
7 Westferry Circus ● Canary Wharf ● London E14 4HB ● United Kingdom

An agency of the European Union

Telephone +44 (0)20 7418 8400 Facsimile +44 (0)20 7418 8416

E-mail [email protected] Website www.ema.europa.eu

© European Medicines Agency, 2013. Reproduction is authorised provided the source is acknowledged.

September 2013 EMA/264709/2013 Version 2.0 (revisions dated)

EMA eSignature capabilities: frequently asked questions relating to practical and technical aspects of the implementation

This question and answer document aims to address the frequently-asked questions and provide guidance regarding technical and practical aspects of the European Medicines Agency’s electronic signature capabilities.


Contents

Objectives of the EMA eSignature Capabilities
Registration Process
Business process
Technical Questions
Verification and Certificates
How to digitally sign an EMA PDF Form
General Questions
Contact us


Objectives of the EMA eSignature Capabilities

1) What are the European Medicines Agency’s eSignature capabilities?

The EMA’s eSignature capabilities enable the EMA to send digitally signed electronic documents (PDF) to industry. The EMA also have the capacity to verify digital signatures embedded in digitally signed electronic documents (PDF).

The EMA’s capabilities are in line with the EMA’s strategy for a future electronic only workflow.

These capabilities enable the secure archiving of legally binding digitally signed documents in a more efficient manner and they reduce the requirement to sign and archive paper documents.

2) Which types of documents can be sent with a digital signature?

The EMA accept digital signatures in portable document format (PDF) electronic documents.

3) Who is the eSignature solution for?

Currently, the EMA’s eSignature capabilities are restricted to electronic documents for Scientific Advice, Orphan Medicines and Paediatric submissions between EMA and the pharmaceutical industry.

4) How do I send a digitally signed document to the EMA?

You should send digitally signed documents via your usual submission channel e.g. email or Eudralink.

Registration Process

5) Do companies need to register to access EMA’s eSignature capabilities?

There is no registration requirement to send or receive digitally signed documents.

Business process

6) Who should digitally sign a document on behalf of a company?

The signatory of a digitally signed document should be the person authorised to fulfil this role within the company.

7) What do I do if I cannot provide a digital signature on an EMA PDF electronic document?

You can complete the necessary document, sign it using wet-ink and scan and send it to the EMA via email or EudraLink. Alternatively you may send the signed document via courier.

8) Does the EMA accept only digitally signed documents?

No, the use of digital signatures is not yet mandatory.

9) How do I know my digitally signed document has been successfully received?

Digitally signed documents will be dealt with in accordance with existing business processes and therefore no additional notification of receipt will be provided.


10) Will digitally signed documents submitted to the EMA go through a different process?

All digitally signed documents received by the EMA will be handled in line with current processes.

11) Do we need to digitally sign applications for all procedure types? Updated September 2013

No, the Agency provides specific PDF certified electronic application forms in the areas of Scientific Advice, Orphan Medicines and Paediatric Medicines for industry to digitally sign and submit using a PDF Reader Application. Details of the available forms can be found here.

Technical Questions

12) When should I involve my organisation’s IT colleagues in the configuration of the eSignature solution?

Please engage with your technical colleagues from the outset. It is advisable to obtain technical support with the configuration.

13) Are all types of PDF software supported?

We have successfully tested the solution using Adobe Reader; however, the EMA’s eSignature solution is designed to be compatible with other PDF compliant applications.

14) When I try to open one of the EMA PDF forms with my web browser, I see a message on screen indicating that my web browser cannot open the PDF. Why does this occur? Updated September 2013

Please save the PDF in a suitable location and open it with your chosen PDF reader. Depending on the browser you use and the way in which your computer has been configured, the message you see on screen may differ. If you are using Firefox you might see the message below:

If you are using Internet Explorer you might see the following:


15) Do we need an external software provider in order to send or receive documents containing an electronic signature?

The use of a software provider is not necessary to digitally sign and receive documents. If your organisation does not currently have the facility to embed a digital signature, you may choose to seek technical guidance to acquire the appropriate technology.

16) How do I digitally sign a PDF?

The EMA will provide PDF certified electronic documents that are reader extended. You may use a PDF compliant reader application, e.g. Adobe Reader Version 9.1 plus.

17) How do I know a PDF is digitally signed?

There is normally a visual representation in the electronic document; however, the actual digital signature is embedded within the PDF file. When you open the PDF file your PDF reader application should notify you that the file contains digital signatures. Please look at the image below to see an example of a digital signature.

Figure 1.

18) Which PDF standards do the EMA conform to?

All electronic documents to be digitally signed will conform to the portable document format file (PDF) version 1.7 ISO 32000-1:2008 standard. It should be noted that ISO/IEC 32000-2 may further clarify the use of digital signatures. This standard is currently under development.


Verification and Certificates

19) Where do I obtain a Qualified Certificate? Updated September 2013

Supervised or accredited trust service providers (TSPs) in EU Member States supply Qualified Certificates to corporate entities and also to citizens. TSP supervisory bodies or TSP scheme operators maintain a list of TSPs that are authorised or accredited to supply Qualified Certificates.

TSPs are supervised by their indigenous TSP supervisory body, which is normally a government department. Some EU Member States also delegate the TSP supervision to a national TSP scheme operator that undertakes trust services accreditation. Table 1 shows the trust service providers (TSPs) supervisory body or scheme operator for each EU Member State.

| EU Member State | Supervisory Body and/or Trust Scheme Operator Lists | Country Code |
|---|---|---|
| Belgium | FPS Economy, SMEs, Self-employed and Energy - Quality and Security - Information Management | BE |
| Bulgaria | Communications Regulation Commission | BG |
| Czech | Ministry of the Interior of the Czech Republic | CZ |
| Denmark | Danish Agency for Digitisation | DK |
| Germany | Federal Network Agency | DE |
| Estonia | Estonian Technical Surveillance Authority | EE |
| Ireland | Department of Communications, Energy and Natural Resources | IE |
| Greece | Hellenic Telecommunications and Post Commission (EETT) | EL |
| Spain | Ministerio de Industria, Energía y Turismo | ES |
| France | Direction Générale de la Modernisation de l'Etat (DGME) | FR |
| Croatia | To be determined | HR |
| Italy | Agenzia per l’Italia Digitale | IT |
| Cyprus | Department of Electronic Communications, Ministry of Communications and Works | CY |
| Latvia | Data State Inspectorate | LV |
| Lithuania | Communications Regulatory Authority of the Republic of Lithuania | LT |
| Luxembourg | Institut Luxembourgeois de la Normalisation, de l'Accréditation, de la Sécurité et qualité des produits et services (ILNAS) | LU |
| Hungary | National Media and Infocommunications Authority | HU |
| Malta | Malta Communications Authority | MT |
| The Netherlands | Authority for Consumers & Markets | NL |
| Austria | Rundfunk und Telekom Regulierungs-GmbH | AT |
| Poland | National Bank of Poland | PL |
| Portugal | National Security Cabinet of Portugal | PT |
| Romania | Ministerul Comunicatiilor si Societatii Informationale | RO |
| Slovenia | Republic of Slovenia, Ministry of Education, Science and Sport | SI |
| Slovakia | National Security Authority | SK |
| Finland | FICORA - Finnish Communications Regulatory Authority | FI |
| Sweden | Swedish Post and Telecom Agency (PTS) | |
| United Kingdom | tScheme | UK |
| Iceland | To be determined | IS |
| Liechtenstein | The Office for Communications (AK) | LI |
| Norway | NPT - Norwegian Post and Telecommunications Authority | NO |

Table 1 – List of EU Member States TSP Supervisory Body or TSP Scheme Operator

You will need to clarify in your enquiries that you are specifically seeking TSPs that issue Qualified Certificates. The European Commission Trusted Lists of Certification Service Providers (LOTL) and each state’s lists are updated as and when there is a need for such a change.


20) Who is the EMA’s Qualified Certificate Provider?

The EMA shall be using the certification services provided by the Spanish Royal Mint (Fábrica Nacional de Moneda y Timbre (FNMT) – Real Casa de la Moneda) under Contract EC Framework Contract No DI/06750-0 PKI Services.

21) How do I ensure our certificates are compliant with the EMA’s requirements?

The Directive of the European Parliament and of the Council on a Community framework for electronic signatures (1999/93/EC) defines requirements on a specific type of certificate named ‘Qualified Certificates’, which are given a specific relevance for the acceptance of electronic signatures and their legal effects (Article 5). The Directive’s Annex I describes the requirements for qualified certificates and Annex II describes the requirements for certification-service-providers issuing qualified certificates.

The link below provides specific details for those that require the profile specifications on Qualified Certificates.

22) Who is the EMA’s PDF Certify Certificate Provider?

The EMA is using a certificate from GlobalSign as part of the Adobe Certified Document Services Scheme for Certifying EMA documents.

23) How do I verify an EMA digital signature?

In order to verify an EMA digital signature you must make sure your system is configured to trust the root certification authority certificates used by EMA; see question "Who is the EMA's Qualified Certificate Provider?". Please refer to your organisation's security policies.

24) How do I ensure that Certification Authority Root certificates, associated with EMA digital signatures, are available to my PDF application?

You need to ensure that Certification Authority Root certificates, associated with EMA digital signatures, are available to your PDF application. The points below describe the steps to follow in order to import those certificates to your local Windows environment and Adobe Reader as an example.

A. This capability is achieved by downloading the three certificates from the EMA eSignatures web pages, as shown in Figure 2.


Figure 2.

B. Download each certificate and use the “open” option and the install option, as shown in Figure 3, to import the FNMT Root CA Certificates, using the certificate import wizard.

Figure 3.

C. When you have installed all three FNMT certificates click on the file to open the EMA PDF Form in your PDF application.


D. You now need to accept these installed certificates into your PDF application’s trusted certificate store. An example of this task is shown in Figure 3, using a PDF reader application. This task needs to be completed only once for all digitally signed EMA PDFs. Click on the signature tab, with the green tick in the side bar. Then click on “signature details” to expand the attributes to show certificate details. Then highlight FNMT-RCM and then click on the trust tab. Then click on the “add to Trusted Identities” button, as shown in Figure 4.

Figure 4.

In the next dialogue box, as shown in Figure 5, click OK to accept these FNMT Root CA certificates.

Figure 5.


In the next pop-up dialogue box, as shown in Figure 6, ensure that the accept root certificate box is checked and then press OK.

Figure 6.

E. Now verify all the digital signatures by clicking the “Validate All” button. Figure 7 shows the result of verifying the digital signatures in an EMA PDF.


Figure 7.

25) How do I confirm if I have the required certificates in the trust store?

If you are using Adobe software you can start by checking the Adobe Certificate Authority Root Certificate Trust Configuration in Adobe Reader / Adobe Acrobat:

1. Open the PDF in Adobe Reader or Acrobat.

2. Open the signature tab.

3. Right click on the Certification signature named “Certified by EMA Certify”.

4. Select “Show signature properties…”

Figure 8.

5. Click “Show Signer’s Certificate…”


Figure 9.

6. From the list on the left select the topmost certificate called “Adobe Root CA”.

7. Select the Trust tab.

8. You should now see that this certificate is trusted for “Signing documents or data” and “Certifying documents”. The “Add to Trusted Certificates…” button should be greyed out and disabled.


Figure 10.

9. Without changing the Tab click on the second certificate name from the top in the left panel called “GlobalSign Primary SHA256 CA for Adobe”.

10. You should see in the trust tab that the permissions are inherited from the parent certificate granting “Sign documents or data” and “Certify documents”. This time however the “Add to Trusted Certificates…” button is not disabled. You don’t need to do anything here.


Figure 11.

11. Without changing the Tab click on the third certificate name from the top in the left panel called “EMA Certify <[email protected]>”.

12. You should see in the trust tab that the permissions are inherited from the parent certificate granting “Sign documents or data” and “Certify documents”. Again the “Add to Trusted Certificates…” button is not disabled. You don’t need to do anything here.


Figure 12.

13. Click OK.

14. Click Validate Signature.

15. You should then see the following:


Figure 13.

16. Please repeat steps 3 – 15 for the second signature field. In Step 8 you should see the following:


Figure 14.

17. In this case the permissions on each certificate should be “Sign documents or data” only.

If the first certificate in the certificate list does not have any permissions set or the “Add to Trusted Certificates…” button is not disabled, please email [email protected].

26) How do I change certificate permissions?

1. Open Adobe Reader or Acrobat.

2. Select “Edit” -> “Preferences”


Figure 15.

3. Scroll down the list in the left hand panel and select “Signatures”.

4. Under the section “Identities & Trusted Certificates” click “More”.


Figure 16.

5. Click “Trusted Certificates”.

6. Sort by “Certificate Issuer”.

7. Look down the list for “Adobe Root CA”. Select it.


Figure 17.

8. Confirm that the details in the bottom panel match the following:

Adobe Root CA

Adobe Systems Incorporated

Issued by: Adobe Root CA

Adobe Systems Incorporated

Valid from: 2003.01.08 23:37:23 Z

Valid to: 2023.01.09 00:07:23 Z

Intended usage: Sign certificate (CA), Sign CRL

9. If the settings match click close. If not continue to Step 10.

10. Click “Edit Trust”.


Figure 18.

11. Make sure the following options are ticked on this screen:

a) Use this certificate as a trusted root

b) Signed document or data

c) Certified documents

12. Click “OK”.

13. You have now completed the steps to update an imported certificate’s trust permissions.


27) How do I know if there is a problem with the verification of a digital signature?

1. Look out for alerts in the Blue Certification notification bar across the top of the PDF display panel. The alerts that indicate a problem are shown below:

a) User action required to validate a signature field on the form

b) The form Certification is valid but the recipient signature cannot be validated

c) The recipient signature field on the form is valid but the Certification is not valid

d) The document Certification and recipient signature are not valid / cannot be validated.

e) Either the document Certification or Recipient Signature Field is Invalid.

f) All signatures on the form are valid

2. Signature Panel - Certification Field

a) Status unknown

b) Invalid

c) Valid

3. Signature Panel – Recipient Signature Field

a) Status Unknown

b) Signature has Problems


c) Invalid

d) Valid

28) What do I do if I cannot verify a digital signature that is embedded in an EMA document?

Please contact [email protected]

29) Are digital signatures in Adobe products compatible with PDF/A?

PDF/A-1 fully supports digital signatures. Reader, Acrobat and LiveCycle all fully support signing a PDF/A according to the requirements for same.

How to digitally sign an EMA PDF Form

This section is included for those individuals that may not be familiar with digitally signing PDF Forms using a PDF reader application.

A. Click on the file to open the EMA PDF Form in your PDF reader application.

B. The EMA Form is authenticated automatically, as shown by the blue ribbon and blue rosette and the statement “Certified by EMA” in Figure 19.

Figure 19.

C. Enter the pertinent information of the scenario into the form’s fields.


Figure 20.

D. Place your cursor over the "Signature of sponsor’s representative" digital signature box, as shown in Figure 21, and right click.

E. Proceed through the dialogue to digitally sign the electronic document (save the file under a new name).

Figure 21.

F. The representation of your digital signature is displayed in the digital signature box as shown in Figure 22. This representation is configurable in your PDF reader application; however, the digital signature is embedded into the PDF file. Your PDF application should provide you with the option to save the file in a new filename; however, if this facility is not provided then save the form using the “Save Form” button.


Figure 22.

General Questions

30) When will the eSignature solution “go live”?

The eSignature solution was launched in September 2013.

1) Are EMA digital signatures legally binding? Updated September 2013

EMA digital signatures are advanced electronic signatures created by secure signature creation devices and supported by Qualified Certificates. Digital signatures on EMA electronic documents conform to the requirements for Qualified Certificates of Annex I of the Directive 1999/93/EC of the European Parliament and of the Council dated 13th December 1999. Digital signatures on EMA electronic documents are created using a secure signature-creation device as specified in Annex III of the Directive.

Under Article 5 1b of the Directive, Member States shall ensure that advanced electronic signatures, based upon a Qualified Certificate and created by a secure signature creation device, are admissible as evidence in legal proceedings.

2) What is the cost of the eSignature solution? Updated September 2013

The eSignature solution is free for a user already in possession of a qualified certificate and the means to create a digital signature.

For organisations that do not yet have the capability to digitally sign documents electronically, we advise you to seek a quotation from a supervised or accredited trust service provider (TSP) supplying digital signature services supported by Qualified Certificates.

You should refer to Table 1 above to determine the respective accreditation body or scheme operator that maintains a list of supervised or accredited TSPs supplying Qualified Certificates.

3) How do the EMA ensure that digitally signed PDFs submitted by industry cannot be tampered with?

The PDF electronic forms are certified, using the EMA Entity Keys, to ensure that industry users complete the specific permitted fields and do not add further fields. By certifying the PDF file, the electronic forms are being “locked down” to detect unauthorised manipulation.
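The following Python sketch is an added example, not part of the EMA document or of any EMA tooling. It goes beyond the answer above by reading two ISO 32000-1 structures: the /ByteRange of each signature, which shows which bytes of the file the signature covers, and the DocMDP /P level of a certified form, which states what changes are still permitted. The function names and the PDF-like sample bytes are constructed for illustration, and no cryptographic or certificate-chain check is performed; that remains the job of the PDF reader's validation.

```python
import re

# /ByteRange [o1 l1 o2 l2] names the two byte spans the signature digest covers.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# /P level of a certification (DocMDP) signature, ISO 32000-1 Table 254.
# Simplification: assumes /P follows /TransformMethod /DocMDP in the file.
DOCMDP_P = re.compile(rb"/TransformMethod\s*/DocMDP.*?/P\s+([123])", re.S)
DOCMDP_MEANING = {
    1: "no changes permitted",
    2: "form fill-in and signing permitted",
    3: "form fill-in, signing and annotations permitted",
}


def inspect_signatures(pdf):
    """For each signature dictionary found, report which file bytes it covers."""
    report = []
    for m in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = (int(g) for g in m.groups())
        gap = pdf[o1 + l1:o2]  # the only unsigned span: the /Contents <hex> string
        signed_end = o2 + l2
        report.append({
            "byte_range": (o1, l1, o2, l2),
            "starts_at_zero": o1 == 0,
            "gap_is_hex_string": re.fullmatch(rb"<[0-9A-Fa-f]*>", gap) is not None,
            "in_bounds": signed_end <= len(pdf),
            # Bytes past signed_end were appended after signing and are not
            # covered by this signature; they must fit the DocMDP permissions.
            "bytes_after_signature": max(len(pdf) - signed_end, 0),
        })
    return report


def docmdp_level(pdf):
    """Return the DocMDP /P level (1, 2 or 3), or None if not certified."""
    m = DOCMDP_P.search(pdf)
    return int(m.group(1)) if m else None


def build_sample(appended=b""):
    """Constructed PDF-like bytes with a self-consistent /ByteRange.

    The /Contents value is a zero-filled placeholder, not a real signature.
    """
    prefix = (b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite "
              b"/Reference [<< /TransformMethod /DocMDP "
              b"/TransformParams << /P 2 >> >>] /ByteRange [")
    slot = b"0 %010d %010d %010d"  # fixed width, so offsets stay stable
    mid = b"] /Contents "
    contents = b"<" + b"00" * 32 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    l1 = len(prefix) + len(slot % (0, 0, 0)) + len(mid)
    o2 = l1 + len(contents)
    body = prefix + slot % (l1, o2, len(tail)) + mid + contents + tail
    return body + appended


# Constructed incremental update, as a later save of the form would append.
EXTRA = b"2 0 obj\n<< /T (added field) >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("as signed", build_sample()),
                       ("with appended bytes", build_sample(EXTRA))):
        level = docmdp_level(data)
        print(name, "- DocMDP:", DOCMDP_MEANING.get(level, "not certified"))
        for sig in inspect_signatures(data):
            print("  ", sig)
```

A non-zero `bytes_after_signature` is not by itself evidence of tampering, since filling in and signing a certified form also appends data; it marks the portion of the file that a validator has to judge against the DocMDP level.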


4) Is the EMA’s digital signature solution compatible with the FDA’s digital signature requirements? Updated September 2013

The EMA’s digital signature solution is legally binding in the European Union. It is apparent that each country may have its own digital signature legislation. Users are advised to familiarise themselves with the requirements of the country they are submitting documents to.

Contact us

For queries concerning the EMA’s eSignature solution please contact [email protected]