Electronic signature and identification mechanisms

When an electronic procedure is put into operation, the question repeatedly arises of which criterion should be followed to decide which identification and electronic signature mechanisms citizens may use to interact with a public administration, especially given the constant regulatory changes in this area.

In summary, the electronic identification and signature mechanisms that interested parties can use are the following (for more information, consult articles 9 and 10 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations):

  • a) Qualified electronic certificates of electronic signature issued by providers included in the "Trusted List of Certification Service Providers".
  • b) Qualified electronic certificates of electronic seal issued by providers included in the "Trusted List of Certification Service Providers".
  • c) Any other system that the public administrations consider valid, provided that a prior registration as a user allows the administration to guarantee the user's identity.

Mechanisms based on qualified certificates (points a and b above) "must be accepted", in compliance with Regulation No. 910/2014 of the European Parliament and of the Council, of July 23, on electronic identification and trust services (eIDAS) and with Law 39/2015 itself, of October 1, whereas the remaining systems (point c) "can be accepted", always taking into account the level of security they offer.

Application criteria

The National Security Scheme (Royal Decree 311/2022, of May 3, hereinafter ENS) provides that identification and electronic signature mechanisms can have three levels of security, together with the criteria to be followed to establish them in each case. It also establishes the criteria for determining which level a specific system or action requires.

Therefore, to define the level of security required by the systems of each Public Administration and, in particular, the type of credential that is admissible for identification and electronic signature in a specific action, what the ENS sets out must be taken into account, and a balance must be struck between security and usability (expanded in the next section).

In this sense, the services offered by the AOC Consortium allow citizens to identify themselves and sign documents both with qualified electronic certificates and with the one-time-password-based systems Cl@ve and idCAT Mòbil, so that each administration using these services can decide in which cases each mechanism is accepted.

In the area of the Generalitat de Catalunya, for example, this decision is defined by Order VPD/93/2022, of April 28, which approves the Catalogue of identification and electronic signature systems, and in particular by Order PRE/158/2022, of June 30, which approves the Guide for the use of identification and electronic signature systems in the area of the Administration of the Generalitat. This last Order establishes, in its second point, the general rule that all mechanisms in the catalogue are accepted for all procedures and services. The same guide establishes a procedure for making exceptions to this criterion and limiting the acceptance of any of the mechanisms on the basis of either:

  • Legal risk: for a specific procedure, an assessment that there is a risk that prevents guaranteeing the viability and legal certainty of the procedure, owing to possible fraud in the signing of the document or impersonation of interested persons, originating in the lack of robustness of the identification or electronic signature systems.
  • Cybersecurity or data protection risk: an assessment of the need for more restrictive specific measures, determined from the risk level or classification of the information, service or procedure, or from the processing of personal data that may derive from the procedure or service for which the identification or electronic signature system is to be used.

Security levels of identification and signature mechanisms

As mentioned, the ENS foresees three levels of security (low, medium and high) and the criteria that must be followed to establish them in each case, specifically in Annex I, point three.

The same ENS, in its Annex II, defines the criteria for assigning a security level to an identification and electronic signature mechanism.

Thus, the point relating to the operational framework (point 4.2.5, Authentication mechanism [control op.acc.5]) defines the requirements that electronic identification mechanisms used by citizens, understood as external users of the organization, must meet at each level of security. In summary, the following are accepted at each level:

  • LOW LEVEL: Any identification mechanism accepted by current legislation, such as a password, a user password plus a one-time password, a qualified certificate, or a certificate held on a physical device (e.g. a card).
  • MEDIUM LEVEL: Requires the use of, at a minimum, one-time passwords as a second authentication factor.
  • HIGH LEVEL: The requirements are the same as for the medium level.

Likewise, the levels applicable to electronic signature mechanisms are defined in point 5, Protection measures [mp], specifically point 5.7.3, Electronic signature [control mp.info.3], which in summary accept:

  • LOW LEVEL: Any electronic signature mechanism accepted by current legislation.
  • MEDIUM LEVEL: If an advanced electronic signature based on electronic certificates is used, the certificates must be qualified. Algorithms and parameters authorized by the National Cryptologic Centre, or by an applicable national or European scheme, must be used.
  • HIGH LEVEL: An advanced signature based on qualified certificates is required, with a second authentication factor used to activate the signer's private key.

What does the AOC Consortium offer?

The VALID service of the AOC Consortium allows Catalan public administrations to accept idCAT Mòbil, Cl@ve and qualified certificates in electronic identification processes, and offers an ordinary electronic signature mechanism linked to the credential presented. Administrations can therefore decide whether to accept all or only some of these mechanisms, and have different configurations available to do so according to each specific need.

In the case of the e-NOTUM service, which has a portal through which citizens receive electronic notifications, the type of credential to be accepted can be set for each specific notification.

Related Links

When should you use an identification system or a signature system? Use cases

https://suport-50ombres.aoc.cat/hc/ca/articles/4417825198993-Quan-cal-utilizar-un-sistema-d-identificaci%C3%B3-o-un-sistema-de-signatura-Casos-d-%C3%BAs-

The electronic signature of invoices

https://suport-efact.aoc.cat/hc/ca/articles/4414477358353-La-signatura-electr%C3%B2nica-de-les-factures

Legal context

Law 39/2015, on the Common Administrative Procedure of Public Administrations

Article 9 Identification systems of those interested in the procedure

Article 10 Signature systems accepted by public administrations

Regulation 910/2014 of the European Parliament and of the Council, of July 23, on electronic identification and trust services

Article 25 Legal effects of electronic signatures

Royal Decree 311/2022, of May 3, regulating the National Security Scheme

Annex I, Point three

Annex II, Point 4, 4.2.5 Authentication mechanism (external users) [op.acc.5]

Annex II, Point 5, Protection measures [mp], 5.7.3 Electronic signature [mp.info.3]

Related Solutions

VALID

IDCAT

e-NOTUM