A. Legal Background
On 1 July 2016, EU Regulation No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market establishing a comprehensive legal framework for e-signatures (hereinafter the "Regulation") became directly applicable on all EU Member States, without the need to be implemented into local legislation.
Nevertheless, Cyprus proceeded to incorporate the provisions of the Regulation in its national legislation by enacting Law 55(I)/2018 (hereinafter the "Law").
B. What constitutes an electronic signature (“e-signature”)
The Regulation introduces three types of e-signatures, as follows:
E-signature: This is data in electronic form that is either attached to or logically associated with other electronic data and is used by signatories to sign (such as a signatory’s name typed at the bottom of an email).
Advanced e-signature: This is an e-signature that meets the following essential requirements: a) it is uniquely linked to the signatory; b) it is capable of identifying the signatory; c) it is created using means that the signatory can maintain under his sole control; and d) it is linked to the data to which it relates in such a manner that any subsequent change of the data is detectable.
Qualified e-signature: This is Advanced E-Signature based on a qualified certificate issued by a Qualified Trust Service Provider (“QTSP”), and created by a qualified e-signature creation device.
C. The legal effect of e-signatures
As per article 25(1) of the Regulation, an e-signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is an electronic form or that it does not meet the requirements for a qualified e-signature.
However, as per article 25(2) of the Regulation and section 9(3) of the Law, only a qualified e-signature has equal legal effect to that of a handwritten signature. This type of e-signature is most commonly used across EU, mainly for the following two reasons: (1) it has the most significant judicial value; and (2) it is recognised in all EU Member States. Section 25(3) of the Regulation provides that a qualified e-signature based on a qualified certificate issued in one Member State shall be recognised as a qualified e-signature in all other Member States.
Nevertheless, it should be noted that the legal effect and admissibility of e-signatures remains to be seen, as due to the recent enactment of both the Law and Regulation, there is no relevant case law indicating how documents bearing an e-signature will be treated by Cyprus Courts.
D. Bodies responsible in Cyprus for the certification of qualified e-signatures
The Department of Electronic Communications of the Ministry of Communications and Works of Cyprus has been designated as the competent authority for the implementation of the legislative framework for e-signatures in Cyprus including the monitoring, maintaining a registry and control of all Qualified Trust Service Provider (QTSP) which are to provide high-level security trust services and products under the Law.
Currently, JCC PAYMENT SYSTEMS LTD (“JCC”) is the only Qualified Trust Service Provider in Cyprus.
For more information on the Qualified Trust Service Providers registered in other EU countries please visit: https://webgate.ec.europa.eu/tl-browser/#/
E. Procedure for obtaining a qualified certificate for e-signature via JCC in Cyprus
First approval (identification approval): The first step is to complete a form which needs to be submitted to a local registration authority who will provide the first-level approval of the application. Currently there are two local registration authorities: (1) Bank of Cyprus; and (2) JCC. However, if the applicant is a legal person it can only apply through JCC. Thereafter, the identification of the applicant needs to be approved through the i-banking of the Bank of Cyprus or by physical attendance at the JCC office in Nicosia, whichever is applicable.
Second and Final Approval: JCC will send an email confirmation to the applicant within 2-3 working days from the date of the identification, confirming the rejection or success of the application. In case of the latter, JCC will direct the applicant to a link in order to obtain a qualified certificate.
The above is intended to provide a brief guide only and does not constitute legal advice. Please do not hesitate to contact Margarita Hadjitofi at firstname.lastname@example.org or Maria Demetriou at email@example.com for further information or assistance.