Expert Guide
A complete walkthrough — Company Dsc
Reading this guide locally — Across Vanagaram, within Vanagaram's commercial junction along the Vanagaram-Ambattur Road.
What Company DSC means under Indian electronic-signature law
Section 21 Companies Act 2013 — authentication on behalf of the company
Section 21 of the Companies Act 2013 prescribes the manner in which a document or proceeding requiring authentication by a company shall be signed — by any key managerial personnel or an officer or employee of the company duly authorised by the Board in this behalf. The provision is the corporate-law counterpart of Section 5 IT Act and clarifies that a 'Company DSC' is, in legal substance, the DSC of an individual office-bearer authorised by the Board, not a juristic person's certificate. CCA Interoperability Guidelines 2015 reinforce this — Class 3 DSCs are issued only to natural persons, with the company's name embedded in the Organisation (O) field of the X.509 Subject when the DSC is for company use. The board authorisation typically takes the form of a Section 179 resolution mapping the office-bearer to specified filing categories.
Comparative — eIDAS, US ESIGN and DocuSign frameworks
The European Union eIDAS Regulation 910/2014 establishes three tiers of electronic signatures — simple, advanced, and qualified — with the qualified electronic signature (QES) holding the same legal effect as a handwritten signature across all Member States. The qualified trust service provider regime under eIDAS mirrors India's CCA-licensed Certifying Authority model. The US Electronic Signatures in Global and National Commerce Act 2000 (ESIGN Act) adopts a technology-neutral approach similar to Section 3A IT Act, treating any electronic record signed with intent as legally binding subject to the Uniform Electronic Transactions Act adopted by State legislatures. DocuSign and Adobe Sign operate within both frameworks. Indian Class 3 DSCs are PKI-based equivalents of eIDAS advanced electronic signatures with qualified-CA backing, and are accepted under WebTrust audit standards for cross-border transactions where mutual recognition between Indian CCA and foreign trust frameworks is established.
Statutory framework — IT Act 2000 and the 2008 Amendment
The Digital Signature Certificate regime in India is anchored in the Information Technology Act 2000, originally enacted to give legal recognition to electronic records and electronic signatures based on the Public Key Infrastructure model adopted by the UNCITRAL Model Law on Electronic Commerce 1996. Section 2(1)(p) defines digital signature as authentication of any electronic record by a subscriber by means of an electronic method or procedure in accordance with Section 3, which prescribes asymmetric crypto-system and hash function as the technical standard. Section 35 governs the issuance of Digital Signature Certificates by Certifying Authorities licensed by the Controller of Certifying Authorities under Section 17. The IT Amendment Act 2008 introduced Section 3A which expanded the recognition to 'electronic signatures' — a technology-neutral category encompassing biometric authentication (including Aadhaar e-KYC and Aadhaar e-Sign), beyond the original asymmetric-key digital signature. The combined framework treats both digital signatures under Section 3 and electronic signatures under Section 3A as valid for authentication of electronic records, subject to the Second Schedule notification by the Central Government.
DSC issuance — process, documents and validity
KYC documents and Aadhaar e-KYC
The DSC issuance process under CCA Guidelines requires the applicant to furnish PAN (mandatory), Aadhaar (preferred via Aadhaar offline e-KYC XML), passport-size photograph, address proof (Aadhaar, voter ID, passport, driving licence, utility bill not older than two months, or bank statement), e-mail (for verification OTP), and mobile (for verification OTP). For organisational DSCs (Class 3 with company in Organisation field), the additional documents are — Certificate of Incorporation / Registration of the organisation, PAN of the organisation, board resolution under Section 179 authorising the applicant as the signatory, GST registration certificate (where applicable), and Authorisation Letter on the organisation's letterhead. The KYC verification is conducted through video-KYC by the CA's verifier under CCA Notification on Video-KYC for DSC dated 7 August 2020, valid throughout India.
Crypto-token (USB) versus mobile-app DSC
DSCs in India have historically been issued on FIPS 140-2 Level 2 certified USB crypto-tokens — physical hardware devices with a tamper-resistant secure element holding the private key. The token is connected to the signing device via USB and the private key never leaves the token. Common token brands include ePass2003, Aladdin / SafeNet, Trust Key, mToken K3 and HYP2003. The token costs ₹400 to ₹900 separately and is a one-time purchase. With effect from 2021, several CAs have launched mobile-app DSCs that hold the private key in a software-based secure enclave on the applicant's mobile device, accessed through biometric authentication. The mobile-app DSC reduces hardware dependency but is currently accepted by a narrower set of portals; MCA-21 v3, GSTN and the IT portal accept both modes. The crypto-token mode remains the default for high-security procurement portals such as GeM and CPPP.
Renewal, revocation and lost-token replacement
DSCs are issued for a fixed validity period — one year or two years — and must be renewed before expiry to ensure continuity of filings. The renewal process is typically lighter than fresh issuance — existing KYC is preserved and only the certificate is re-issued against the same or a new token. Renewal applications are best initiated 45 days before expiry to allow for portal re-registration under Rule 8 of the MCA-21 Registration Rules and the equivalent re-registration on GSTN, IT and EPFO portals. DSC revocation under Section 38 of the IT Act 2000 read with Rule 31 of the IT (CCA) Rules 2000 is initiated by the subscriber on suspicion of compromise, or by the CA on detection of fraud, or by court order. Revoked DSCs are added to the Certificate Revocation List (CRL) maintained by the CA and consulted by relying portals in real time. Lost-token replacement requires a fresh KYC verification — the existing DSC must be revoked first and a new DSC issued, with the new token replacing the lost one.
