The Electronic Transactions Ordinance 2002 in Pakistan: Digital Signatures, Electronic Evidence, and Enforceability of E-Contracts

When Pakistan enacted the Electronic Transactions Ordinance 2002 (ETO 2002), the country had almost no legal framework for contracts concluded by email, invoices signed on a screen, or records kept only on a server. More than two decades later the ordinance remains the principal federal law on electronic documents and signatures. Businesses rely on it every day without knowing it, and disputes about the authenticity of a WhatsApp message or a scanned agreement are decided against the standards it set.

This article sets out what the ordinance actually does, how courts have treated it in practice, where the gaps are, and what practitioners should keep in mind when drafting, sending, or relying on an electronic document in 2026.

What the Ordinance covers

The ETO 2002 is a short statute of forty-four sections divided into nine chapters. It extends to the whole of Pakistan. Its stated object is to recognise and facilitate documents, records, information, communications and transactions in electronic form. It does not create a separate body of contract law. It sits alongside the Contract Act 1872 and the Qanun-e-Shahadat Order 1984 and tells courts how to treat an electronic equivalent of a paper document.

The central idea is functional equivalence. If a rule of law requires writing, the requirement is satisfied by information in electronic form that is accessible and usable for subsequent reference. If a rule requires a signature, it is satisfied by an electronic signature attached to the document for the purpose of authentication. If a rule requires a document to be retained, retention in electronic form is enough provided the information remains accessible and the format accurately reflects the original.

Electronic signatures and advanced electronic signatures

Section 7 of the ordinance recognises electronic signatures generally. Any mark, symbol or procedure attached to or logically associated with an electronic document and executed with the intention of authenticating it counts. Typing a name at the bottom of an email, clicking an "I Agree" button, or pasting a scanned image of a wet signature into a PDF all qualify on this broad definition.

The ordinance then creates a second, stronger category called the advanced electronic signature. To qualify, the signature must be uniquely linked to the signer, capable of identifying the signer, created using means under the sole control of the signer, and linked to the document in a way that any subsequent change is detectable. In practice this means a digital signature created with a key pair issued by a licensed Certification Service Provider under the Electronic Certification Accreditation Council (ECAC), which operates within the Ministry of Information Technology and Telecommunication.

The practical significance of the distinction is evidentiary. An advanced electronic signature is presumed valid and reliable under the ordinance. An ordinary electronic signature is not. Where a party wants to rely on an email or a clickwrap acceptance against a counterparty who denies signing, the burden of proving authenticity falls on the party asserting the signature. This matters in commercial disputes where the other side simply says, "That was not me."

Legal recognition of electronic documents

Sections 3 to 6 give legal force to documents in electronic form. An offer, acceptance, revocation, or counter-offer may be expressed by data messages. A contract is not invalid merely because it was formed using an electronic communication. Attribution rules in section 13 tell us when a message is treated as sent by the originator: when the originator sent it personally, when an authorised person acted on their behalf, or when an information system programmed to operate automatically on their behalf issued it.

Receipt is deemed to occur when the message enters a designated information system. If no system is designated, receipt occurs when the addressee retrieves the message. Place of dispatch is the place of business of the originator, and place of receipt is the place of business of the addressee, which has obvious importance for jurisdiction and conflict of laws questions in cross-border deals.

Exclusions: what cannot be done electronically

The ordinance does not apply to everything. The First Schedule lists documents where electronic form is not permitted. These include negotiable instruments under the Negotiable Instruments Act 1881, powers of attorney, trusts under the Trusts Act 1882, wills, and any contract for the sale or conveyance of immovable property or an interest in it. A sale deed for a plot in Islamabad cannot be executed by email, and a will drafted in Microsoft Word and saved to cloud storage is not a valid will.

Practitioners sometimes forget this schedule and accept scanned copies for transactions that require stamping and registration under the Stamp Act 1899 and the Registration Act 1908. A transfer of immovable property remains governed by those statutes, and the electronic copy has no substitute value.

