Today an electronic signature has the same legal standing as a written signature insofar as it meets certain criteria.
European directive no. 1999/93/CE of 13/12/99 pertaining to electronic signatures, which gives legal recognition to electronic signatures, now forms part of French law.
Since the passing of the law of 13 March 2000 electronic signatures are legally binding. This law has been the subject of several decrees and orders which give added precision to conditions of use, these are:
- the decree of the 30 March 2001
- the decree of 18 April 2002
- the order of 26 July 2004 (replacing the order of 31 March 2002 which was repealed)
- the law of 21 June 2004 concerning confidence in the digital economy.
1) Law no. 2000-230 of 13 March 2000 dealing with the modification of laws of proof to include IT and concerning signatures
The law which updates the Civil Code:
- defines, in general, a signature
- recognises the legal value of an electronic signature as being the equal of a written signature and lays down a presumption of reliability under the conditions set out in the Civil Code:
- to be able to identify the person from whom the electronic signature emanates by means of a reliable procedure
- to ensure that the electronic communication has been created and preserved in conditions that enable its integrity to be guaranteed
- a reliable procedure has been used the guarantee the link between the electronic signature and the document to which it attached.
The demonstration of the reliability of the electronic signature procedure is the responsibility of the signatory.
2) Decree no. 2001-272 of the 30 March 2001 concerning the application of article 1316-4 of the Civil Code and relating to electronic signatures.
This decree is a technical text; it distinguishes an electronic signature from a secure electronic signature:
- An electronic signature is one which meets the conditions set out in the Civil Code.
- A secure electronic signature is one which meets, over and above the conditions set out in the Civil Code, the requirements of the decree. A secure electronic signature is the one presumed reliable, which reverses the requirement for proof of reliability if there is a legal dispute and the matter is taken to court.
The decree defines these requirements and they have a bearing on:
- The materials and software used to create a secure electronic signature which will need to be certified by the authorities (security of materials used to create an electronic signature).
- The content and quality of the electronic certificates delivered by those that offer certification services (use of a recognised digital certificate.
This decree also lays down the conditions under which these suppliers can freely undertake their business. As soon as they meet all the requirements listed, these suppliers can ask to be recognised as eligible, which presumes compliance with all the requirements of the decree.
3) Decree no. 2002-535 of 18 April 2002 concerning the evaluation and certification of the security offered by IT systems and technology.
This decree institutes a voluntary procedure for the evaluation and certification of IT systems and products which includes those measures used for the creation of electronic signatures.
This procedure relies on:
- Evaluation centres, themselves qualified, which monitor and test and publish the results obtained in an evaluation report
- The DCSSI - Central Information Systems Security Division which draws up a certification report for the Prime Minister.
The certification is delivered by the Prime Minister.
4) Order of 26 July 2004 concerning the recognition of digital certification providers' qualifications and the accreditation of bodies who undertake their evaluation.
This order revises the 2002 decree and specifies the body in charge of the accreditation of organisations that evaluate those offering certification services, namely the COFRAC (French Accreditation Committee) as well as the standards to be adhered to. COFRAC offers a reasoned decision which is sent to the requesting body as well as to the DCSSI - Central Information Systems Security Division. The accreditation delivered cannot be for a period longer than 5 years.
This order also deals with the conditions under which a request for evaluation can be made by those offering certification services. When the accreditation body recognises the qualifications of a certification service provider, it will deliver a certificate describing the services that the provider can offer as well as the length of time that these can be offered for, this cannot exceed three years. A copy of this certificate is transmitted to the DCSSI - Central Information Systems Security Division.
For more information please go to the légifrance web site http://www.legifrance.gouv.fr