signatures, electronic seals, and certificates related to these services.
• Creation, verification, and validation of certificates for website authentication.
• Preservation of electronic signatures, seals, or certificates related to these services.

In this successful case, our work in Phase 1 includes:

1. Gathering requirements and defining use cases, including processes like:
   a. Employee onboarding process
   b. Data provisioning for authentication process
   c. Authentication process
   d. Document creation for signature process
   e. Document signing and submission process (1 signer, …)
   f. Signature process
   g. Subsequent access process
   h. Employee offboarding process
   i. …and others.

2. Analysis of the applicable legal regulations and norms.
3. Nature and classification of the type of signature.
4. Evaluation of the trust, strengths, and weaknesses of the signatures generated by the solution.
5. Action plan.
6. Data protection (privacy by design and by default).

Once Phase 1 of this 6-phase collaboration is completed, the following will be fully defined: the scope or coverage of the software, the fundamental requirements, the use cases in UML notation describing the key processes, the legal framework, the key technical requirements to implement, and the action plan the company will follow to develop this EIDAS-based electronic document signature solution.

Conclusion

If you need to implement electronic document signatures in your software, you must comply with EIDAS and LSEC. Contact us for comprehensive technical and legal advice, with a pragmatic, 360-degree perspective drawn from other audits in which we lead the way nationally in electronic document signing, such as private electronic medical prescriptions.

eidas@luisvilanova.es
911277300