Latest from the blog
Is a signed PDF legally binding? (What actually counts)
E-signature law7 min read
Request access

E-signature compliance in the UK: a practical guide

The Signet team··8 min read

Electronic signatures are legally valid in the UK for the vast majority of agreements, and have been for over two decades. The law doesn't usually dictate a specific technology — it asks whether the signer intended to sign and agreed to the terms. Compliance, in practice, is less about the signature mark itself and more about the process around it: proving identity, capturing intent and consent, keeping a tamper-evident record, and handling personal data properly. This guide walks through what that means day to day. This is general information, not legal advice.

The UK legal basis

Three pillars support electronic signatures under UK law:

  • The Electronic Communications Act 2000. Section 7 established that electronic signatures are admissible as evidence in legal proceedings. This is the foundational statute that put e-signatures on a firm legal footing.
  • Retained (UK) eIDAS. The EU's eIDAS Regulation was brought into UK law after Brexit as "UK eIDAS." It confirms that an electronic signature isn't to be denied legal effect simply because it's electronic, and it defines the tiers of signature discussed below.
  • The Law Commission position. In its 2019 report on the electronic execution of documents, the Law Commission confirmed that electronic signatures are capable of executing documents — including deeds — under English law, provided the usual signing formalities (such as witnessing, where required) are met. The government accepted this position, which removed much of the lingering uncertainty.

The practical upshot: for everyday business contracts — service agreements, statements of work, NDAs, engagement letters — an electronic signature is generally as binding as ink. A short list of documents still carries special formalities or paper requirements (some property, probate and statutory matters), so if you're dealing with those, take specific advice. For a broader overview of enforceability, see are electronic signatures legally binding.

The three eIDAS tiers

UK eIDAS defines three levels of electronic signature. Understanding them helps you match the tier to the risk of the agreement rather than over-engineering every document.

  • Simple electronic signature (SES). The broadest category — typing your name, clicking "I agree," or drawing a signature. It carries legal weight when supported by evidence of who signed and that they intended to. Suitable for the large majority of routine commercial agreements.
  • Advanced electronic signature (AES). Uniquely linked to the signer, capable of identifying them, created using means under their sole control, and linked to the data so any later change is detectable. Appropriate for higher-value or higher-risk agreements where you want stronger identity assurance.
  • Qualified electronic signature (QES). An advanced signature created by a qualified signature-creation device and backed by a qualified certificate from a trust service provider. It carries the highest evidential status. Usually reserved for specific regulated or cross-border scenarios that explicitly require it.

Most businesses don't need QES for standard contracts, and demanding it everywhere adds friction without adding proportionate value. The sensible approach is to ask: what's the risk if this signature is disputed, and how much identity assurance does that justify? A simple electronic signature backed by a strong audit trail is defensible for a great deal of ordinary business.

What a compliant signing process needs in practice

Because the law focuses on evidence rather than a specific mark, "compliance" really means being able to show a court or counterparty what happened. In practice, a defensible process captures the following.

Evidence of identity

You should be able to show a reasonable link between the signature and the person who made it — typically an email address, a link sent to that person, and a record of the device or session used. The level of assurance should scale with risk: a routine NDA needs less than a high-value financing agreement.

Evidence of intent and consent

The signer must clearly intend to sign and must consent to doing business electronically. In practice this means an unambiguous signing action (not a buried checkbox), clear presentation of the document being signed, and a record that the signer agreed to use electronic signatures. Clarity here is what defeats a later "I didn't realise I was signing" argument. Our guide on how to sign a contract online covers what a clear signing action should look like.

A tamper-evident audit trail

This is the backbone of e-signature compliance. A tamper-evident audit trail records who did what and when — opened, viewed, signed — and cryptographically binds that record to the document so any later alteration is detectable. If the document changes after signing, the seal breaks and it shows. This is what turns a signed PDF into evidence you can stand behind. We explain the mechanics in what is a tamper-evident audit trail.

A durable, retrievable record

Signatures are only useful if you can produce them later. A compliant process gives each completed agreement a certificate of completion and keeps the signed document, the audit trail, and the signer details together in a form you can retrieve years later. A publicly verifiable seal — where either party can independently confirm the document is genuine and unaltered — adds a further layer of confidence without either side having to trust the other's copy.

GDPR and UK data residency

Signing inevitably involves personal data: names, email addresses, IP addresses, timestamps. That brings the UK GDPR and Data Protection Act 2018 into play. A few practical considerations:

  • Lawful basis and minimisation. You'll usually rely on contract or legitimate interests as your lawful basis for processing signing data. Collect what you need to make the signature defensible and no more — resist hoovering up extra personal data "just in case."
  • Data residency. Where your signing data is stored matters. Keeping data within the UK and EU avoids the added complexity of international transfer safeguards and is often what regulated clients expect. If your provider stores documents outside those regions, understand the transfer mechanism they rely on.
  • Retention. Keep signing records for as long as the agreement could realistically be disputed or is required for regulatory reasons, then dispose of them. Indefinite retention "to be safe" is its own compliance risk.
  • Processor obligations. Your e-signature provider is a data processor. Check they offer a data processing agreement, are transparent about sub-processors, and — importantly — don't use your documents to train AI models. Confidential agreements have no business becoming training data.

Signet keeps document data within UK and EU data residency and never trains AI on your documents. You can read the specifics on our security page, and confirm any completed agreement independently via verify.

Record-keeping that holds up

Good record-keeping is where compliance either lands or falls apart. Aim to keep, for each agreement, the final signed document, the full audit trail, the certificate of completion, and the signer's details, all linked together and tamper-evident. Store them somewhere you'll still be able to reach in three, five or seven years — not a personal inbox or a folder that leaves when an employee does. The test is simple: if someone disputed this agreement two years from now, could you produce a clear, unaltered record of what was signed, by whom, and when? If yes, you're in good shape.

Bringing it together

UK e-signature compliance isn't about buying the most heavyweight signature tier for everything. It's about a signing process that proves identity, captures clear intent and consent, produces a tamper-evident audit trail, handles personal data lawfully with sensible data residency, and keeps retrievable records. Match the assurance level to the risk of the document, keep the evidence tidy, and the vast majority of your agreements will stand up if they're ever questioned. Our pricing page shows how Signet packages this into flat, predictable plans. This is general information, not legal advice — for anything high-stakes or unusual, consult a qualified solicitor.

Signet is in private beta, request early access and send your first sealed agreement free.

Be first to seal.

Signet is in private beta. Join the early-access list and we'll get you a seal of your own, polished, effortless to sign, provably real.

No card, no spam. We'll only email about your access.