Electronic Seal is a legal concept introduced in eIDAS Regulation to enable legal entities to sign documents electronically. The eIDAS Regulation defines an electronic seal as “data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity”. Basically, it is equivalent to a qualified electronic signature, with the difference that it does not refer to a natural person, but to a legal person. In other words, while from a signature we are able to identify with certainty a subject through his name, surname, tax code, etc., from a seal we can trace with certainty to a legal person through its name, VAT number or tax code, but we have no reference to the natural person who materially used the credentials to generate this seal and since the seal is not linked to the natural person, it can be used easily by many individuals belonging to the company organization, always with the appropriate permissions for use.
A qualified electronic seal shall enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked.
A seal is “generated” by a creator of the seal, possibly completed with related proofs or evidences and validated by the receiver of the sealed document or data and possibly preserved for a long term.
The way these features are used determines the level of strength, assurance and longevity of the qualified seals. In particular, TSPs, qualified or not, can be called for the qualified seal creation, validation and/or preservation.
Electronic seals are created by an electronic seal creation device, which is defined in the eIDAS Regulation as “a configured software or hardware used to create an electronic seal by means of an ‘electronic seal creation data’ that is “a unique data which is used by the creator of the seal to create an electronic seal”.
In these definitions, the “unique data” is to be seen as a personal element not easily reproducible that belongs to the creator of the seal, making it difficult to imitate and difficult to steal. The electronic seal creation data also to be protected, typically, it will be securely stored on a device (e.g. a smart card like a bank card) that can be activated by its owner only, e.g. by means of a PIN code, or biometry. Because the seal represents an organisation, it some cases there may be more than one physical persons authorised to create seals on behalf of the organisation; there may be more than one PIN codes or fingerprint registered to activate a seal creation data.
Electronic seals in general shall not be denied legal effect and admissibility as evidence in legal proceedings and is therefore adequate to perform probative functions, because as established in Article 35 of the regulation, it forms proof of the origin of the data, the IT document or the digital asset of the legal person to which the seal refers.
Within the electronic seal family, the eIDAS Regulation defines subsets of electronic seals that provide increasing legal predictability up to a level, the qualified electronic seal, that benefits from an automatic presumption of integrity of the data and of correctness of the origin (like any qualified service, it benefits from an automatic recognition).
Given that, according to the eIDAS regulation, there are two types of electronic seal:
- The advanced electronic seal (AdESeal) – which requires security features that ensure it is uniquely linked to the signatory, it is capable of identifying the signatory entity and it is linked to the data in such a manner that any subsequent change of the data is detectable.
- The qualified electronic seal (QESeal) – which is an advanced electronic seal which provides additional level of assurance on the identity of the creator of the seal and an enhanced protection and level of assurance on the seal creation. A special device is required for the creation of QESeal (a qualified seal creation device, QSealCD).
Qualified Electronic Seal
Qualified Electronic Seal was introduced into our legal system with the issue of the eIDAS Regulation – Regulation (EU) N ° 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the market.
A Qualified Electronic Seal can be issued in either a USB cryptostick or stored in cloud. Cloud-based electronic seal is stored in a special hardware security module that is included in the European Commission’s administrated list of qualified electronic signature and electronic seal creation devices.
With a cloud-based electronic seal there is no need to have a separate device as it is integrated into the information system and can be accessible in a centralised way. This means that all the organisation users with the access can use it comfortably, without sharing a certain device. Plus, with the cloud-based electronic seal you can seal documents in batches rather than each one separately.
Furthermore a Qualified Electronic Seal is based on a qualified certificate issued by a Qualified Trust Service Provider (QTSP) published in the EU Trust List. It enjoys the “the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked” (Section 5, article 35, eIDAS). In addition, a qualified e-seal is acknowledged and accepted equally within all EU member states regardless of which member state issued it.
Uses of the electronic seal
We can use a Qualified Electronic Seal to: certify the provenance of a document, certify the integrity of the data. It is not possible to use a Digital Seal in documents where a handwritten signature is typically required.
The use cases are therefore those in which you want to be sure of the authorship of a document (such as belonging to the company) and the fact that it has not been modified.
With the application of the Electronic Seals, use cases are also being developed for the protection of copyright and intellectual property. In this case probably more supportive jurisprudence will still be necessary.
The scenarios are therefore manifold, so it is plausible increase in the spread of the use of digital seals, which are a useful tool to support the reorganization and digitization processes currently underway in companies.