Electronic signatures are regulated in our legal system by Law 6/2020 of 11 November, regulating certain aspects of electronic trust services, and by Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 (eIDAS) on electronic identification and trust services for electronic transactions in the internal market, by which the Directive is repealed.
It should be noted that the recent Law 6/2020 has repealed Law 59/2003, of 19 December, on electronic signature, and with it those precepts incompatible with the eIDAS Regulation, which is directly applicable, thus avoiding regulatory gaps that could give rise to legal uncertainty in the provision of electronic trust services.
Article 3 of the eIDAS Regulation provides the following definition:
12) ‘qualified electronic signature’ means an advanced electronic signature which is created by a qualified electronic signature creation device and which is based on a qualified electronic signature certificate;
A qualified electronic signature is one made with a qualified certificate, which the Regulation defines as:
an electronic signature certificate, issued by a qualified trust service provider and meeting the requirements set out in Annex I;
A qualified electronic signature shares all the characteristics of the advanced electronic signature: it is linked to the signatory in a unique and non-transferable way, and linked to the document in such a way that it cannot be altered subsequently. It differs in that it has to be created with an electronic certificate which validates the identification of the signatory unequivocally and which must be issued by a certifying authority, with the effect that it is a very safe and complete method.
Article 3 of the eIDAS Regulation also provides the following definition:
(11) ‘advanced electronic signature’ means an electronic signature meeting the requirements referred to in Article 26;
The requirements for this type of signature under Article 26 of the Regulation would be:
Advanced electronic signatures have a higher level of security, as they allow the signatory to be uniquely identified with the electronic document, and the signature and its acceptance to be recorded afterwards, in order to prevent any subsequent changes to the document.
Article 3 of the eIDAS Regulation states:
(10) ‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
That is, a simple electronic signature is one that allows the signatory to be digitally identified with his data, but it offers a low level of security.
When data are signed, the signatory indicates the acceptance of general conditions and particular conditions applicable to that electronic signature by including a signed field, within the signature, which specifies an explicit or implicit policy.
If the field corresponding to the electronic signature regulations is absent and no regulations are identified as applicable, then it can be assumed that the signature has been generated or verified without any regulatory restrictions and, consequently, that no specific legal or contractual meaning has been assigned to it. It would be a signature that does not explicitly specify any semantics or concrete meaning, and it will therefore be necessary to derive the meaning of the signature from the context (and especially from the semantics of the signed document).
The purpose of a signature policy is to strengthen confidence in electronic transactions through a set of conditions for a given context, which may be a particular transaction, a legal regime or a role for the signatory party.
For example, the Signature Policy of the General State Administration (AGE) specifies the general conditions applicable to electronic signatures for validation, in the electronic relationship of the General Government of the State with citizens and between the bodies and entities of the AGE.
According to Article 24 of Royal Decree 1671/2009 partially implementing Law 11/2007 on Citizens' Electronic Access to Public Services, the policy of electronic signature and certificates in the field of the General Administration of the State and its public bodies is constituted by the guidelines and technical standards applicable to the use of certificates and electronic signature within its scope.
The signature policy has an important mission, as it defines the rules and obligations of all the actors involved in the signing process in certain contexts (contractual, legal, …).
Royal Decree 4/2010 regulating the National Interoperability Scheme provides that the policy of electronic signatures and certificates of the General Government of the State will serve as a general framework for interoperability for the authentication and mutual recognition of electronic signatures within its scope. It also provides that this policy may be used as a reference by other public administrations to define the policies of certificates and signatures to be recognised within their fields of competence.
Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of e-government, aims to establish the principles and requirements of a security policy for the protection of information in electronic government.
The decree, in its article 33, also assigns to the Signature Policy the function of specifying the processes of generation, validation and preservation of electronic signatures, as well as the characteristics and requirements required of electronic signature systems, certificates, time-stamping services, and other supporting elements of signatures.
Moreover, the Royal Decree in Annex II point 5.7.4 is very specific on the types of signature to be applied depending on the level of information to be protected.
Any means of electronic signature of those provided for in existing legislation may be used.
The means used in the electronic signature shall be proportionate to the rating of the information processed. In any case:
Algorithms accredited by the National Cryptologic Center shall be used.
The verification and validation of the electronic signature shall be ensured for the time required by the administrative activity which it supports, without prejudice to the possibility of extending this period in accordance with the provisions of the applicable electronic signature and certificate policy. To this end:
The security measures for electronic signatures required at the Medium level shall apply, in addition to the following:
The CCN-STIC-807 standard of the National Cryptologic Center sets out in point 5.7 which mechanisms and algorithms can be used to sign depending on the level of information.