Reading time:
Date of publication:
Digital signature is a special type of electronic signature that offers advanced authorization thanks to adhering to the PKI (Public Key Infrastructure) technology—verifying the signer’s identity, and issuing digital certificates by certified trust parties.
Table of contents
1. How do digital signatures actually work?
2. Digital certificates, document integrity, and Certificate Authorities
3. Timestamps for additional security
4. Digital signatures: legal history and regulations
5. Digital signature: AES
6. Digital signature: QES
7. Autenti as a qualified Trust Service Provider
8. Frequently asked questions
Although the simplified name of “digital signatures” may suggest an action as simple as signing a document on paper—digital signatures go beyond that concept to ensure that the signer’s identity is properly verified and that the document will not be tampered with, no matter the point in its digital journey.
Two e-signature types fall within the digital signature category, and it’s AES (Advanced Electronic Signature) and QES (Qualified Electronic Signature).
In this article, we’ll:
Although understanding digital signatures may seem difficult given they operate on highly technical terms, when explained simply, the whole concept can be easy to grasp.
In short, digital signatures work based on mathematical algorithms, the PKI (Public Key Infrastructure) technology, digital certificates, and Certificate Authorities.
Public Key Infrastructure technology
First, digitally signing a document prompts the digital signature provider to issue a private key associated directly with the person signing the document and the document that’s being signed.
Then, to ensure proper security, the private key is used to encrypt the hash data—a generated string of numbers associated with the document.
Now, the private key can only be accessed by the person signing the document. So to verify whether the signature has not been tampered with after signing, verifiers use a second set of keys issued in accordance with PKI—the public keys.
The public keys decrypt the digitally signed document, basically checking whether the unique strings of numbers (hash codes) of the document match. If they don’t, the signature on the document is deemed invalid.
Because the PKI technology generates unique codes for each signature that can be safely verified, we can even parallel them with fingerprints—unique for each signer.
For comparison, the most simple electronic signatures, such as checking an “I agree” box or the signature you have in the footer of your email, do not offer those advanced verification methods.
But that doesn’t mean that all of the simple electronic signature solutions, like SES (Simple Electronic Signatures) are not secure. On the contrary, SES signatures are legally binding and secure, while being the most universal of e-signatures—allowing you to sign 90% of documents in business transactions.
The connected to the PKI technology part of digital signatures are digital certificates.
Digital certificate is an electronic document, an actual file that holds the public key generated via the Public Key Infrastructure (PKI) technology, which is then used to verify the signer’s identity.
Digital certificates are not issued by themselves, though. This is where Certificate Authorities come into play.
Certificate Authorities are the trusted entities or organizations that issue digital certificates and safely store them. They verify the identity of the person signing the document, and bind that verified identity to the document itself using the keys we talked about earlier.
Binding the identity to the digital certificate ensures unbreakable document integrity and security from any spoofing or tampering during its digital journey.
An additional, although not mandatory part of a digital signature is also a date and time timestamp—specifically qualified electronic timestamps.
It is recommended to additionally time stamp an electronic signature to further ensure no tampering has taken place.
That’s because an electronic timestamp works like a digital seal that confirms a document existed at a specific time and hasn’t been altered since. It can be applied to any type of electronic data, whether it’s a file or a document.
A qualified electronic timestamp links the document to the exact time it was created based on the hash number generated earlier with the PKI technology, but it doesn’t necessarily have access to the content of the signed document or the identity of the signer.
Any changes to the document or the recorded time will be easily detected thanks to the marked time, which is known as integrity protection.
Qualified electronic timestamps are defined by regulations, and come with a strong presumption that the date and time are accurate and that the document’s integrity has been preserved. These timestamps are universally recognized across all EU Member States, making them reliable and interoperable.
Knowing how digital signatures work, we can get into the background of their legal history, focusing on the regulations in the European Union.
Both types of digital signatures, AES and QES were officially recognized by the European Union in 2014 with the eIDAS regulation being passed across the Member States.
eIDAS stands for electronic iDentification, Authentication, and Trust Services and this is the regulation that set out the standards for secure electronic and digital document signing.
The most recent addition to the eIDAS regulation was eIDAS 2.0, which officially entered into legal force in May 2024.
A quick summary for eIDAS 2.0 is that it brings significant updates, including new requirements for non-qualified trust service providers, which ultimately boosts their recognition and credibility. What’s more, to address growing cyber threats, it also enforces stricter security standards and certification processes, with trust service providers now needing to meet NIS2 Directive requirements.
For an in-depth take on eIDAS 2.0, read this article.
