Electronic signature using SPID: Guidelines issued

Prepared by Andrea Lensi, Chiara Giannella and Antonio Venditti

1. The Guidelines

On March 23, 2020, the Agency for Digital Italy (hereinafter, “AgID” or the “Agency”) issued the Guidelines for the electronic signature of documents pursuant to art. 20, CAD (hereinafter, the “Guidelines”), which regulate a new type of electronic signature of digital documents through simple authentication to the so-called Public System for the Digital Identity Management of citizens and companies (hereinafter, “SPID”).

The Guidelines – issued at the end of the public consultation period and already released on the Agency’s website – will come into effect the day after their publication in the Italian Official Journal. From the effective date, they will allow users already in possession of SPID to “sign” an electronic document using only their SPID, with no other remote authentication tool (e.g. qualified electronic signature using smartcard, etc.). It is immediately clear that the so-called Signature using SPID represents a new technological solution with disruptive impacts in a Country that seems to have hopefully undertaken the path of full digitalisation of relations between private individuals and between the latter and Public Administrations.

Moreover, in the current social historical context, this tool could play a decisive role in facilitating compliance with the very recent health regulations on social distancing.

It is therefore an absolute novelty that, using the Agency’s own words, will facilitate “the process of complete digitisation of documents” and, in concrete terms, will allow all citizens to digitally sign a document with the value of a handwritten signature.

2. First legal impacts

The Guidelines contain specific provisions intended to satisfy the requirements of art. 20 of Legislative Decree no. 85/2005 (“CAD”), which aim to ensure not only the safety, integrity and inalterability of a document formed following its author’s computer identification, according to the processes established by the Agency pursuant to art. 71, CAD, but also its clear and unequivocal traceability to the author.

In other words, the document signed through SPID is suitable to fully meet the requirement of written form and bears “full proof, until a claim of falsehood, of the origin of the statements by the person who signed it” pursuant to Article 2702 of the Italian Civil Code.

Thanks to its legal value, the electronic signature process using SPID could also be of significant interest to the business world. In fact, although the new tool is not applicable to the so-called SPID digital identities by legal entity – i.e. those directly referable to a legal entity other than a natural person – nor is it equivalent to the electronic seals under Regulation (EU) 910/2014 (commonly known as eIDAS Regulation), the same Guidelines recognize its usability with reference to the so-called digital identities for professional use of the legal entity.

The latter, which are the subject of specific AgID guidelines, are those SPID digital identities “useful to prove the membership of a natural person to the organization of a legal person and/or its professional status”.

Consequently, as far as this is concerned, it is intuitive to assume that the SPID credentials at issue could soon be used to digitally sign a document in the name and on behalf of the organisation to which the natural persons belong by virtue of specific legal and/or statutory powers of attorney.

3. How “Sign through SPID” works

As anticipated, the new signing process with SPID will allow the citizen to sign the document – be it a contract, a declaration, a complaint, etc. – proposed by a SPID service provider (hereinafter, “SP”) without any physical support and/or paper document. You only need to authenticate yourself with your credentials through the SPID identity manager (hereinafter, “IdP”). As a first step, the process described in the Guidelines requires the SP to prepare an ad hoc button (a digital one, of course) called “Sign through SPID”, which allows the user to select the subscription mode at issue.

Afterwards, the SP prepares the digital document – on which a PAdES qualified electronic seal is placed – which is immediately made available to the user for a first verification. In this phase, moreover, the SP must implement a special opt-in mechanism to obtain the user’s explicit consent to the transmission to the IdP of both the user’s fiscal code (in Italian, the “codice fiscale”) and the document thus prepared.

At this point the second phase of the signing process begins: once it has received the so-called “subscription request”, the IdP proceeds to authenticate the user with level 2 or higher credentials, while checking that the fiscal code of the person who authenticates corresponds to the one previously received from the SP.

Once the identity of the subscriber has been verified, the IdP again informs the user of the purpose of the procedure (i.e. the digital subscription) and acquires a further consent to the signature on the digital document at issue.

Once it has obtained confirmation from the subscriber, the IdP finalizes the process: it makes the document signed with SPID – on which a second qualified electronic seal is placed – available to the user and simultaneously (re)sends it to the SP through an ad hoc communication path on which adequate security measures are implemented. Once the process has been completed, the IdP is required to delete the signed document from its systems unless, by virtue of additional agreements, the user has chosen to make use of further document storage services.
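
The IdP-side checks described above, in the order the article gives them, as an added example that is not taken from the Guidelines or from any SPID implementation. The class and field names, the seal placeholder, the case-insensitive fiscal code comparison and the sample data are all assumptions made for illustration.

```python
from dataclasses import dataclass, field

MIN_SPID_LEVEL = 2  # the article: "level 2 or higher credentials"
IDP_SEAL = b"\n[IdP seal placeholder]"  # stand-in marker, not a real PAdES seal


class SignatureRefused(Exception):
    """A step of the flow failed; the document is not sealed."""


@dataclass
class SubscriptionRequest:  # hypothetical shape of what the SP sends to the IdP
    fiscal_code: str        # sent only after the user's opt-in at the SP
    document: bytes         # already carries the SP's seal
    sp_consent: bool        # explicit opt-in collected by the SP


@dataclass
class IdP:
    stored: dict = field(default_factory=dict)  # used only under a storage agreement

    def sign(self, req, auth_fiscal_code, auth_level, confirms,
             storage_agreement=False):
        if not req.sp_consent:
            raise SignatureRefused("no opt-in at the SP")
        if auth_level < MIN_SPID_LEVEL:
            raise SignatureRefused("authentication below level 2")
        # Assumption: fiscal codes are compared case-insensitively.
        if auth_fiscal_code.upper() != req.fiscal_code.upper():
            raise SignatureRefused("fiscal code mismatch")
        if not confirms:
            raise SignatureRefused("user declined at the IdP")
        signed = req.document + IDP_SEAL
        if storage_agreement:  # otherwise the IdP keeps no copy
            self.stored[req.fiscal_code] = signed
        return signed  # delivered to the user and sent back to the SP


def outcome(idp, req, **auth):
    """Return 'signed' or the refusal reason for one attempt."""
    try:
        idp.sign(req, **auth)
        return "signed"
    except SignatureRefused as exc:
        return str(exc)


# Constructed sample data (not a real person's fiscal code).
SAMPLE = SubscriptionRequest("RSSMRA80A01H501U", b"%PDF-sealed-by-SP", True)
```

Every refusal happens before the seal placeholder is appended, so a failed check never yields a sealed document, and the IdP's store stays empty unless the storage agreement flag is set.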

That being said, it is both useful and interesting to note that the Guidelines seem to describe an extremely user-friendly process designed to be completed as soon as possible from the moment the user has decided to sign the document by means of his digital identity.

As a matter of fact, apart from the back-end technical aspects, for a user in possession of SPID it will be sufficient to start the process directly at the SP and, during the same session, authenticate himself at his IdP, thus confirming that he wants to sign the document straight away.

In practical terms, this results in an absolute simplification – revolutionary compared to what has been available so far – which allows the user to start and finish the signing process through SPID in a few simple clicks!

