I don’t know where you’re taking “click a link in an email” from, but that’s decidedly not how eIDAS works. The private keys must be hardware-protected and under the sole control of an identified signer, which usually means either a physical token or a 2FA-protected remote key in an HSM. In addition, a prior ID verification procedure like video ID or a face-to-face verification is required.
> Well. Eversign holds the key and promises to only use it when you authenticated by clicking the link in the email that was sent to you personally.
This method would most likely be eIDAS confidence level low. They (like many other providers) most likely offer multiple LoA variants but only advertise the lowest one online so you think you are "ok" with an easy to use variant, but when push comes to shove you need to upgrade to substantial or high, do the full validation scheme and get a QSCD to do your signatures with.
eIDAS' levels of assurance are about authentication when logging in.
For digital signatures, the levels are 'An electronic signature', like /s/, 'advanced electronic signature', and 'qualified electronic signature'.
The first "shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures."
Qualified signatures used to require that the private key was physically on some tamperproof chipcard (or similar), but eIDAS changed that. Now, you can rely on some vendor's implementation of cloud signing services that is certified to ensure(?) that "signature creation [data] [is] with a high level of confidence, use[d] under [your] sole control". Much like how many people don't manage the secret keys of their crypto wallets.
For remote QSCD the relevant spec is ETSI EN 419 241-2 PP. It has very few requirements (8.1.8) about authentication, only that it should be resistant to guessing your PIN/password, and it should only let in the legitimate user.
Note that you can get certified as a qualified trust provider by EY or KPMG.
Service providers must undergo audits to ensure that the security measures they take meet the eIDAS requirements. This includes strong protective measures against unauthorized access to private keys. The keys are usually unrecoverable when the end user has lost their credentials. It’s actually quite involved and costly to become such an accredited provider.
You completely miss the point. The crypto key held by the EIDAS provider is not the weak link. They are very securely attesting ONLY that the signatory controlled a given email address at the time of the signature. If I can get control of your email address then I can sign anything in your name with EIDAS. It's worthless, as the signatory can just claim that their email was hacked. You might as well just rely on emails, as we do in the UK.
Disclaimer: I'm not familiar with this service or EIDAS, so my comment might be entirely off the mark.
The decision to require users to use an emailed link to view and sign a message could stem from DLP requirements. Emails are plain-text and therefore any sensitive data leaked could be irreversibly exposed. By keeping the messages inside a system that requires authentication, there is less likelihood that someone besides the intended recipient will interact with the message. Such systems also support auditability and DLP scanning.