Electronic evidence and the Qanun-e-Shahadat Order

The ordinance amended the Qanun-e-Shahadat Order 1984 to bring electronic documents within the definition of evidence. Articles 2(1)(e) and 78-A now expressly provide for the admissibility of electronic records. A printout or display of electronic information is admissible if the information was produced by a computer in the ordinary course of activities, the computer was operating properly, and the content is shown to be accurate.

Courts have accepted WhatsApp messages, emails, call detail records and CCTV footage on this basis. They have also rejected them where the chain of custody was weak, where the device could not be produced, or where the forensic origin was unclear. The Lahore High Court and the Islamabad High Court have both observed that the mere existence of a screenshot is not enough. The party relying on it must lay a foundation for authenticity, usually through a certificate under section 2A of the ordinance issued by the person in charge of the information system or by expert forensic evidence.

Certification Service Providers and the accreditation regime

Chapter VII sets up the ECAC to accredit Certification Service Providers, who issue the certificates used to bind a public key to an identified person. Accredited CSPs in Pakistan include National Institutional Facilitation Technologies (NIFT), which is widely used in banking and in filings with the Securities and Exchange Commission of Pakistan. Accreditation is voluntary, but only signatures certified by an accredited provider enjoy the statutory presumption of reliability.

In litigation, the value of an accredited digital signature is that the court does not need to ask whether the signer actually signed. The presumption runs in favour of the party relying on it, and the opposing side must rebut it. That is why companies dealing with regulated filings, cross-border contracts, and high-value commercial agreements increasingly use NIFT-issued certificates rather than scanning a wet signature.

Offences under the ordinance

Sections 36 to 38 created offences for violating the privacy of information, damaging or tampering with electronic systems, and issuing false certificates. Most of this territory has since been absorbed by the Prevention of Electronic Crimes Act 2016 (PECA), which deals with unauthorised access, data interference, and electronic fraud in much greater detail. The ETO offences remain on the statute book but are rarely invoked today. Practitioners investigating a cybercrime complaint usually proceed under PECA and register the FIR with the Cybercrime Wing of the Federal Investigation Agency.

Practical issues in 2026

Three problems come up repeatedly in our practice. First, parties often assume a clickwrap is enforceable without thinking about proof. When a customer denies having clicked "I Agree" on a website, the company must produce server logs, IP addresses and timestamps. A properly drafted audit trail and a retention policy that meets section 6 of the ordinance are the difference between winning and losing.

Second, email contracts frequently fail because one side did not clearly accept the terms. Section 13 attribution rules require the message to originate from the person or an authorised system. A junior employee confirming a price on a generic company address may or may not bind the company. Companies should make clear in their signature block and email policies who has authority to contract, and the other side should check.

Third, commercial leases and sale agreements for immovable property continue to be drafted and exchanged in PDF, signed electronically, and then never stamped or registered. The electronic version is worth nothing before the revenue authorities and cannot be produced to prove title. The ETO 2002 does not fix this. Parties must still execute the wet-signed stamped and registered instrument.

Reform and the future

The ordinance is showing its age. It predates smartphones, cloud computing, biometric authentication and blockchain. Pakistan has been consulting on a new Personal Data Protection Bill for years and on a standalone E-Commerce Act. Until those laws are passed, the ETO 2002 continues to do the heavy lifting. Practitioners should read it against the 2018 amendments to the Qanun-e-Shahadat Order, PECA 2016, and any sectoral regulation (such as the State Bank of Pakistan's rules on digital banking) that applies to their client's transaction.

Takeaways for businesses

Use an accredited Certification Service Provider for any high-value or regulated transaction. Keep audit logs with timestamps, IP addresses and server identifiers so authenticity can be proved later. Draft email and signature policies that identify who may bind the company. Never treat an electronically signed sale deed as a substitute for a stamped and registered instrument. And when preparing to rely on electronic evidence in litigation, prepare a section 2A certificate and consider engaging a forensic expert early, because the foundation is often contested on the first day of trial.