The Electronic Signatures Act (“ESA”) is the general law regulating the validity of electronic signatures in Taiwan. Pursuant to Paragraph 1, Article 9 of the ESA, where a physical signature or seal is required by law for a certain document, only a qualified electronic signature has the same legal effect as a physical signature or seal on said document. Under the ESA, an “electronic signature” refers to a signature that is attached to, integrated into, or logically associated with an electronic record and that can be used to identify and verify (i) the signatory’s identity/qualification and (ii) the electronic record’s authenticity. Hence, it is generally acknowledged that a qualified electronic signature should be “undeniable” and “unfalsified”. However, there has been no clear guidance as to what types of algorithms and cybersecurity technologies would meet the above-mentioned requirements for “electronic signatures” under the ESA.
For the convenience of practical application, on 2 December 2022, the Administration for Digital Industries, the Ministry of Digital Affairs (“ADI”) issued a ruling to illustrate qualified electronic signatures with the following internationally common algorithms and cybersecurity technical standards (Ref. No.: Chan-Jing-Zi No. 1114000229):
1. Electronic signatures using PKI (Public Key Infrastructure) technology and structure, such as standards established by the IETF PKIX Working Group.
2. Electronic signatures using signature formats or algorithms established by international organizations or major countries, such as:
(1) The signature formats established by ETSI, including CAdES (CMS Advanced Electronic Signatures), XAdES (XML Advanced Electronic Signatures), PAdES (PDF Advanced Electronic Signatures), ASiC (Associated Signature Containers), JAdES (JSON Advanced Electronic Signatures), etc.
(2) The signature algorithms established or approved by NIST or ISO.
The ADI hopes this ruling will facilitate the practical application of electronic signatures, and it encourages electronic signature service providers to self-certify that their solutions comply with any of the technologies listed above.