Electronic signatures and legal validity: QES, eIDAS, and audit trails

How to ensure the legal validity of digital documents at the enterprise level: an analysis of legislative requirements, cross-border compatibility, LTV formats, and configuring reliable audit trails.

Ensuring legal certainty in digital processes is critical for modern business. It requires strict adherence to both Ukrainian legislation and European standards. Organizations often face the challenge of establishing the legal validity of electronic documents and signatures while navigating the complexities of local regulatory requirements and cross-border trust services.

The legal validity of a document is based on three principles: authenticity (identification of the author), integrity (unchangeability of content), and non-repudiation. Simply applying a signature without capturing a timestamp and verifying the certificate status undermines the evidentiary basis in the long term. Let's examine how to build a trust architecture in Enterprise Content Management (ECM/DMS) systems in accordance with current regulations.

Paperless legitimacy: what defines the legal validity of a document

The basic regulatory act for the use of qualified electronic signatures (QES) and trust services in Ukraine is Law No. 2155-VIII "On Electronic Identification and Electronic Trust Services." At the same time, Law No. 851-IV "On Electronic Documents and Electronic Document Management" establishes a key rule: the legal validity of an electronic document cannot be denied solely because it is in electronic form.

According to Law No. 851-IV, an electronic document is a document where information is recorded as electronic data, including mandatory fields. An electronic copy with mandatory fields, including the author's electronic signature, is equivalent to the original document. However, legal compliance requires more than just the presence of a signature file. Legislation requires verifying the status of the trust service provider and the validity of the certificate before processing and archiving the document. If these conditions are not met, the legitimacy of the operation may be questioned.

QES and cross-border compatibility under eIDAS

Regulation (EU) No. 910/2014, known as eIDAS, defines the rules for electronic identification and trust services for cross-border electronic transactions within the European Union. The highest level of trust under the regulation is the qualified electronic signature (QES).

The Ukrainian QES is technically similar to the European QES. However, it is important to avoid a common misconception: implementing the standard does not mean that eIDAS automatically and unconditionally recognizes any Ukrainian QES. For full legal compatibility, it is necessary to consider the specifics of technical and bilateral agreements between Ukraine and the EU, as well as to verify the presence of service providers in the relevant Trusted Lists.

Long-term validation (LTV) and timestamping

A standard electronic signature only records the fact of signing but does not contain cryptographic proof of whether the certificate was valid at the moment of the transaction if verification occurs years later. Since public key certificates have a limited validity period, standard verification after expiration will not confirm legitimacy.

In corporate engineering, this problem is solved through Long-Term Validation (LTV) signature formats, which include:

  • Timestamp: Proves that the document existed and was signed at a specific moment before the certificate expired.
  • Certificate status data: Embedding Online Certificate Status Protocol (OCSP) responses or Certificate Revocation Lists (CRL) directly into the signature structure at the time of signing.

Thanks to LTV formats (e.g., CAdES-X Long or PAdES-Long), the system can mathematically prove the validity of a signature throughout the entire lifecycle of the document.

Audit trail as primary evidence in corporate systems

The international standard ISO 15489-1:2016 provides principles for records management in various technological environments. According to it, electronic document management systems must be designed to process records regardless of their specific structure, maintaining context and usage history.

The main tool here is the Audit Trail — a secure log registering all events. In the event of a legal dispute, the signature file alone may not be sufficient; the court needs to see the access history, timestamp records, and certificate verification statuses.

It is important to note: although the international association AIIM promotes the transition from classic ECM to Intelligent Information Management using AI/IDP, these technologies optimize classification and data extraction but do not solve the issue of signature legitimacy on their own. Legal validity is based on cryptography and the preservation of metadata integrity.

Trust architecture for corporate systems

To build an infrastructure that withstands legal audits and supports integration with government services, such as the "Electronic Court" subsystem (for performing legally significant actions and submitting evidence), platforms with built-in deep data control mechanisms are required.

Examples of solutions that support such an architecture are Megapolis.DocNet and Scriptum.DMS. They are built on the UnityBase platform (a low-code framework, which is a joint development of companies within the Intecracy Group; Intecracy Group is an alliance of independent companies linked by partner agreements and share exchanges, not a single company or holding; InBase is a key, but not the only, developer). Using UnityBase mechanisms allows systems to ensure a unified domain model, record-level access control (RBAC/RLS), and continuous DataHistory (audit trail) logging. This enables automatic certificate validation, support for long-term archives, and legitimate integration with external registries.

Signature formatTrust levelScope of applicationLegal risks
Simple ES (no certificate)LowInternal approvals, non-critical operationsEasily refuted in court, does not confirm authorship and integrity
Advanced ES (AES)MediumContracts between counterparties by prior agreementLimited recognition without additional evidence
Qualified ES (QES)HighFinancial reporting, government agencies, cross-border agreements (subject to compatibility)Fully equivalent to a handwritten signature (provided trust service provider statuses are validated)

A full transition to paperless document management requires architects not only to implement QES but also to ensure mathematical proof of every step (via LTV) and maintain a secure audit trail in accordance with international standards.

FAQ

Is the Ukrainian QES recognized in EU countries under the eIDAS regulation?

The Ukrainian QES is conceptually similar to the European QES. However, eIDAS does not guarantee automatic recognition of all Ukrainian QES without considering existing bilateral agreements between Ukraine and the EU and the presence of service providers in European Trusted Lists.

How to prove in court that an electronic document was not changed after signing?

For this, cryptographic verification of the QES is used: any change in the file violates mathematical integrity and renders the signature invalid. A secure audit trail in the ECM system also serves as an important evidentiary factor.

What is the Long-Term Validation (LTV) signature format and why is it needed?

LTV is a format that includes a timestamp and certificate status data at the time of signing. It is necessary to prove that the certificate was valid at the time the signature was applied, even if its validity period has since expired.

Data sources

Sources & materials

Materials and sources used in this article.

  1. Verkhovna Rada of Ukraine: Law of Ukraine On Electronic Identification and Electronic Trust Services — zakon.rada.gov.ua
  2. Verkhovna Rada of Ukraine: Law of Ukraine On Electronic Documents and Electronic Document Management — zakon.rada.gov.ua
  3. EUR-Lex: Regulation (EU) No 910/2014 on electronic identification and trust services — eur-lex.europa.eu
  4. ISO 15489-1:2016 Records management — iso.org
  5. AIIM — Intelligent Information Management — aiim.org