A qualified electronic signature has long ceased to be a tool only for lawyers, accountants or civil servants. Now it is increasingly appearing in everyday situations – from tax reporting to applications to state bodies and signing documents remotely. At the same time, for many, the question remains open as to what legal consequences its use has and where the owner’s liability line is.
In order to understand the legal nature of a qualified electronic signature, its capabilities and risks, our editorial team turned to the lawyers of the Repeshko and Partners law firm for comments. The specialists explained the general approaches of the legislation to a qualified electronic signature, drew attention to the key aspects of its use and outlined what citizens should pay attention to during electronic document flow.
Digitalization is increasingly entering our lives, and now things that no one would have guessed existed fifteen years ago are commonplace. Currently, to use digital services or e-document management, you need to have an electronic signature. This not only makes communication with official institutions easier, but also life in general. Many ordinary Ukrainians consider obtaining an electronic signature to be a complicated and incomprehensible process. In fact, it is not so difficult. A qualified electronic signature (QES) – what was previously called an EDS (Electronic Digital Signature) – can be obtained absolutely free of charge. It is available online and offline.
An electronic digital signature (or abbreviated as EDS) is equated in legal status to a handwritten signature or seal. That is, every citizen can have an EDS/QES owner. It represents data in electronic form, obtained as a result of cryptographic transformation. They are added to other data or documents and ensure their integrity and identification of the author.
Using EDS services, you can sign electronic documents, use electronic services, register on government portals, etc. Documents signed using an electronic signature have the same legal force as regular ones. Under current legislation, an electronic signature has a clear definition. It refers to electronic data that is added to other electronic data or is logically linked to them and used by the signatory as a signature. That is, it is actually a digital analogue of a handwritten signature, which allows you to confirm who signed the document and that its content has not been changed after signing.
Separately, the law defines the concept of a qualified electronic signature. This is an advanced electronic signature that is created using a special qualified electronic signature tool and is based on a qualified electronic signature certificate. It is this type of signature that has the highest level of trust and full legal force, equivalent to a handwritten signature or seal. Thus, the legislation operates with two names for an electronic signature, which are important to distinguish, because they are not identical in their technical and legal content.
In addition, in the field of electronic signature, it is worth distinguishing two more concepts – the provider of electronic trust services and the provider of electronic identification services.
The provider of electronic trust services directly works with electronic signatures and seals. It is he who creates and verifies electronic signatures, issues certificates for them, and also ensures the recording of the time of signing. Such providers, in particular, include services that issue keys Diya.Pydpis or provide relevant services through banks, in particular PrivatBank. In fact, these are the entities that form and issue an electronic signature as a tool.
The provider of electronic identification services performs another function. It uses special schemes, such as the NBU BankID, to confirm that the user is really the person he claims to be. Such providers register users and help use EDS or CEP to identify a person and implement its capabilities in digital services. That is, it is not about creating a signature, but about confirming the person who uses this signature.
However, service users have certain rights and obligations enshrined in legislation.
Users of electronic identification services have the right to:
- receive electronic identification services;
- free choice of electronic identification means with an appropriate level of trust for receiving electronic services;
- sole control over the use of the digital identification wallet and their data;
- free use of the results of the received electronic identification services, taking into account the restrictions established by law and providers of electronic identification services;
- appeal in court the actions or inaction of providers of electronic identification services and bodies carrying out state regulation in the field of electronic identification;
- compensation for the damage caused to them and protection of their rights and legitimate interests.
It should be noted that users of electronic identification services are obliged to:
- ensure confidentiality and the impossibility of unauthorized access by other persons to the electronic identification means identification;
- immediately notify the provider of electronic identification services of the suspicion or fact of compromise of the electronic identification means;
- provide reliable information necessary to obtain electronic identification services;
- timely provide the provider of electronic identification services with information about changes in the identification data contained in the electronic identification means;
- do not use the electronic identification means in case of its compromise.
As we can see, monitoring a person so that someone else does not use his or her digital signature is entirely the responsibility of the owner of the digital signature. Therefore, it is extremely important to store the digital signature separately from other documents, with the condition that no one except you has access to it. Because we emphasize once again – a document sealed with digital signature is equal to one signed by hand.
We strongly recommend storing the EDS or CEP on a separate flash drive and connecting it to the computer only when the signature is really needed. This approach reduces the risk of unauthorized access and is consistent with the logic of the legislation, which places responsibility for the security of the electronic signature on its owner.
It is for this reason that the law defines the obligations of EDS or CEP users. In particular, they are obliged to ensure the confidentiality of the personal key and prevent access to it by other persons. If there is a suspicion or the fact of compromise of the personal key is established, the user must immediately notify the provider of electronic trust services.