Comparative — eIDAS, US ESIGN and Indian DSC
EU eIDAS Regulation 910/2014
The EU eIDAS Regulation 910/2014 (electronic Identification, Authentication and Trust Services) establishes a harmonised framework for electronic signatures across all EU Member States. Three signature tiers are recognised — simple electronic signature (any data in electronic form attached to other electronic data for authentication, including scanned signatures), advanced electronic signature (uniquely linked to the signatory, capable of identifying the signatory, created using means under the signatory's sole control, and linked to the data such that any change is detectable), and qualified electronic signature (an advanced signature created by a qualified signature creation device and based on a qualified certificate issued by a qualified trust service provider). The QES under Article 25(2) has the equivalent legal effect of a handwritten signature across all Member States. The QES framework is operationally similar to India's Class 3 individual DSC with CCA-licensed CA chain — both rely on PKI, both require strict identity verification, both produce non-repudiable signatures. Mutual recognition between Indian CCA and EU qualified trust providers is not yet formalised but is the subject of intermittent diplomatic exchange under the India-EU Trade and Technology Council.
US ESIGN Act 2000 and UETA
The US Electronic Signatures in Global and National Commerce Act 2000 (ESIGN Act, 15 USC 7001) adopts a technology-neutral approach to electronic signatures — any electronic sound, symbol, or process attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record qualifies as an electronic signature. The ESIGN Act preempts State law to the extent of inconsistency but does not preempt State adoptions of the Uniform Electronic Transactions Act 1999 (UETA), which most States have adopted. The combined framework treats electronic signatures as legally equivalent to handwritten signatures for the vast majority of transactions, with carve-outs for certain document categories (wills, trusts, family-law instruments, court orders). DocuSign, Adobe Sign and HelloSign operate within this framework. Indian Class 3 DSCs and US electronic signatures are not directly interchangeable — cross-border contracts typically use one party's preferred regime and rely on choice-of-law clauses for enforcement, with parallel paper signatures sometimes deployed for evidentiary belt-and-braces.
Singapore Electronic Transactions Act and the Asian frameworks
Singapore's Electronic Transactions Act 2010 (revised 2021) adopts a two-tier framework similar to eIDAS — electronic signatures with general legal recognition under Section 8, and secure electronic signatures under Section 17 with the same legal effect as a handwritten signature. The secure electronic signature must be uniquely linked to the signatory, capable of identifying them, created under their sole control, and linked to the record such that subsequent changes are detectable — language closely tracking the eIDAS advanced electronic signature definition. Singapore's National Authentication Framework operates through National Certification Authority (NCA) accredited certifying authorities. Other ASEAN jurisdictions — Malaysia (Digital Signature Act 1997), Indonesia (Electronic Information and Transactions Law 2008), the Philippines (E-Commerce Act 2000) — operate broadly similar PKI-based frameworks. India's IT Act 2000 was an early mover in the Asian context and continues to be one of the more rigorous PKI-based frameworks, with mandatory CCA licensing and audit of Certifying Authorities under Rule 33 of the IT (CCA) Rules 2000.
Director DSC versus Company-Authorised-Signatory DSC
Class 2 versus Class 3 — CCA's class-based hierarchy
The CCA Interoperability Guidelines historically prescribed three classes of DSCs — Class 1 (low-assurance, identity verified against e-mail database), Class 2 (medium-assurance, identity verified against trusted database such as PAN), and Class 3 (high-assurance, identity verified by physical presence or video-KYC). With effect from 1 January 2021, CCA discontinued Class 2 DSCs through the CCA Notification dated 27 November 2020, mandating Class 3 as the only category for new issuance for individuals and organisations. Class 2 DSCs issued prior to the cut-off continue to be valid until expiry. All MCA-21, GSTN, EPFO, ESIC, IT and ICEGATE filings now require Class 3 DSCs. Class 3 DSCs are issued for one-year or two-year validity periods, with the two-year validity attracting a marginally higher fee. The Class 3 issuance process includes video-KYC, mobile-OTP, e-mail verification, PAN database match, and Aadhaar offline e-KYC.
The juristic-person constraint under CCA Guidelines
The CCA Interoperability Guidelines for Digital Signature Certificates expressly stipulate that DSCs are issued only to natural persons — companies, LLPs, partnership firms and other juristic persons cannot be the Subject of an X.509 certificate. This is consistent with the IT Act's definition of 'subscriber' in Section 2(1)(zg) — a person in whose name the Digital Signature Certificate is issued. A 'Company DSC' is therefore a colloquial label for one of two configurations — a Director DSC (issued in the name of a director of the company, with the company's name in the Organisation field) or an Authorised Signatory DSC (issued in the name of a non-director office-bearer authorised by board resolution under Section 179, with the company's name in the Organisation field). The distinction matters because MCA-21 forms under Rule 8 of the Companies (Registration Offices and Fees) Rules 2014 require DSCs of directors (DIR-12, AOC-4, MGT-7) whereas GST and EPFO portals accept Authorised Signatory DSCs.
Section 152 read with Section 21 — director authentication
A Director DSC derives its authority from the director's position under Section 152 of the Companies Act 2013 and the deemed authentication mandate under Section 21. Where the company law or rules require a director's signature on a document — INC-22 (registered office change), DIR-12 (director appointment / cessation), MGT-14 (special resolution filing), AOC-4 (financial statements filing), MGT-7 (annual return filing) — the Director DSC is the prescribed mode. The CCA template for Director DSC populates the X.509 Subject with the director's name in Common Name (CN), the company in Organisation (O), the directorship designation in Title (T) where the CA supports it, and the director's PAN in serial number (SN). The DIN of the director is often included in the OU (Organisational Unit) field. MCA-21's signature-verification module reads these fields to validate that the DSC belongs to a director on record.
What Vanagaram clients usually ask next: Closer to Vanagaram, for Vanagaram businesses scaling up in a fast-densifying residential and logistics belt.