Expert Guide
A complete walkthrough — Company Dsc
Reading this guide locally — Korukkupet businesses operate where around the Korukkupet Railway Yard catchment of Korukkupet.
What Company DSC means under Indian electronic-signature law
Section 21 Companies Act 2013 — authentication on behalf of the company
Section 21 of the Companies Act 2013 prescribes the manner in which a document or proceeding requiring authentication by a company shall be signed — by any key managerial personnel or an officer or employee of the company duly authorised by the Board in this behalf. The provision is the corporate-law counterpart of Section 5 IT Act and clarifies that a 'Company DSC' is, in legal substance, the DSC of an individual office-bearer authorised by the Board, not a juristic person's certificate. CCA Interoperability Guidelines 2015 reinforce this — Class 3 DSCs are issued only to natural persons, with the company's name embedded in the Organisation (O) field of the X.509 Subject when the DSC is for company use. The board authorisation typically takes the form of a Section 179 resolution mapping the office-bearer to specified filing categories.
Comparative — eIDAS, US ESIGN and DocuSign frameworks
The European Union eIDAS Regulation 910/2014 establishes three tiers of electronic signatures — simple, advanced, and qualified — with the qualified electronic signature (QES) holding the same legal effect as a handwritten signature across all Member States. The qualified trust service provider regime under eIDAS mirrors India's CCA-licensed Certifying Authority model. The US Electronic Signatures in Global and National Commerce Act 2000 (ESIGN Act) adopts a technology-neutral approach similar to Section 3A IT Act, treating any electronic record signed with intent as legally binding subject to the Uniform Electronic Transactions Act adopted by State legislatures. DocuSign and Adobe Sign operate within both frameworks. Indian Class 3 DSCs are PKI-based equivalents of eIDAS advanced electronic signatures with qualified-CA backing, and are accepted under WebTrust audit standards for cross-border transactions where mutual recognition between Indian CCA and foreign trust frameworks is established.
Statutory framework — IT Act 2000 and the 2008 Amendment
The Digital Signature Certificate regime in India is anchored in the Information Technology Act 2000, originally enacted to give legal recognition to electronic records and electronic signatures based on the Public Key Infrastructure model adopted by the UNCITRAL Model Law on Electronic Commerce 1996. Section 2(1)(p) defines digital signature as authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with Section 3, which prescribes asymmetric crypto-system and hash function as the technical standard. Section 35 governs the issuance of Digital Signature Certificates by Certifying Authorities licensed by the Controller of Certifying Authorities under Section 17. The IT Amendment Act 2008 introduced Section 3A which expanded the recognition to 'electronic signatures' — a technology-neutral category encompassing biometric authentication (including Aadhaar e-KYC and Aadhaar e-Sign), beyond the original asymmetric-key digital signature. The combined framework treats both digital signatures under Section 3 and electronic signatures under Section 3A as valid for authentication of electronic records, subject to the Second Schedule notification by the Central Government.
EVC versus DSC — when is DSC mandatory and when optional
Company filings — DSC mandatory across regulators
For companies and LLPs, DSC is mandatory and unconditional across the MCA-21, GSTN, ICEGATE, EPFO, ESIC, IT and TRACES portals. The mandatory rule flows from three concurrent statutory bases — Section 21 Companies Act 2013 (authentication on behalf of the company), Rule 26(1)(a) CGST Rules (DSC for corporate GST filings), Rule 12(3)(a) IT Rules read with Section 139D IT Act (DSC for ITR-6 companies). The mandatory rule is technology-neutral within the DSC category — Class 3 individual DSC of an authorised office-bearer suffices, with no preference among the CCA-licensed Certifying Authorities (eMudhra, Sify, CapriCorn, NSDL e-Gov, IDRBT, Verasys, Pantasign, e-Mudhra). The only flexibility is in DSC validity (one-year or two-year) and signature class (Class 3 individual versus HSM-based Document Signer Certificate for automated invoice signing).
Tax audit and statutory audit — DSC always mandatory
The tax audit under Section 44AB of the Income Tax Act 1961 and the statutory audit under Section 143 of the Companies Act 2013 are conducted by Chartered Accountants in practice — natural persons holding ICAI membership. The audit-report upload to the IT e-filing portal (Form 3CB / 3CD) and the audit-report attachment to AOC-4 on MCA-21 require the auditor's own Class 3 individual DSC carrying the ICAI membership number. There is no EVC alternative for audit certifications — even where the auditee is an individual taxpayer, the auditor's certification operates through the auditor's DSC. The ICAI peer-review framework treats the DSC as the embodiment of the auditor's professional responsibility under the Code of Ethics. Misuse or sharing of an auditor's DSC is a professional misconduct under Clause (1) of Part I of the First Schedule of the Chartered Accountants Act 1949.
Procurement and tender filings — Class 3 DSC mandatory
Government procurement portals — the Central Public Procurement Portal (CPPP), the Government e-Marketplace (GeM), the Indian Railways e-Procurement System (IREPS), the Defence Public Sector Undertaking portals, and the various State e-Procurement systems — uniformly require Class 3 individual DSCs of the bidder's Authorised Signatory for bid submission, bid signing and Letter of Acceptance acknowledgement. The CPPP under the General Financial Rules 2017 Rule 159 mandates Class 3 DSC with the CCA-licensed CA chain. GeM Rule on Authorised User mandates Class 3 DSC with specific OID extensions for the GeM workflow. For company bidders, the DSC is of the office-bearer designated by Section 179 board resolution as the Authorised Tender Signatory. EVC is not available for any procurement portal — the higher security assurance of DSC is treated as integral to the procurement integrity framework.
