LegalReader.com  ·  Legal News, Analysis, & Commentary


Electronic Signatures: Who Bears Responsibility for Reliability? A Comparative Analysis of Australian and EU Approaches


— April 10, 2026



Electronic signatures have accelerated the legal transaction cycle. Agreements that once required printing, posting and filing can now be completed within minutes.

In Australia, the law is technology-neutral. It recognises electronic signatures without prescribing how they must be created, leaving the assessment of whether a signing method is sufficiently reliable largely to the users of the signature platforms.

The European Union has adopted a different regulatory approach. Under the eIDAS Regulation, the law defines different levels of electronic signatures based on how much assurance they provide. Rather than leaving reliability entirely to the users, the legal framework sets structured requirements that the technology must satisfy. 

Electronic signatures are a range of technologies that connect a person to a document. 

Importantly, these technologies are not confined to any single jurisdiction. The difference between legal systems does not lie in the technology itself, but in how responsibility for its reliability is allocated.

Technology of electronic signatures 

At the most basic level, a signature may be as simple as typing a name, inserting an image of a handwritten signature, or clicking an “accept” button. Many everyday agreements are completed this way.

More advanced systems add layers of control. These may include logging into an account on the platform, verifying an email address, or entering a one-time passcode. They may also create audit trails, recording when the document was sent and signed, from where, and by which user account. 

At a higher level, some systems use cryptographic techniques, commonly referred to as digital signatures. These methods use encryption and digital certificates to bind a document to a specific signing key and to detect any changes after signing.

However, even the most sophisticated systems cannot fully guarantee that the signature has been applied by the intended person. Every method ultimately relies on one assumption: that the intended signer is the person actually using the system at that moment. If login details are shared, a device is accessed by someone else, or control over the signing process is compromised, the connection between the signer and the document can break down.

For this reason, more advanced technology can improve confidence, but it cannot remove uncertainty.

Electronic Signatures Under Australian Law

In Australia, the legal validity of electronic signatures is primarily governed by the Electronic Transactions Act 1999 (Cth) and equivalent legislation enacted by the states and territories. 

Under section 10 of the Act, an electronic signature is valid if:

  • a method is used to identify the person and indicate their intention
  • the method is as reliable as appropriate for the purpose
  • the method is accepted by the person receiving the signature

This structure reflects a flexible design. The law does not prescribe any specific technology. Instead, it focuses on the functions of a signature, identifying the person and indicating their intention. 

However, this flexibility places responsibility on the user. The law does not define what is “reliable enough” in any given situation. That judgement must be made in context by the user. 

User Responsibility in a Technology-Neutral System

For many users, the primary focus is naturally on the security of the platform. In reality, the issue is broader than software security. It also involves evaluating the overall signing process. This includes how the signer is identified, how intention is recorded, how easy it would be for someone else to sign on their behalf, and whether the process provides appropriate assurance for the purpose of the document.

Man signing papers; image by Matheus Lara, via Pexels.com.

In practice, common signing methods may not always meet this standard. For example, in my profession, although simple copy-and-paste signatures are not accepted, and certain controls such as account login and email-based identification are required, platforms may still rely on shared email access where multiple parties jointly own an entity. In such cases, users should consider whether each party has a unique email address to ensure that individual signatories can be clearly identified.

In this framework, the law regulates the use of electronic signatures rather than the technology itself.

The European Union’s Prescriptive Model

The EU framework is functionally prescriptive. It does not dictate the technology to be used, but it defines the conditions that technology must satisfy to achieve legal recognition. 

The levels of electronic signature it defines include:

  • Simple electronic signatures
  • Advanced electronic signatures
  • Qualified electronic signatures

By legal definition, an advanced electronic signature must be uniquely linked to the signatory, capable of identifying the signatory, created using signature creation data under the sole control of the signatory, and linked to the signed data in a way that allows any subsequent change to be detected. 

When a platform offers an advanced electronic signature, the law provides clearer guidance on how identity and intent are established, reducing the need for users to assess the process themselves.

A qualified electronic signature is a type of the encrypted digital signature discussed above, and it must be issued by an authorised trust service provider that is accredited by government bodies. In this case, a greater degree of reliance is placed on the platform and the certification framework. Although the process is not infallible, a qualified electronic signature has the same legal effect as a handwritten signature across all EU member states.

By establishing these categories, the EU framework creates a structure around predefined reliability. 

Conclusion

The contrast between the Australian and European frameworks highlights a fundamental difference in regulatory philosophy.

In Australia, users must assess whether a signing method is appropriate for their purposes. In the EU, the law defines structured levels of assurance, reducing the need for users to make that assessment themselves.

However, no system, regardless of its level of sophistication, whether based on passwords, platforms or cryptographic keys, can entirely eliminate the gap between the identity attributed to a signature and the person who actually applied it.

It should be noted that certain documents usually remain excluded from electronic execution under applicable legislation. In some circumstances, even where not mandated by law, the simplicity of a handwritten signature, particularly when witnessed, may provide a level of assurance that even the most sophisticated electronic systems cannot fully replicate.
