30/07/20

Luxembourg law on e-signature and other trust e-services now fully consistent with the eIDAS Regulation

Bill No 7427 was adopted on 17 July 2020 and published on 28 July 2020 (click here). The new law modifies the Luxembourg Act of 14 August 2000 on electronic commerce (the e-Commerce Act) to bring it into line with Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (the eIDAS Regulation). 

Although not groundbreaking, the new law represents the last piece in Luxembourg's comprehensive and robust legal framework on trust services (including e-signatures) and e-archiving.

a. Why was a new law necessary? 

Twenty years ago, the provisions of Directive 1999/93/EC on electronic signatures (the e-Signature Directive) were incorporated into the e-Commerce Act.  

The fact that the EU provision were enshrined in a directive, which must be transposed into national law by the Member States, resulted in various discrepancies in e-signature rules across the EU, thereby discouraging companies from using electronic signatures.

To resolve this issue, the eIDAS Regulation on electronic identification and trust services (which include e-signatures, e-seals, e-time stamps, electronic registered delivery services and website authentication) was adopted on 23 July 2014. The eIDAS Regulation repealed the e-Signature Directive and entered into force on 1 July 2016. The e-Commerce Act, based in part on the repealed e-Signature Directive, was inconsistent with the eIDAS Regulation on some points but could not be amended until now.

The new law seeks to eliminate these inconsistencies while adding certain rules to complement the eIDAS Regulation.

b. What changes in terms of e-signatures? 

i) Clearer requirements for electronic signatures and their legal effect 

The eIDAS Regulation establishes three levels of electronic signatures, each with different requirements and legal effect:

  • Simple electronic signatures, e.g. a standard e-mail signature or a photo or scan of a handwritten signature attached to a PDF (SES).
  • Advanced electronic signatures (AES), an intermediate level of electronic signature which may or may not use a certificate (see below). There are many mechanisms and devices qualifying as AES. Most cloud-based electronic signature platforms offer this type of e-signature. 
  • Qualified electronic signatures, e.g. a LuxTrust token or smartcard (QES). 

The new law repeals or dusts off outdated provisions of the e-Commerce Act and formally incorporates the eIDAS Regulation definitions of e-signatures and other trust services. 

The relevant non-discrimination principle, which applies to all electronic signatures within the EU, can be found in Article 25 of the eIDAS Regulation. Pursuant to this provision, an EU court cannot deny the legal effect and admissibility as evidence of a document simply because it was signed with an e-signature. 

The amendments introduced by the new law also confirm the requirements which electronically signed private documents (notarial deeds being outside the scope of the law) must meet in order to have the same evidentiary value as those signed by hand. These requirements can be found in Article 1322-1 and 1322-2 of the Luxembourg Civil Code. SES do not meet these requirements, meaning private documents signed with an SES will constitute prima facie evidence (commencement de preuve par écrit), which must often be supported by other evidence (e.g. testimony or presumptions). AES and QES do however meet these requirements. The difference between AES and QES is that if, in the context of litigation, the counterparty disputes the electronic signature's validity: 

  • the party relying on an AES bears the burden of proving that the requirements are met; but 
  • pursuant to Article 25(2) of the eIDAS Regulation, the party relying on a QES need only prove that a QES was used, with the burden of proving that the requirements are not met shifting to the party disputing the e-signature's validity.    

It is especially important for an electronically signed private document, whether it be unilateral such as an NDA or PoA or bilateral such as terms and conditions or a commercial contract, to have the same evidentiary value as one signed by hand where one of the signatories is not a commercial party or when the value of the agreement exceeds EUR 2,500. This will be less important in the context of B2B relations or when the value of the agreement is below EUR 2,500, in which case prima facie evidence can suffice.

ii) Possibility to make e-signing mandatory 

The new law removes the provision of the e-Commerce Act according to which "no one can be forced to sign electronically". The reason for this change is that the provision contradicted Luxembourg laws that required certain documents to be signed electronically (e.g. filings with the Luxembourg Trade and Companies Register as well as communications in public procurement procedures). Organisations will no longer have to arrange for a fallback procedure to sign documents in hard copy, although consumer law could impose certain restrictions on this freedom. This change should encourage companies to design fully dematerialised procedures, such as digital on-boarding processes.

c. What will change in terms of trust services? 

i) Changes regarding the supervision of trust services providers

Companies that provide trust services are either non-qualified trust service providers (TSP) or qualified trust service providers (QTSP) under the eIDAS Regulation. Only QTSP may offer qualified trust services (such as QES or qualified electronic time stamps), the most secure form of trust services. 

