Aadhaar eSign vs Class-3 DSC: a decision framework for Indian businesses

When a company first looks at eSignature tooling, the advice from their CA or accountant is usually "get a DSC." It is not wrong advice, but it is incomplete. Class-3 DSC tokens are necessary for a specific set of government portals and regulatory filings. For everything else — routine commercial contracts, HR documents, vendor agreements, client onboarding — Aadhaar eSign does the same legal job at a fraction of the friction.

The two systems are not competing replacements. They solve overlapping problems in different ways, and knowing which problem you are solving determines which tool you need.

What Aadhaar eSign actually is

Aadhaar eSign is a service offered by CCA-licensed eSign Service Providers (ESPs), where UIDAI acts as the authentication layer. The signer authenticates using their Aadhaar number plus a one-time password sent to their registered mobile — or, where the ESP supports it, biometric authentication. The ESP then generates a digital signature on the document using a short-lived certificate tied to the signer's Aadhaar identity.

The result is a digitally signed document with a certificate attached. The entire flow takes under 60 seconds for most signers. There is no hardware token. The signer does not need to install software. UIDAI's record of the authentication event becomes part of the audit trail.

The legal basis is Section 3A of the IT Act, 2000, read with the Second Schedule, which explicitly lists Aadhaar-based eSign as a permitted electronic signature method. The signing authority — the CCA-licensed ESP — is the reliable third party that Section 3A requires. The audit trail produced by the ESP records the Aadhaar OTP event, the document hash, and the timestamp: that is what you rely on in a dispute.

What Class-3 DSC actually is and what it costs in practice

A Class-3 DSC is a certificate issued by a CCA-licensed Certifying Authority after in-person or video verification. For company use, the certificate typically names both the individual and the organisation. It is stored on a FIPS-compliant USB token (commonly called a "dongle") that must be physically present to sign.

To sign a document with a Class-3 DSC, the token holder must have the device plugged in, have the correct driver software installed, and enter the token password at signing time. If the token is with the Finance Director in Bengaluru and the document needs to be signed by end of day in Mumbai, you have a practical problem.

Annual costs run ₹1,000–₹3,000 per certificate, plus ₹500–₹1,000 for the token hardware, plus the internal overhead of managing renewals and locked accounts across multiple signatories. The signing latency — from "document is ready" to "document is signed" — is measured in minutes to days in most organisations. That bottleneck is real and compounds at volume.

The advantage: Class-3 DSC signing operates entirely independently of UIDAI. If UIDAI is down, DSC signing is unaffected. For time-sensitive regulatory filings, that independence matters.

Where Class-3 DSC is genuinely required

This is the list that matters. These are portals where Aadhaar eSign will not be accepted as a substitute, as of mid-2026:

• MCA21 / ROC filings: Director KYC (DIR-3 KYC), MGT-7, AOC-4, and financial statement filings all require DSC. The company-specific certificate is mandatory for forms filed on behalf of a company.
• Income Tax e-filing for companies and LLPs: corporate returns filed by authorised signatories require DSC. Aadhaar OTP-based verification is a separate path available only to individual taxpayers.
• DGFT / IEC applications: the Directorate General of Foreign Trade portal requires DSC for import-export code applications and modifications.
• GST portal, specific entity types: partnership firms and companies must use DSC for GST registration and return filing. Proprietorships can use Aadhaar OTP in some scenarios; verify for your entity type.
• EPFO employer filings: the EPFO employer portal requires a digital signature for ECR filings and certain employer declarations.
• Stock exchange filings (SEBI): listed companies filing on BSE/NSE portals require DSC for authorised signatories.
• Government procurement portals (GeM, CPPP): central tender and procurement portals require Class-3 DSC from bidders.

If your organisation touches any of the above, the relevant signatories need Class-3 DSC tokens for those specific workflows. There is no workaround.

Where Aadhaar eSign is legally sufficient

For everything outside the list above, Aadhaar eSign is recognised under the IT Act and is adequate for most commercial purposes:

• Bilateral commercial contracts: NDAs, vendor agreements, service contracts, SaaS MSAs, and similar documents between parties where both are natural persons or authorised representatives.
• HR documents: offer letters, employment agreements, policy acknowledgements, and appraisal sign-offs. The signer is an individual; Aadhaar authentication is appropriate.
• Customer onboarding and consent: product terms acceptance, loan or insurance agreement signatures, and KYC-adjacent consent flows where the regulatory requirement does not override the general IT Act framework.
• Internal shareholder or board resolutions, where the company's Articles of Association and applicable rules permit electronic signing and do not specify DSC.
• Pre-agreements and term sheets in real estate: registration of conveyance deeds still requires physical attendance at the registrar's office, but preliminary documents, term sheets, and escrow instructions do not.

The legal basis in each case is Section 3A plus the audit trail produced by the ESP. Courts have consistently looked to the audit trail when evaluating the reliability of a signature: who authenticated, how, at what time, on what document. The token hardware is not the point. The provable authentication record is.

A routing framework for document types

Most organisations do not need to choose one method universally. They need a routing decision for each document type. This table maps the key dimensions:

A practical routing approach: classify each document type in your workflows as either "regulatory filing" or "commercial document." Regulatory filings on the portals listed above go to DSC. Everything else goes to Aadhaar eSign, with the exception of documents involving foreign signers.

The UIDAI downtime problem

UIDAI's systems have periodic maintenance windows, OTP delivery failures when mobile numbers are mismatched or Aadhaar links are outdated, and occasional outages. When the service is degraded, Aadhaar eSign stops working. This is a government infrastructure dependency — not a problem specific to any eSign provider.

For most documents, a 2–4 hour delay is acceptable. For loan disbursals, same-day offer letters, or investor agreements with closing deadlines, it is not. The question is whether you have thought about this before the deadline, not after.

Three approaches worth considering for time-critical document types:

1. Maintain DSC capability for the small set of documents where a same-day signature has real financial or legal consequence. The additional overhead is contained because the set is small.
2. Build your signing workflow to retry automatically. If the first Aadhaar eSign attempt fails, queue the document and notify the signer to retry in 2 hours. This covers most transient outages without requiring a DSC fallback.
3. Use a different authentication factor where your ESP supports it. Some ESPs offer biometric eSign as an alternative to OTP — biometric authentication is a separate UIDAI service and may have different uptime characteristics.

None of these is complicated to implement. The difficulty is that organisations only think about them after experiencing an outage on a bad day. Building the fallback in advance is worth the hour it takes.