In addition, the user is obliged to provide reliable information necessary to receive electronic trust services, as well as to timely pay for such services if it is provided for in the contract between the user and the provider of electronic trust services.
The user is also obliged to promptly inform the provider of electronic trust services about changes in the identification data contained in the public key certificate. In the event of a compromise of the personal key, as well as in the event of cancellation or blocking of the public key certificate, the use of such a key is prohibited.
Why is it important to have an EDS? With the help of this document, it is possible to submit a tax return or a claim to the court from any part of the world, remotely resolve issues in the Pension Fund, receive or order many extracts from state registers necessary in everyday life, and even send applications to official institutions as if you had submitted them in person.
How to obtain an EDS? This can be done both by personally contacting one of the accredited key certification centers (ACSC), the list of which is available on official resources, and online through many services. So, at PrivatBank, bank clients can obtain a KEP free of charge in their personal online account Privat 24 or by contacting a branch. This service is also provided, among other things, by Oschadbank and the Diya website.
It is worth knowing that the validity period of EDS certificates does not exceed two years. After the expiration of this period, in order to impose EDS on documents, it is necessary to re-obtain the services. The reason for this is the information protection requirements that are imposed on the means used to impose EDS.
Identification of a person who has applied for the service of forming a qualified public key certificate is carried out in one of the following ways:
1) in the personal presence of an individual, an individual entrepreneur – based on the results of checking information (data) about the person obtained in accordance with the procedure established by law from the Unified State Demographic Register, according to the passport of a citizen of Ukraine or other documents issued in accordance with the legislation on the Unified State Demographic Register and on documents certifying the identity, confirming citizenship of Ukraine or a special status of a person;
2) remotely (without the personal presence of the person), with the simultaneous use of an electronic identification means with a high or medium level of trust, previously issued to an individual, an individual entrepreneur or an authorized representative of a legal entity in personal presence, and multi-factor authentication;
3) by the identification data of the person contained in a qualified certificate of electronic signature or seal, previously formed (formed) and issued (issued) in accordance with paragraph 1 or 2 of this part, provided that such certificate is valid;
4) using other identification methods specified by law, the reliability of which is equivalent to personal presence and confirmed by the conformity assessment body.
We would like to emphasize separately that not only citizens of Ukraine have the right to obtain an EDS or CEP. The legislation provides for the possibility of obtaining an electronic signature by foreigners and stateless persons. In cases where such persons do not have documents issued in accordance with the legislation on the Unified State Demographic Register or documents certifying identity, confirming citizenship of Ukraine or special status, their identification is carried out on the basis of a duly legalized passport document of a foreigner or a document certifying a stateless person. These documents are used to confirm the identity when obtaining an electronic signature.
The law also establishes certain requirements during the verification of civil legal capacity. This applies, in particular, to cases of forming a qualified certificate of an electronic seal or website authentication, as well as to individuals – entrepreneurs for the purpose of forming the corresponding certificate. In such situations, a qualified electronic trust service provider is obliged to use information about an individual entrepreneur from the Unified State Register of Legal Entities, Individual Entrepreneurs and Public Organizations.
If it is a foreign legal entity, the verification is carried out on the basis of information from the trade, banking or court register of its country of residence. At the same time, the electronic trust service provider must make sure that the scope of civil legal capacity and legal capacity of the legal entity or individual entrepreneur is sufficient to form and issue a qualified public key certificate or to authenticate a website.
It is quite simple to verify the authenticity of an electronic signature. For this purpose, a state online verification is provided, which allows you to verify that the signature is valid and properly applied. Such a tool is especially useful in situations where there are doubts about the legitimacy of the received electronic document.
To use the verification, you need to go to the official website czo.gov.ua/verify, upload a file signed with an electronic signature, and click the “Verify” button. After that, the service will automatically analyze the document and provide information about whether the signature is valid, by whom and when it was applied.
In addition to the state service, electronic signature verification is also available in the “Diya” application and on the websites of qualified electronic trust service providers. This allows users to choose a convenient method of verification and additionally verify the legal validity of the electronic document.
We advise everyone to treat an electronic qualified signature as carefully as they would a handwritten signature or seal. Using a QES greatly simplifies access to government services and document flow, but at the same time places full responsibility on the user for its preservation and safe use. It is important to comply with legal requirements, update certificates in a timely manner, monitor the confidentiality of the private key and immediately respond in case of suspicion of its compromise. Conscious and responsible use of CEP allows you to avoid legal risks and take full advantage of the opportunities of the digital environment.