In Luxembourg, there are currently two qualified trust services providers, LuxTrust SA and BE INVEST International SA. However, organisations are free to use other EU-based QTSPs that offer the same level of protection, based on the eIDAS Regulation's mutual recognition principles. 

Trust service providers are supervised in Luxembourg by the Institut luxembourgeois de la normalisation, de l'accréditation, de la sécurité et qualité des produits et services or ILNAS, a public authority overseen by the Ministry of the Economy. The new law introduces detailed provisions on the role and powers of the ILNAS. 

The authority's role is substantially different for QTSP and TSP. The former are subject to ex ante and ex post checks to ensure they meet the requirements of the eIDAS Regulation, the e-Commerce Act and its implementing regulations while the latter are only subject to ex post controls. Regarding the authority's powers, the new law allows the ILNAS to impose administrative penalties including a fine of up to EUR 15,000 on trust service providers (e.g. for refusal to cooperate with the ILNAS). 

ii) Changes affecting trust service providers and their users (i.e. certificate holders)

The new law introduces provisions applicable to trust service providers and certificate holders. A certificate is comparable to a digital ID card linked to the trust service. All QES and certain AES devices (smart card, token, etc.) are based on a certificate containing information to allow identification of the signatory. Certificate holders are subject to certain obligations under the e-Commerce Act such as a duty to notify the trust service provider when the information contained in the certificate (e.g. age or date of birth) changes. These obligations are slightly modified by the new law to reflect the provisions of the eIDAS Regulation. 

The new law clarifies the obligations of trust service providers . It states that the applicable liability rules, previously found in the e-Commerce Act, are now those set out in the eIDAS Regulation, including Article 13 which provides that trust service providers are liable for damage caused intentionally or negligently to any natural or legal person (such as certificate holders and other trust service users) due to a failure to comply with the eIDAS Regulation, with negligence or intent being presumed for QTSP.  

iii) Inclusion of trust services in the scope of the e-Commerce Act

The new law extends the scope of the e-Commerce Act to all trust services defined in the eIDAS Regulation in order to bring Luxembourg law into line with the latter. 

Trust services at the EU level do not currently include electronic archiving, even though this is key to ensuring that electronically signed documents maintain their evidentiary value over time. On 25 July 2015, the Luxembourg legislature adopted the Electronic Archiving Act which, together with its implementing grand ducal regulation, allows organisations to store electronically signed documents and digitise hard copies in a way that maintains their evidentiary value. 

The Commission's evaluation report on the eIDAS Regulation, which was expected by 1 July 2020, should shed some light on whether the regulation will be amended to introduce provisions on electronic archiving and whether such archiving will be considered a trust service. If this approach is taken, the Luxembourg Electronic Archiving Act could well be used as a model, due to the fact that it is largely based on internationally recognised standards and other best practices.

d. What should you take away from this reform? 

The Covid-19 crisis has brought trust services and especially electronic signatures into the spotlight as social distancing and teleworking have made signing documents more complicated. The new law does not significantly change the existing rules (apart from those applicable to trust service providers) which were either directly applicable by virtue of the eIDAS Regulation or already contained in the e-Commerce Act or the Luxembourg Civil Code. The reform is however useful as it makes it easier for organisations to understand the applicable rules when embarking on a digitisation process involving a trust service (e-signature, e-time stamp or other) and effectively removes the obligation to provide a fallback "wet ink" signature option when implementing e-signing procedures. 

dotted_texture