Poland has many document types that require a Qualified Electronic Signature (QES). Where Polish law requires “Written Form” for a contract, a Qualified Electronic Signature should be used when signing electronically.
The main mandatory use cases for Qualified Electronic Signatures (compiled from the sources linked below) are:
- Employment contract
- Employment contract termination
- Non-competition agreement
- Non-disclosure agreement
- Intellectual Property and copyright transfer
- Exclusive licensing agreements
- License to industrial property rights
- Leasing agreement
- Agreement on the transfer of author’s economic rights
- Real estate agency agreement
- Changes to existing contracts
- Annual financial reports to KRS (National Court Register)
  - Can also be signed using Trusted Profile ePUAP
- VAT declarations and “Uniform Control File” / “Jednolity Plik Kontrolny” (JPK)
  - Can also be signed using Trusted Profile ePUAP
- Range of interactive tax forms
  - Only QES is allowed and Trusted Profile ePUAP cannot be used
  - Forms CIT-D, CIT-ST, CIT-6AR, CIT-6R, CIT-8, CIT-8AB, CIT-8A, CIT-8B, CIT-9R, CIT-10Z, CIT-11R, CIT-14, IFT-2, IFT-2R, CIT-CFC, CIT-TP, WH-WOZ, WH-WCZ, WH-WOP, WH-WCP, WH-OSC, APA-C, TPR-C, ZAW-RD, CIT-15J, CIT-N1, CIT-N2, WH-WOE, CIT-8E, CIT-NZ
  - More info at https://www.podatki.gov.pl/cit/e-deklaracje-cit/formularze-cit/
- Declaration of will
- Power of attorney
- Commercial proxy agreement
- A statement by a guarantor in a guarantee agreement
- Agreements on the acquisition of debt
- Public procurements and European single procurement document (ESPD)
- Electronic tenders and auctions
- Registration and identification of contractors
- Pharmacies reporting in ZSMOPL system
  - Many signatures can be done with non-qualified certificates also
- Data sent to GIIF – Generalny Inspektor Informacji Finansowej
  - Anti money laundering related transactions with value over 15 000 EUR by range of different institutions
- Geodesy and cartography documentation
- Medical records and certificates
- Notifications and reports to the President of the Personal Data Protection Office (PUODO)
- Contacts with Social Insurance Institution (ZUS) using Płatnik program
- Applying to EU subsidies
- E-court pleadings
- Apartment rental agreements
  - Long term fixed rent, termination of contract
- Applications related to the construction works at https://e-budownictwo.gunb.gov.pl
  - Notification of construction works (PB-2), Application for a building permit (PB-1), Notification of the completion of the construction of a single-family house (PB-16a), Notification of construction or reconstruction of a single-family house (PB-2a), Application for an occupancy permit (PB-17), Application for a building permit for a temporary building (PB-8), Application for a decision to amend the building permit (PB-7), Application for issuing a separate decision on approving the plot or site development plan (PB-6), Notice of Completion of Construction (PB-16), Application for an occupancy permit – before completion of construction (PB-17a), Application for simplified legalization (PB-15), Motion to exclude certain duties of the site manager (PB-13), Application for legalization (PB-19), Demolition permit application (PB-3), Demolition notification (PB-4), Application for the transfer of the building permit decision (PB-9), Application for the transfer of the decision on the permit to resume construction works (PB-10), Application for the transfer of rights and obligations arising from the notification (PB-11), Notification of the intended date of commencement of construction works (PB-12), Application to enter adjacent land (PB-14), Application for drawing up a local plan or for changing the local plan, Notification of a change in the use of the building (PB-18), Statement on the right to dispose of the real estate for construction purposes
Alternative to Qualified Electronic Signatures in Poland – Trusted Profile
Poland also has the Trusted Profile (Profil Zaufany), intended for official government use only. It acts as an eID means and also allows creating Advanced Electronic Signatures (AdES) that Poland sometimes accepts at a similar level to QES. To sign PDF documents with Trusted Profile for free for the Polish government, you can upload files to this site: https://moj.gov.pl/nforms/signer/upload?xFormsAppName=SIGNER
On this site the document is actually signed with an Advanced Electronic Seal using a Qualified Certificate issued by Eurocert to “Minister do spraw informatyzacji – pieczec podpisu zaufanego”. At the same time the signature Reason is written as “Opatrzono pieczęcią ministra właściwego do spraw informatyzacji w imieniu: FIRSTNAME LASTNAME, PESEL: 1234567890, PZ ID: USERNAME”
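The seal described above names the Minister, not the person, so a verifier has to take the signer's identity from the Reason text, and should do so only when the seal itself validates. A sketch of that check, added here as an example and not code from moj.gov.pl or the author: the `sig` dictionary layout, the function names and the sample person are assumptions, and the PESEL checksum test goes beyond what the page describes.

```python
import re

# Seal subject name as quoted on this page; confirm it against the real certificate.
EXPECTED_SEAL_CN = "Minister do spraw informatyzacji – pieczec podpisu zaufanego"

# Reason layout as quoted on this page.
REASON_RE = re.compile(
    r"w imieniu:\s*(?P<name>.+?),\s*PESEL:\s*(?P<pesel>\d+),\s*PZ ID:\s*(?P<pz_id>\S+)\s*$"
)

def pesel_checksum_ok(pesel: str) -> bool:
    """PESEL is 11 digits; the last one is a weighted checksum of the first ten."""
    if len(pesel) != 11 or not pesel.isdigit():
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
    total = sum(w * int(d) for w, d in zip(weights, pesel))
    return (10 - total % 10) % 10 == int(pesel[10])

def signer_from_seal(sig: dict):
    """Return the person named in the Reason, or None if the seal cannot vouch for it.

    `sig` is a hypothetical dict filled in by whatever PDF validator you use:
    {"valid": bool, "subject_cn": str, "reason": str}.
    """
    # The Reason text is only as trustworthy as the seal that covers it.
    if not sig.get("valid") or sig.get("subject_cn") != EXPECTED_SEAL_CN:
        return None
    m = REASON_RE.search(sig.get("reason", ""))
    if m is None or not pesel_checksum_ok(m["pesel"]):
        return None
    return {"name": m["name"].strip(), "pesel": m["pesel"], "pz_id": m["pz_id"]}

# Constructed sample data (not a real person or account).
SAMPLE = {
    "valid": True,
    "subject_cn": EXPECTED_SEAL_CN,
    "reason": "Opatrzono pieczęcią ministra właściwego do spraw informatyzacji "
              "w imieniu: JAN KOWALSKI, PESEL: 44051401359, PZ ID: jkowalski",
}

if __name__ == "__main__":
    print(signer_from_seal(SAMPLE))
```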
Qualified Trust Service Providers landscape in Poland
The full list of Qualified Trust Service Providers (QTSP) who can issue qualified electronic signatures can be found at https://esignature.ec.europa.eu/efda/tl-browser/#/screen/tl/PL. A list of brand names and links to products maintained in Poland can also be found at https://www.nccert.pl/. Europe currently has over 200 QTSPs who can issue Qualified Certificates for document signing.
Besides locally certified QTSPs it is also possible to use QTSPs from other countries, as EU eIDAS regulation Article 25(3) states that: “A qualified electronic signature based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature in all other Member States.”
Pricing models and costs for the QTSP
The biggest cost to a QTSP is always the initial user identification and the issuing of the Qualified Electronic Certificate. From there on, every signature has a very small incremental cost to the QTSP. Generally, certificate validation checks are made against the QTSP when a signature is created, and for cloud signatures an SMS may be sent and a few API calls made to the servers.
In addition QTSP-s need to follow high compliance requirements that cause high fixed fees.
From the user point of view the Identification has no utility to them and they get value only if signatures are applied.
This means that the more signatures one signer creates, the lower the price of a single signature will be. With physical devices like smart cards it is hard to control how many signatures are created, and these can actually create many signatures per second. Recently cloud and app signatures have been trending, and in these solutions the pricing model can be made more user friendly: the identification cost is smaller and charges are applied only when signers get utility and create signatures.
Asseco Data Systems S.A
The brand name for the Asseco QES business is Certum https://www.certum.pl/. Mobile and smart card based QES are available. They claim on their website to have issued over 1 million electronic signatures.
The mobile app is called SimplySign and has 50K+ downloads in the Android Play store. The SimplySign app is not free for users: they need to pay 367 PLN for a 1 year QES certificate, 478 PLN for a 2 year certificate and up to 589 PLN for a 3 year certificate. If you download their software, you can sign documents on your device for free after the certificate purchase, and the subscription comes with up to 5000 qualified timestamps per month.
The Certum Smart Card needs a smart card reader on your computer, and prices are 269 PLN for 1 year and 416 PLN for 3 years, thus about 30-40% cheaper than the SimplySign app.
Signature cards are from Giesecke+Devrient | G+D StarCos 3.5 series
Both solutions need signer identification that can be done physically at the Certum point of sales or at the notary.
Online identity verification also exists using eID with Santander bank for free and through the video call that accrues additional fees.
Krajowa Izba Rozliczeniowa S.A.
KIR offers Mobile and physical HSM based solutions. Smart cards cost 198 PLN for 1 year (renewal 134 PLN) and 292 PLN for 2 years (renewal 195 PLN). 3 year certificates are not available.
Certificates can be on the full sized Smart Card or with a SIM card form factor that allows using a small USB-A or even USB-C reader.
Smart card producer is local Polish company CryptoTech with its Carbon and Graphite smart cards
mSzafir offers 2 types of Qualified Electronic Certificates. The first is a regular long term certificate with 1 or 2 years validity. A 1 year certificate with a 1000 signatures limit costs 292 PLN and a 2 year certificate with a 2000 signatures limit costs 341 PLN. The exact price list for certificate renewal is not available on the website, but we can see that it starts from 174 PLN including VAT.
Long term qualified certificates in the mSzafir app can be activated in 3 ways: first, a traditional physical meeting at the KIR branch; secondly, using existing KIR Qualified Certificates on the smart card; and thirdly, online using online banking.
Google Play store shows 10k+ downloads for mSzafir application.
An interesting solution in the Polish market is one time signatures using mSzafir, which cost 15 PLN and require online bank verification. The online banks available for identification are Bank Polski, Inteligo, mBank and Bank Pekao. Since the listed banks have a lot of customers in Poland, a big part of the population has access to Qualified Electronic Signatures with small effort.
mSzafir can be used locally over PKCS #11 using the CryptoCard CloudSigner application by creating Karty wirtualne (virtual cards). Instructions for using CryptoCard CloudSigner with mSzafir mobile app.
On the software side it is possible to use “Szafir SDK Web Module” and SzafirHost to integrate smart card signing over NPAPI into Google Chrome > 45, Opera > 37, Firefox >= 52, Microsoft Edge >= 81 and other Chromium engine based browsers.
Polish Security Printing Works
More widely known as PWPW, this is a government organization that prints Polish currency, passports, ID cards and many other items.
Trust Services brand name for Qualified Electronic Signature is Sigillum https://sigillum.pl/ .
PWPW also maintains the eDO App https://www.edoapp.pl/. This app has an impressive 1M+ downloads in the Play store.
eDO App works with the new Polish electronic ID card, which unfortunately does not include Qualified Certificates by default. Fortunately PWPW is happy to sell you a 1 year certificate for 186 PLN and a 2 year certificate for 200 PLN. More information about buying QES certificates for eDO App can be found at https://sklep.sigillum.pl/#/product/information?id=18
Sigillum sells Qualified Certificates on a smart card: 1 year for 266 PLN (renewal 201 PLN) and 2 years for 292 PLN (renewal 241 PLN). The computer software is called Sigillum Sign and can be downloaded from https://sigillum.pl/pliki. The downside of this software is that it works only on Windows and supports neither macOS nor Linux. Unlimited qualified timestamps are included with the purchase of this card.
Identification happens only in the physical registration points and no online registration is possible.
ENIGMA Systemy Ochrony Informacji Sp. z o.
Brand name here is CenCert https://www.cencert.pl/ .
Traditionally you can buy smart cards with Qualified Certificates, and there is also the rSign cloud signature option, which is used with the “rSign by CenCert” mobile app.
A smart card certificate costs 269 PLN (renewal 220 PLN) for 1 year, 330 PLN (renewal 293) for 2 years and 453 PLN (renewal 429) for 3 years; there is also an option for 4 years at 650 PLN (renewal 626 PLN) and even a 5 year option at 869 PLN (renewal 872 PLN).
Smart cards are from ENCARD and Thales Safenet IDPrime MD series
The software for these cards is PEM-HEART. It supports virtual PKCS #11 and CSP cards as well.
rSign prices range from 269 PLN for a 1 year certificate to 453 PLN for a 3 year certificate. Only physical meetings can be used to activate the certificate. There are 201 registration points https://www.cencert.pl/punkty-rejestracji/. Currently rSign adoption is lower than that of most other Polish QTSPs, with only 1000+ downloads in the Google Play store.
EuroCert Sp. z o.o.
In this case the QES brand name is the same as the QTSP business name, EuroCert https://eurocert.pl/
EuroCert sells 3 Qualified Certificates for 3 types of media: a) ECSigner cloud Qualified Certificates, b) smart card based certificates, c) Qualified Certificates for the national eID card.
Smart card certificates are on ATOS CardOs v5.3 (SIM card sized) and Gemalto IDPrime 930nc (full smart card). Prices start from 355 PLN for 1 year and go up to 564 PLN for a 3 year certificate.
Identification can be done at EuroCert partner points, and after 20 minutes the HSM device will be immediately usable. 1000 qualified timestamps per month are included for 18 PLN.
Interestingly VIP service is available where EuroCert validation guys will come to you.
The recommended software is SecureDoc 2.0, which works on Windows and on macOS except on the M1 processor.
Polish national ID card (E-dowód) certificates cost from 220 PLN for 1 year to 416 PLN for 3 years. These cards have been issued since 4th of March 2019. Identification is physical, at the partner point.
ECSigner certificates cost from 367 PLN for 1 year to 601 PLN for 3 years. The Play store shows 100+ downloads. However, in this case the app download number does not tell much, because ECSigner also has a desktop app and, most importantly, signature confirmation is possible with a password and SMS OTP without any apps whatsoever.
The ECSigner app has a virtual card service for PKCS#11, CSP and KSP, and integration is possible with the ECSigner API.
Examples of other QTSP-s that can be used in Poland
InfoCert from Italy
InfoCert is an Italian QTSP and one of the 3 QTSPs in the Autenti platform, together with SimplySign and mSzafir. The price of the 1 year InfoCert certificate in Autenti is 199 PLN + 149 PLN for video identification. It is possible to buy the same Qualified Certificate directly from the InfoCert page for 3 years at a price of 73 EUR (~342 PLN) including video identification.
No app is needed and signatures are created with username/password + SMS OTP.
EvroTrust from Bulgaria
The approach to pricing is different from most Polish QTSPs. Everyone can just go and install the application for free. If a business wants to collect signatures, it can cover all the costs for the users so that everything is free for the user. There is also an option to buy a subscription in the app and pay a monthly fee for the number of signatures needed.
Using eID Easy, each EvroTrust QES signature costs 1.5 EUR (~7 PLN) for low volumes and can go down for higher volumes.
D-trust from Germany
D-trust sign-me is a service provided by the German government's Bundesdruckerei, which is much like PWPW in Poland.
Public pricing for end users is 25 EUR for video identification and a multiyear Qualified Certificate with 5 qualified signatures. To top up, you can buy an additional 100 QES signatures for 117 EUR.
The full cost of the signatures can also be covered by the business requesting the signature; in this case the low volume pricing through eID Easy is 1.5 EUR per QES. Identification without the 5 QES signature combo package is also less than 15 EUR.
Smart-ID by SK ID Solutions from Estonia
While not currently officially available in Poland, it can be activated in Poland if an active business is found to use this service. Pricing here is very attractive compared to any other mobile app based solution available in Poland. There are no identification costs to anybody, and the single qualified signature price is 0.1 EUR (~0.47 PLN) in all 3 Baltic countries, as seen here: https://www.skidsolutions.eu/en/services/pricelist/smart-id/
List of resources