DSC issuance — process, documents and validity
CCA-licensed Certifying Authorities
The Controller of Certifying Authorities licensed under Section 17 of the IT Act 2000 currently administers a panel of seven CCA-licensed Certifying Authorities for DSC issuance — eMudhra, Sify Communications, CapriCorn Identity Services, NSDL e-Governance, IDRBT, Verasys (formerly Code Solutions) and Pantasign. Each CA operates under the CCA's CP/CPS (Certificate Policy / Certification Practice Statement) framework and the Interoperability Guidelines 2015. The CAs offer a uniform product set — Class 3 individual DSC with one-year or two-year validity, Document Signer Certificate (HSM-based) for automated workflows, and Encryption Certificate for confidentiality use cases. Pricing is broadly comparable — ₹1,500 to ₹3,000 for one-year Class 3 individual DSC and ₹2,500 to ₹5,000 for two-year Class 3 individual DSC, varying by CA and reseller channel. The applicant has free choice among CAs subject to the destination portal's compatibility matrix.
KYC documents and Aadhaar e-KYC
The DSC issuance process under CCA Guidelines requires the applicant to furnish PAN (mandatory), Aadhaar (preferred via Aadhaar offline e-KYC XML), passport-size photograph, address proof (Aadhaar, voter ID, passport, driving licence, utility bill not older than two months, or bank statement), e-mail (for verification OTP), and mobile (for verification OTP). For organisational DSCs (Class 3 with company in Organisation field), the additional documents are — Certificate of Incorporation / Registration of the organisation, PAN of the organisation, board resolution under Section 179 authorising the applicant as the signatory, GST registration certificate (where applicable), and Authorisation Letter on the organisation's letterhead. The KYC verification is conducted through video-KYC by the CA's verifier under CCA Notification on Video-KYC for DSC dated 7 August 2020, valid throughout India.
Crypto-token (USB) versus mobile-app DSC
DSCs in India have historically been issued on FIPS 140-2 Level 2 certified USB crypto-tokens — physical hardware devices with a tamper-resistant secure element holding the private key. The token is connected to the signing device via USB and the private key never leaves the token. Common token brands include ePass2003, Aladdin / SafeNet, Trust Key, mToken K3 and HYP2003. The token costs ₹400 to ₹900 separately and is a one-time purchase. With effect from 2021, several CAs have launched mobile-app DSCs that hold the private key in a software-based secure enclave on the applicant's mobile device, accessed through biometric authentication. The mobile-app DSC reduces hardware dependency but is currently accepted by a narrower set of portals; MCA-21 v3, GSTN and the IT portal accept both modes. The crypto-token mode remains the default for high-security procurement portals such as GeM and CPPP.
Comparative — eIDAS, US ESIGN and Indian DSC
Cross-border recognition and trust frameworks
Cross-border recognition of electronic signatures and DSCs remains a work in progress globally. The WebTrust for Certification Authorities audit framework (operated by AICPA and CPA Canada) provides one assurance pathway — CAs that hold WebTrust audits are accepted by major browser vendors and document-management platforms across jurisdictions. Indian CCA-licensed CAs that hold WebTrust audits (eMudhra, Sify and select others) accordingly enjoy de facto cross-border recognition for routine document signing. For formal regulatory acceptance, however, jurisdictional reciprocity arrangements are required — as between EU Member States under eIDAS, between Schengen states under historical arrangements, or under bilateral mutual recognition agreements. India has not yet entered formal MRAs with the EU or US for DSC recognition; cross-border filings to foreign regulators typically rely on the foreign regulator's own signature framework. Indian DSCs are usable for Indian-portal filings by foreign-resident directors, with the DSC issued in India to the foreign individual after apostilled / consularised KYC.
EU eIDAS Regulation 910/2014
The EU eIDAS Regulation 910/2014 (electronic Identification, Authentication and Trust Services) establishes a harmonised framework for electronic signatures across all EU Member States. Three signature tiers are recognised — simple electronic signature (any data in electronic form attached to other electronic data for authentication, including scanned signatures), advanced electronic signature (uniquely linked to the signatory, capable of identifying the signatory, created using means under the signatory's sole control, and linked to the data such that any change is detectable), and qualified electronic signature (an advanced signature created by a qualified signature creation device and based on a qualified certificate issued by a qualified trust service provider). The QES under Article 25(2) has the equivalent legal effect of a handwritten signature across all Member States. The QES framework is operationally similar to India's Class 3 individual DSC with CCA-licensed CA chain — both rely on PKI, both require strict identity verification, both produce non-repudiable signatures. Mutual recognition between Indian CCA and EU qualified trust providers is not yet formalised but is the subject of intermittent diplomatic exchange under the India-EU Trade and Technology Council.
US ESIGN Act 2000 and UETA
The US Electronic Signatures in Global and National Commerce Act 2000 (ESIGN Act, 15 USC 7001) adopts a technology-neutral approach to electronic signatures — any electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record qualifies as an electronic signature. The ESIGN Act preempts State law to the extent of inconsistency but does not preempt State adoptions of the Uniform Electronic Transactions Act 1999 (UETA), which most States have adopted. The combined framework treats electronic signatures as legally equivalent to handwritten signatures for the vast majority of transactions, with carve-outs for certain document categories (wills, trusts, family-law instruments, court orders). DocuSign, Adobe Sign and HelloSign operate within this framework. Indian Class 3 DSCs and US electronic signatures are not directly interchangeable — cross-border contracts typically use one party's preferred regime and rely on choice-of-law clauses for enforcement, with parallel paper signatures sometimes deployed for evidentiary belt-and-braces.
What Korukkupet clients usually ask next: On the ground in Korukkupet, for Korukkupet businesses balancing growth ambitions with tight statutory compliance.