The electronic signature in French law
The recognition of electronic signature in France is established byArticle 1367 of the Civil Code which states:
Article 1367
Amended by Ordinance No.2016-131 of February 10, 2016 – Art. 4
The necessary signature to the perfection of a legal act identifies its author. It expresses its consent to the obligations arising from this act. When it is affixed by a public officer, it confers authenticity on the act.
When it is electronic, it consists of the use of a reliable identification process to ensure its connection with the act to which it attaches itself. The reliability of this process is presumed, until proven otherwise, when the electronic signature is created, the identity of the insured signatory and the integrity of the guaranteed act, under conditions set by decree in the Council of State.
The civil code therefore gives us the minimum so that a digital process can be recognized as an electronic signature: the use of a reliable identification process guaranteeing its link with the act to which it attachesitself.
The reliability of this process is therefore presumed until proven otherwise when the conditions set by the Council of State are met, here they are:
Article 1 of Decree No. 2017-1416 of September 28, 2017 relating to electronic signature
The reliability of an electronic signature process is presumed, until proven otherwise, when it implements a qualified electronic signature.
A qualified electronic signature is an advanced electronic signature, in accordance with Article 26 of the aforementioned regulation and created using a qualified electronic signature creation device that meets the requirements of Article 29 of that regulation, based on a qualified electronic signature certificate that meets the requirements of section 28 of this regulation.
Let us sum up what is said in French law:
An electronic signature is the use of a reliable identification process to ensure its connection to the act to which it attaches itself. A qualified electronic signature as defined by eIDAS is deemed reliable until proven otherwise.
Qualified signature therefore has an advantage related to its main disadvantage: it reverses the burden of proof, it is up to the person challenging the act of proving that consent, or the act, is not in compliance. But the flip side of this indisputability is the cumbersome procedure for issuing, handing over and using the qualified certificate, which disqualifies qualified electronic signature in many exchanges where speed and flexibility are sought.
But what interests us here is the unqualified digital signature which can now be used in French law in all cases where qualified electronic signature is not required. That is, in the vast majority of cases.
The eIDAS regulation: definition of electronic signature at European level
Now that we have seen the difference between the two types of signatures in French law, the question arises of their use with third parties located in the European Union.
The eIDAS regulation distinguishes four types of electronic signatures:
The simple electronic signature (defined in Article 3, point 10 of the eIDAS regulation):
This signature includes data in electronic form, which is logically attached or associated with other data in electronic form and which the signatory uses to sign.
Advanced electronic signature (defined in Article 26 of the eIDAS Regulation):
This signature must:
– Be bound to the signatory in a unequivocal manner;
– To identify the signatory:
– Have been created using electronic signature creation data that the signatory can use under its exclusive control with a high level of trust;
– Be linked to the data associated with it so that any subsequent changes in the data are detectable.
Advanced electronic signature based on a qualified certificate (defined in Articles 26 and 28 of the eIDAS Regulation):
This signature must be based on a qualified electronic signature certificate that complies with the requirements contained in Appendix I of the eIDAS Regulation. The processes for verifying the identity of the applicant, issuing and managing the lifecycle of a qualified electronic signature certificate meet important security requirements, which ensure that the certificate is not properly issued only to the legitimate signatory.
Qualified electronic signature (defined in Article 3, item 12 of the eIDAS regulation):
Qualified electronic signature must be based on a qualified electronic signature certificate, implemented through a Qualified Electronic Signature (QSCD) creation device. Such a scheme guarantees, with a high level of confidence, that the signature can only be carried out by the legitimate signatory. This device is the subject of a certification decision by a national authority.
The eIDAS regulation defines confidence levels in electronic signatures more finely than in French law, but it leaves to the assessment of each member state the level required according to the documents to be signed, except for the rare cases where the Qualified electronic signature is required.
The eIDAS regulation will therefore serve as a reference to qualify an electronic signature and the most serious signature platforms such as Docage Signature offers a signature that corresponds to the criteria of advanced electronic signature.
