What is an electronic signature?
The Electronic Signatures Regulations 2002 defines an electronic signature as:
data in electronic form which are attached to or logically associated with other electronic data and which serve as a method of authentication.
Electronic signatures come in many forms ranging from a typed-in name to a fingerprint or a retina scan.
How does an electronic signature differ from a digital signature?
A digital signature is a form of electronic signature. It is a better quality electronic signature which is based on cryptographic techniques, most commonly those associated with Public Key Infrastructure (PKI).
What is PKI?
PKI is an infrastructure which may be put in place by business organisations to enable them to maintain security in electronic communications and to establish the authenticity of digitally signed messages.
Within the PKI framework is the concept of digital signatures. Digital signatures are based on encryption, the most widely advocated of which is asymmetric cryptography. There are two keys involved in the use of asymmetric cryptography:
- private key: which is to be kept private by the individual or organisation to which it is issued; and
- public key: which is known to the public at large.
The keys are essentially a pair of very large numbers, generated from very large prime numbers, which are used to allow messages to be encrypted and decrypted.
When you send a message using PKI it is first put through a hashing algorithm. The output of this algorithm (commonly known as the document's "fingerprint") is a compressed form of the message. That fingerprint is encrypted using your private key; the result is the digital signature, and the message is said to be digitally "signed". The message and its signature are then sent to the recipient, who uses your public key to verify:
- message integrity: that the message is the same as the original and has not been tampered with; and
- authentication: that the message was signed using your private key.
Corresponding private and public keys are generally issued by independent bodies known as certification service providers (CSPs).
Private keys are stored on a "token" such as a smart card or floppy disc. Public keys are stored on digital certificates called "qualified certificates". Both keys are issued to the subscriber following satisfactory completion of the identification checks and a copy of the public key is posted to a repository for public access.
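The hash-then-sign process, the integrity and authentication checks, and the role of a CSP in binding a public key to a named subscriber, shown as an added worked example (not code from the original article or from any CSP or product). It uses textbook RSA with fixed, publicly known Mersenne primes so it runs offline with only the Python standard library; the primes, the subscriber name, the message and the certificate format are all constructed for illustration, and the scheme is far too small and unpadded to be secure.

```python
"""Toy hash-then-sign digital signature with a CSP-issued certificate.

Added illustration only: textbook RSA on fixed Mersenne primes so it runs
offline without third-party libraries. NOT secure (small modulus, no
padding); not the code of any real CSP or signature product.
"""
import hashlib
import json

# Constructed toy parameters: Mersenne primes 2^61-1 and 2^89-1 (both prime).
P = 2**61 - 1
Q = 2**89 - 1
E = 65537


def generate_keypair(p=P, q=Q, e=E):
    """Return (public_key, private_key) as (n, e) and (n, d) tuples."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # modular inverse of e (Python 3.8+)
    return (n, e), (n, d)


def fingerprint(message: bytes, n: int) -> int:
    """SHA-256 the message and reduce into the modulus: the 'fingerprint'."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(message: bytes, private_key) -> int:
    """The fingerprint, 'encrypted' with the private key, is the signature."""
    n, d = private_key
    return pow(fingerprint(message, n), d, n)


def verify(message: bytes, signature: int, public_key) -> bool:
    """Integrity and authentication in one check: recover the fingerprint
    with the public key and compare it to a fresh hash of the message."""
    n, e = public_key
    return pow(signature, e, n) == fingerprint(message, n)


def issue_certificate(subject: str, subject_public_key, csp_private_key) -> dict:
    """Toy 'qualified certificate': the CSP binds a name to a public key
    and signs that binding with its own private key (constructed format)."""
    body = {"subject": subject, "public_key": list(subject_public_key)}
    to_be_signed = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "csp_signature": sign(to_be_signed, csp_private_key)}


def verify_certificate(cert: dict, csp_public_key) -> bool:
    to_be_signed = json.dumps(cert["body"], sort_keys=True).encode()
    return verify(to_be_signed, cert["csp_signature"], csp_public_key)


def relying_party_check(message: bytes, signature: int, cert: dict, csp_public_key) -> bool:
    """A relying party trusts the subscriber's key only because the CSP
    vouches for it, then checks the message signature under that key."""
    if not verify_certificate(cert, csp_public_key):
        return False
    return verify(message, signature, tuple(cert["body"]["public_key"]))


def demo() -> dict:
    # CSP uses its own (larger) toy modulus: Mersenne primes 2^107-1, 2^127-1.
    csp_pub, csp_priv = generate_keypair(2**107 - 1, 2**127 - 1)
    alice_pub, alice_priv = generate_keypair()
    mallory_pub, mallory_priv = generate_keypair(2**107 - 1, 2**89 - 1)

    cert = issue_certificate("Alice Example (constructed)", alice_pub, csp_priv)
    message = b"I agree to pay 100 GBP on delivery."  # constructed sample
    signature = sign(message, alice_priv)

    # Attacker rewrites the certificate body to carry their own key; the
    # CSP's signature over the body no longer verifies.
    forged_cert = {"body": dict(cert["body"], public_key=list(mallory_pub)),
                   "csp_signature": cert["csp_signature"]}

    return {
        "genuine": relying_party_check(message, signature, cert, csp_pub),
        # any subsequent change of the data is detectable
        "tampered_message": relying_party_check(
            b"I agree to pay 1000 GBP on delivery.", signature, cert, csp_pub),
        # signed with someone else's private key: fails authentication
        "wrong_private_key": relying_party_check(
            message, sign(message, mallory_priv), cert, csp_pub),
        "forged_certificate": relying_party_check(message, signature, forged_cert, csp_pub),
        # whoever holds the private key produces an indistinguishable signature:
        # verification shows which key signed, not who used it
        "signed_with_copied_key": relying_party_check(
            message, sign(message, alice_priv), cert, csp_pub),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:24s} -> {'accepted' if ok else 'rejected'}")
```

The last case is the point the article makes later about compromised keys: the relying party's checks pass for any holder of the private key, so the cryptography establishes which key signed, while the CSP's identification checks and the subscriber's sole control of the token are what tie that key to a person.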
How have digital signatures and PKI been implemented into law?
Electronic Signatures Directive
The EU Electronic Signatures Directive came into force on 19 January 2000.
It was supposed to be implemented by Member States (including the UK) by 19 July 2001. However, the last of the implementing laws in the UK (the Electronic Signatures Regulations 2002) only came into force last month.
The Directive introduces the terms:
- "advanced electronic signature" to cover signatures that are created using the cryptographic process; and
- "qualified certificates" being the certificates issued by CSPs to back the signature.
The Directive sets out:
- uniform standards for CSPs that issue the qualified certificates; and
- uniform requirements for the devices used to create advanced electronic signatures. These devices are known as "secure signature creation devices".
The Directive also addresses the issue of the legal status of electronic signatures. It states that an advanced electronic signature which is backed by a qualified certificate AND created by a secure signature creation device SATISFIES the legal requirement for electronic signatures and will be admissible in evidence.
Electronic Communications Act
The Electronic Communications Act 2000 received royal assent on 25 May 2000.
The Act states that the approval of CSPs is to be a voluntary scheme. There is currently an approvals scheme known as the T-Scheme which is a private, industry led initiative (www.tscheme.org).
The government considers that if the T-Scheme is successful, it will not commence Part 1 of the Act (which imposes an obligation on the Secretary of State to ensure that an approvals scheme is put in place). The government therefore appears to favour a de minimis approach, allowing industry initiatives to take precedence in dictating what the approvals system should look like.
The Act also gives ministers the power to modify laws which currently require documents to be in "writing" to allow them to be created, signed and stored electronically.
Electronic Signatures Regulations
The remaining provisions of the EU Directive were implemented into UK law by the Electronic Signatures Regulations which came into force on 8 March 2002.
The Regulations deal with the supervision of CSPs. They place a duty on the Secretary of State to keep the activities of CSPs under review.
The Regulations deal with the liability of CSPs. If a CSP issues a qualified certificate to the public AND a person reasonably relies on that qualified certificate AND the person so relying suffers loss AND the CSP would have been liable had a duty of care existed or had the CSP been negligent THEN the CSP shall be liable to the same extent. It is presumed that a duty of care exists between the CSP and the relying person.
The Regulations also deal with the data protection requirements imposed on CSPs. If a CSP issues a qualified certificate to the public AND the CSP is established in the UK AND personal data is processed in the context of that establishment THEN:
- the CSP shall not obtain the personal data other than directly from the data subject OR after the explicit consent of the data subject; AND
- the CSP shall not process personal data obtained to a greater extent than is necessary for the purpose of issuing or maintaining a certificate OR to a greater extent than is necessary for any other purpose to which the data subject has explicitly consented.
What are the main challenges for the future?
There are both technical and legal challenges involved with the widespread use of digital signatures and PKI.
The principal technical challenge is to ensure that public keys are in fact associated with the person or organisation with whom they claim to be associated. This is the purpose and function of CSPs.
There is also a concern within government that the security offered by encryption techniques may be used to disguise illegal activities.
The principal legal challenge is whether digital signatures based on PKI technologies meet the criteria contained in the definition of an "advanced electronic signature" as that term is used in the Electronic Signatures Regulations 2002.
The criteria which need to be met in order for a signature to be classified as an "advanced electronic signature" are as follows:
- the signature must be uniquely linked to the signatory;
- it must be capable of identifying the signatory;
- it must be created using means that the signatory can maintain under his sole control; and
- it must be linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
The court will need to consider whether these criteria are met in circumstances where a party's private key is compromised. This is perhaps the biggest challenge for PKI. Digital signatures and PKI will ONLY show that the alleged signatory's private key effected the signature. They will NOT prove who used it.
Digital signatures are quite distinct from handwritten signatures. Whereas executing a handwritten signature is a deliberate, ritual action, there is no universally understood way to affix a digital signature. Further, the form of a digital signature is not instantly recognisable (as in the case of a handwritten signature). In light of this, a party to a digitally signed contract could attempt to claim that he or she did not intend to sign, but that he or she simply "pressed" the wrong button.
These are just some of the issues which courts may need to consider in the future when determining whether PKI is enough to prevent a party to a digitally signed contract from being able to repudiate it.
Interoperability of PKI technologies
Looking beyond the UK, there is another challenge which needs to be considered: the interoperability of PKI applications across Member States.
The PKI Challenge is a two year interoperability project which is tackling this problem at the moment. It started in January last year. It is funded by the European Commission and the Swiss Government and is organised by the European Forum for Electronic Business. Its aim is to overcome the interoperability problems between PKI products and to develop specifications and "best practice" in the world standards arena.
The future
Although the EU Directive on Electronic Signatures has now been fully implemented into UK law, there are still challenges to be encountered as we journey down the path and head towards a fully functional e-commerce society. Nevertheless, despite the hurdles, it is only a matter of time before we see a lot more transactions using digital signatures based on private and public key pairs.
For further information on this topic, please contact Matthew McMillan at matthew.mcmillan@cms-cmck.com or on +44 (0)20 7367 3073.