But electronic and digital signatures are not only regulated in the European Union. Equivalent to eIDAS, we have the E-Sign Act in the United States, the ZertES federal law in Switzerland, or the Electronic Transactions Act in Australia.
Advanced Electronic Signatures are a great example of digital signatures since they validate the signer’s identity in a bit more advanced way than Simple Electronic Signatures (SES) do.
With AES, you can be sure that the signer will prove their identity by verifying their ID document online.
To give you an example: let’s say you own a company that works on a remote-first basis, therefore, you sign the contracts of employment or contracts of co-operation with your contractors completely remotely.
Sure, you could mail the documentation to each employee, wait for them to sign the papers, and send them back or scan their signature. But, a way faster and much more secure option would be to go for AES signing instead.
Choosing Autenti, you get one platform to easily collect AES signatures from your employees while being 100% sure that their identities have been verified.
In that case, each new employee would receive an email prompting them to sign the documentation. But prior to signing, they’d have to confirm their identity using their ID. Once the verification has been done, the signer receives an SMS confirmation code and can complete the signing process.
Common use cases for using AES signatures
Common user cases for using AES signatures include:
But let’s say your remotely-signed contracts of employment are a bit more challenging, for example, involve transferring of intellectual property rights.
In that case, AES signatures will not be sufficient, and a need for using Qualified Electronic Signatures emerges.
As laid out by eIDAS, QES signatures are equivalent to actual handwritten signatures, making them utmost secure.
Qualified Electronic Signatures is where digital certificates come in full force, ensuring proper document integrity.
Now, given you use Autenti’s QES service, you get access to over 170 QES signature providers across the European Union, choosing the one that fits with your localization or preference.
As for the process itself, to create a digital signature like QES, it requires additional identity verification carried out by a trusted third-party. This verification may include confirming your identity via electronic banking or completing a video verification process remotely.
Common use cases for using QES signatures
Common use cases for using QES signatures include:
If you’re unsure of which electronic signature type you should choose, you can always compare them here.
To be absolutely sure that digital signatures are carried out in a secure manner and adhere to the set by the government's regulations, regular persons and entities don’t just complete the signatures on their own. They use Trust Service Providers (TSP).
As regulated, Trust Service Providers must implement technical and organizational measures to manage risks and ensure the security of their services, preventing and minimizing the impact of security incidents.
Providers are required to notify supervisory authorities within 24 hours of significant breaches or integrity losses, inform affected individuals where necessary, and cooperate in cross-border incidents.
Moreover, supervisory bodies must report annual summaries of breaches to ENISA, and the European Commission may establish specific measures and procedures through implementing acts.
Autenti is entered in the register of Trust Service Providers, guaranteeing security and legal recognition. Besides this, the security is granted by full compliance with the eIDAS regulations, compliance with GDPR, proper archiving of the electronically signed documents, or PDF standard compliance.
The Autenti platform is focused on an easy-to-use experience to truly make electronic and digital signatures effortless.
Philippe Enjalbal, the Vice President of Credit Agricole says this about their partnership with Autenti:
"The process of opening an account in our bank fully remotely is a response to our customers’ needs and the next step in the development of our electronic banking services [...]. These new solutions are welcomed by customers, who eagerly use them."
What is a digital signature?
A digital signature is a special type of electronic signature that provides a heightened level of authorization with additional cryptographic techniques used to safe-guard the signed document from tampering. Digital signatures are based on the PKI technology with mathematical algorithms, hash codes, private and public keys, as well as digital certificates acting as a true fingerprint to each signed document.
How is identity verification conducted for AES signatures?
Identity verification for AES signatures is conducted entirely online by verifying the signer’s ID documentation. Once the ID document has been verified, the signer receives an SMS code to complete the signing process.
How is identity verification conducted for QES signatures?
Identity verification for QES signatures is conducted in various ways, depending on the Qualified Electronic Signature provider. It can be as simple as logging in to your bank account electronically or a bit more difficult, requiring a face-to-face video session with a Certificate Authority.
How are AES and QES signatures different from SES signatures?
AES and QES signatures differ from SES signatures mainly in terms of the process they require to sign documents. For example, SES signatures verify the identity of the signer via a simple verification code sent by email, while AES verifies the signer’s ID documentation online, and QES may even require a video session to confirm the signer’s identity.
How do I verify the validity of a digital signature on a document?
The safest way to verify the validity of a digital signature on a document is to use a dedicated tool for it, like Autenti’s validator. Autenti Validator ensures your document is completely authentic and hasn’t been tampered with. Plus, you can download a Validation Attestation—a detailed report of the verification—perfect for use as evidence in legal matters.
Read more
Read more
Read more
