Digital signatures are the legal backbone of paperless business in India. Yet many organisations still struggle with a fundamental question: which digital signature type do they need, and under which legal framework? Whether you are e-signing a contract, filing annual returns with the MCA, submitting GST invoices, or filing a petition in the Supreme Court, the law has a specific and mandatory answer. This guide demystifies India's digital signature landscape, from the foundational IT Act 2000 to the emerging Aadhaar eSign ecosystem and their practical implementation inside a Document Management System.
The IT Act 2000: India's Legal Foundation for Digital Signatures
The Information Technology Act, 2000 (IT Act) was India's landmark legislation recognising electronic documents and digital signatures as legally valid. Section 2(1)(p) defines a "digital signature" as an authentication of an electronic record using an asymmetric crypto system and hash function in the manner prescribed. Section 5 gives digital signatures the same legal validity as handwritten signatures for legally enforceable transactions.
The IT (Amendment) Act, 2008 broadened the scope by introducing the concept of "electronic signatures" — a wider category that encompasses digital signatures (PKI-based) as well as other methods prescribed by the Central Government. This distinction matters: Aadhaar eSign is an electronic signature, not a traditional digital signature, yet it holds legal validity under the amended Act.
Exclusions from IT Act — Know These!
Section 1(4) explicitly excludes negotiable instruments (cheques, bills of exchange), powers of attorney, trust deeds, wills, and contracts relating to immovable property from the IT Act's digital signature provisions. These documents still require wet ink signatures under the Negotiable Instruments Act and Registration Act.
Digital Signature Certificates (DSC): Class Hierarchy
Digital Signature Certificates (DSCs) in India are issued by Certifying Authorities (CAs) licensed by the Controller of Certifying Authorities (CCA) under MeitY. The DSC hierarchy operates across three classes:
| Class | Assurance Level | Verification Method | Primary Use Cases |
|---|---|---|---|
| Class 1 | Low | Self-attested online only | Email security, basic user authentication |
| Class 2 | Medium | Identity verified against database | Income Tax, ROC filing, MCA — now largely replaced by Class 3 |
| Class 3 | High | In-person or video verification | MCA21, GST, e-Tendering, court filings, banking transactions |
| Document Signer | High | Organisation-issued for automated signing | Bulk invoice signing, automated document workflows |
MCA issued a circular in January 2021 discontinuing Class 2 DSCs for company filings. As of 2026, Class 3 DSC is mandatory for virtually all regulatory filings. The validity period for a DSC is 1 or 2 years from the date of issuance, after which renewal is required.
Aadhaar eSign: India's Revolutionary E-Sign Framework
Aadhaar eSign, introduced under the IT (Amendment) Rules 2015 and operationalised by UIDAI in collaboration with CCA-licensed eSign Service Providers (ESPs), allows any Aadhaar holder to sign documents using OTP or biometric authentication — without owning a physical DSC token.
The beauty of Aadhaar eSign is its accessibility: any smartphone user with a valid Aadhaar can sign a document in under 60 seconds. The signature is backed by a dynamically generated X.509 certificate tied to the signer's Aadhaar, creating a legally valid electronic signature under the IT Act.
Aadhaar eSign vs Traditional DSC
Aadhaar eSign is ideal for high-volume, citizen-facing or employee-facing signing workflows (loan agreements, HR documents, consent forms). Traditional DSC (Class 3) remains mandatory for statutory filings with MCA, Income Tax, GST portals, and court e-filing systems. A mature DMS should support both natively.
Sector-Specific Digital Signature Requirements
Different regulatory bodies in India mandate specific digital signature types and procedures. Here is a summary of the key requirements:
- Ministry of Corporate Affairs (MCA21): All company forms (Annual Return, Financial Statements, Director appointments, charges) must be filed with a Class 3 DSC of the authorised signatory. Company Secretary forms require ICSI-specific DSC.
- Income Tax Department: ITR-6 and ITR-7 (companies, trusts) mandatorily require Class 3 DSC. Individuals filing ITR-1/ITR-4 may use Aadhaar OTP e-verification instead.
- GST Network (GSTN): GST registration and returns for companies and LLPs require Class 3 DSC. Proprietors may use Aadhaar OTP. E-invoicing requires Document Signer certificates for automated invoice signing at high volumes.
- eCourts / e-Filing: Advocates filing in High Courts via eCourt portals require Class 3 DSC. The Supreme Court's SCIS system mandates DSC for e-filing. eFiling in NCLT, NCLAT requires advocate DSC.
- SEBI / Listed Entities: SEBI LODR filings through BSE/NSE require Class 3 DSC of the Compliance Officer or MD/CEO. Insider trading disclosures and related-party transaction approvals require DSC-authenticated submissions.
- EPFO / ESIC: Employer ECR (Electronic Challan cum Return) filings require Class 3 DSC of the establishment's authorised representative.
DSC Validity, Revocation, and Renewal
A critical and often neglected aspect of DSC management is the lifecycle of the certificate itself. Key points:
- DSCs are issued with 1-year or 2-year validity. Documents signed before expiry retain their legal validity permanently — the signature timestamp is preserved.
- DSCs can be revoked for key compromise, loss of token, or change in subscriber information. Revocation is published in the CA's Certificate Revocation List (CRL) within 24 hours.
- Renewal should be initiated at least 30 days before expiry to avoid workflow disruption, particularly for automated batch signing workflows.
- Document Signer Certificates used for bulk/automated signing require Hardware Security Module (HSM) storage — software-only storage is not permitted by CCA guidelines.
How Sarthi DMS Integrates Digital Signature Workflows
Sarthi DMS provides a comprehensive, built-in digital signature module that handles the full spectrum of signing requirements across Indian regulatory frameworks:
The Sarthi DMS signing workflow supports sequential and parallel signing routes, escalation policies when signatories are absent, and automatic dispatch to subsequent approvers upon completion of each signing step. All signatures are embedded in the document in conformance with PAdES (PDF Advanced Electronic Signature) and CAdES standards, ensuring long-term verifiability even after DSC expiry.
For large organisations managing hundreds of signatory DSCs, Sarthi provides a centralized certificate lifecycle management dashboard — tracking expiry dates, utilisation, and revocation status across all registered tokens and HSMs. Automated alerts 60 and 30 days before expiry ensure that no signing workflow is unexpectedly disrupted.