Electronic signing allows you to sign document files in a paper-free manner: you don’t need to print a document to sign it because it’s signed using a digital ID, such as an ID-card. Did you know, however, that all signatures given electronically are not digital signatures and their legal validity does not correspond to the handwritten signature?
In Estonia, the term “digital signature” (i.e. digi-signature, digital signing, etc.) refers only to a signature that is legally valid and legally equivalent to a handwritten signature. This means that the identity of the user and the background of the issuer of the certificate have been verified and that the time of issue of the signature is precisely fixed. To put it plainly, it has been identified who signed it and it is ensured that no third party has changed the document to be signed since it was signed.
However, the term “electronic signature” (or “e-signature”) is broader and covers several signature levels, including digital signatures.
It is worth knowing that although only the highest level of electronic signatures, or digital signatures, are used in Estonia, there are also ways of electronic signing that do not have the same meaning as a handwritten signature in the eyes of the law. The validity of the signature given to the electronic document and its level can be seen most conveniently on a computer via the DigiDoc4 Client software or on a mobile via the RIA DigiDoc application.
In July 2016, a directly applicable implementing provision of the European Union came into effect, which brought into force the eIDAS Regulation. As a result, there are four levels of e-signatures:
- Level 1 – QES (Qualified Electronic Signature)
The highest level of e-signatures, which is equal to handwritten signatures and is also called a digital signature in Estonia. The signature meets the technological requirements established in standards. The backgrounds of both the owner of the signature and the issuer of the certificate are checked. Additionally, the signature is given with a means that is deemed suitable (ID-cards, digital IDs, mobile-IDs and qualified Smart-ID accounts in Estonia. Read more about digital documents).
- Level 2 – AdES/QC – Advanced
An e-signature with a qualified certificate. The signature meets the technological requirements established in standards. The backgrounds of both the owner of the signature and the issuer of the certificate are checked.
- Level 3 – AdES (Advanced Electronic Signature) – The signature meets the technological requirements established in standards, but the background of the holder of the certificate used to give the signature as well as the background of the issuer of the certificate may be unknown.
- Level 4 – Other electronic signatures – all other electronic signatures that do not meet valid standards.
- Level 1 – QES (Qualified Electronic Signature)
The easiest way to check the validity and use limits of an electronic signature is with the help of the DigiDoc4 Client. In order to ensure better differentiation, it uses a three-colour system in addition to an explanatory text:
- green means that everything is OK
- yellow means that the user must be careful and decide on the suitability of a specific signature themselves
- red means that the signature cannot be regarded as valid in the given situation
Signature validity marking:
- Signature is valid – marked with green This digital signature is equal to a hand-written signature.
- Signature is valid (with restrictions) – marked with green and yellow. This is used if the signature level is AdES/QC, i.e. it is not a signature equal to a hand-written signature, but it may still be suitable for use in a specific situation. More information can be obtained from the signature details.
- Signature is valid (with warnings) – marked with green and yellow. The warning is usually displayed if the signature is valid, but the container has a specific characteristic. Usually containers acquire such characteristics by accident in the creation process. The warning is displayed because containers cannot be changed without the signature becoming invalid. More information can be obtained from the signature details.
- Signature is unknown – marked with red. This means that the program was not able to check the signature’s validity at the moment. More information can be obtained from the signature details.
- Signature is invalid – marked with red. This means that the digital signature has been declared invalid.
You can read more about this topic from the RIA blog.
We recommend using only officially recognised solutions for digitally signing documents, such as DigiDoc4 for computers or the RIA DigiDoc mobile application. These are national solutions that always meet the highest security and compliance standards and are free to use.
As an alternative, legally valid signatures can also be given via the Dokobit portal and its applications. Dokobit enables you to give digital signatures online (with ID-cards, digital IDs, mobile-IDs and Smart-IDs) and on computers without ID-software.
Electronic signatures in other programs:
It is worth knowing that several programs – such as Microsoft Word, OpenOffice and Thunderbird – offer an electronic signing functionality. Unfortunately, these do not use a time-stamping service upon signing and therefore these signatures are not legally binding.
Paragraph 25 (3) of the Electronic Identification and Trust Services for Electronic Transactions Act states: “determination of the time when the signature is given, and link the digital signature to data in such a manner as to preclude the possibility of changing the signed data or the meaning thereof undetectably after the signature is given”.
Time-stamps and the validity confirmation service are efficient ways to do this. Adding the time of signature alone is not sufficient because it can be forged (e.g. by changing the computer’s time/date). This is why it is necessary to use an external service provider.
Digital signing has become the norm in Estonia. Thanks to this, we have a number of national e-services and the opportunity to vote electronically in elections, declare taxes without going to a Tax Board office, register companies online, make almost all bank operations, access various national registers, etc.
All Estonian public institutions are obligated to accept digitally signed documents and most private sector companies prefer to conduct business via electronic means.
Estonian citizens can choose a suitable method for digital signing themselves. Nowadays, there are four common ways to do so:
- An ID-card, which is a mandatory identity document for all Estonian citizens. The PINs required for electronic signing are issued to you in a security envelope with the card. In order to use your ID-card, you also need a card reader and ID-software.
- A digital ID card: Estonian citizens can use their digital IDs in parallel with ID-cards while foreigners are issued e-resident’s digital IDs.
- A mobile-ID is a SIM card-based solution for electronic authentication and digital signing with a mobile phone. Mobile-ID SIM cards are issued by mobile network operators.
- A Smart-ID is a SIM-independent device-based solution for smartphones.
In 2000, the Digital Signature Act (DAS) entered into force in Estonia. However, digital signing has been possible in Estonia since 2002, when the respective software was published. The DAS became invalid on 26 October 2016 with the adoption of the Electronic Identification and Trust Services for Electronic Transactions Act.
The following news story published in 2002 by SK ID Solutions (the former Certification Centre) on the publication of DigiDoc software might be of interest: Digital signing client program published by Certification Centre.
- Signature formats for electronically signed documents: .bdoc and .asice
- Which digital documents are used in Estonia?
- The issue of digital signatures in Estonia is governed by the Electronic Identification and Trust Services for Electronic Transactions Act.