Example of advanced electronic signature with Docage Signature
| Advanced Signature Criterion | Signature Docage |
|---|---|
| Be bound to the signatory in a unequivocal manner | Issued by a European trusted provider a certificate on behalf of the signatory |
| Identifying the signatory | Using dual-factor email/sms identification |
| Have been created using electronic signature creation data that the signatory can use under its exclusive control with a high level of trust | The certificate is issued only when the signatory enters the SMS code that he can only view on his phone for which he has exclusive use |
| Be linked to the data associated with it so that any subsequent changes in the data are detectable | The unalterability of the document, consent and link between them is guaranteed by a certificate issued by a European trusted provider |
| Method of identification | safety | easiness | Cost |
|---|---|---|---|
| Invitation to sign by email without code | 1/5 | 5/5 | 1/5 |
| Invitation to sign by email – Single-use code received by email | 2/5 | 5/5 | 1/5 |
| Invitation to sign by email – Single-use code received by SMS | 3/5 | 4/5 | 2/5 |
| Handwritten signature on a touch screen | 0/5 | 2/5 | 1/5 |
| Scanning an ID | 3/5 | 3/5 | 1/5 |
| Scanning ID – ID Verification System | 4/5 | 3/5 | 3/5 |
| Voice print | 2/5 | 3/5 | 1/5 |
| Using a qualified certificate | 5/5 | 2/5 | 5/5 |
Comparison of identification methods for electronic signature
If the eIDAS regulation defines the conditions of advanced electronic signature, the method of identification of the signatory is appreciable by each provider and each user, so everyone can choose his method and can strengthen it as he sees fit in the technical limitations offered by the signature platform.
Here are the possible ways to identify an electronic signature as it stands:
| Method of identification | safety | easiness | Cost |
|---|---|---|---|
| Invitation to sign by email without code | 1/5 | 5/5 | 1/5 |
| Invitation to sign by email – Single-use code received by email | 2/5 | 5/5 | 1/5 |
| Invitation to sign by email – Single-use code received by SMS | 3/5 | 4/5 | 2/5 |
| Handwritten signature on a touch screen | 0/5 | 2/5 | 1/5 |
| Scanning an ID | 3/5 | 3/5 | 1/5 |
| Scanning ID – ID Verification System | 4/5 | 3/5 | 3/5 |
| Voice print | 2/5 | 3/5 | 1/5 |
| Using a qualified certificate | 5/5 | 2/5 | 5/5 |
To better guide you here are the pros and cons of each identification method that can be used by electronic signature:
Invitation to sign by email without code:
-
- Benefits:
– You can sign with a single device on which you have access to your inbox. - Disadvantages:
– You can inadvertently sign because a simple click of a button is all it takes.
– Mono-identification system
- Benefits:
Invitation to sign by email – single-use code received by email:
-
- Benefits:
– You can sign with a single device on which you have access to your inbox. - Disadvantages:
– You can inadvertently sign because a simple click of a button is all it takes.
– Mono-identification system
- Benefits:
Invitation to sign by email – single-use code received by SMS:
-
- Benefits:
– You can sign on the move.
– Dual authentication system - Disadvantages:
– A third party with access to the signatory’s phone can sign in its place
– The signatory must use a phone whose line is in his name or in the name of his company
- Benefits:
Handwritten signature on a touch screen:
-
- Benefits:
– Action similar to a handwritten signature - Disadvantages:
– The signature generated is digital and of poor quality, so it can easily be reproduced and challenged by the signatory.
- Benefits:
Scanning an ID:
-
- Benefits:
– Simple action to take with a smartphone - Disadvantages:
– Need to have identification at the time of signing.
– Access to the signatory’s ID or a previously scanned copy allows you to sign in its place.
- Benefits:
Scanning ID – ID verification system:
-
- Benefits:
– Simple action to take with a smartphone - Disadvantages:
– Asks for more time because the system goes through a third-party auditor
– The correspondence between the photo on the ID and the photo of the signatory is not always recognized especially when the ID is several years old
- Benefits:
Using a qualified certificate:
-
- Benefits:
– Only identity verification presumed reliable by law - Disadvantages:
– Requires a qualified device delivered by a qualified trusted provider
– Requires the use of a computer to use the device
– Few signatories have them, even among professionals
- Benefits:
As you can see, any method has its pros and cons, but the methods are cumulative to eliminate some disadvantages and gain reliability.
It should be noted that all the systems cited have a legal value (more or less strong you will understand) as long as they are backed by certificates issued by a trusted provider such as and a record of evidence tracing the course of the transaction as The fact Signature docage.
It is up to the user to choose the method most appropriate for his use case.
To learn more about the state of the art when it comes to remote identification, you can read this full article published by the Bank of France.