Legal basis

Electronic signature is regulated in our legal system by the application of Law 6/2020 of 11 November, regulating certain aspects of electronic trust services and Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 (eIDAS) on electronic identification and trust services in electronic transactions in the internal market and by which the Directive is repealed.

It should be noted that the recent Law 6/2020 has repealed Law 59/2003, of 19 December, on electronic signature, and with it those precepts incompatible with the eIDAS Regulation which is directly applicable, thus avoiding the existence of regulatory gaps that could give rise to situations of legal uncertainty in the provision of trustworthy electronic services.

Article 3 of the eIDAS Regulation provides for definitions which:

Qualified electronic signature is that made with a qualified certificate which is defined by the Regulation as:

Qualified electronic signature shares all the characteristics of the advanced electronic signature, being linked to the signatory in a unique and non-transferable way and linked to the document in such a way that it cannot be altered subsequently, but it differs in that it has to be created by an electronic certificate which validates the identification of the signatory unequivocally and which must be issued by a certifying authority, with the effect that it is a very safe and complete method.

Article 3 of the eIDAS Regulation covers definitions which:

The requirements for this type of signature under rule 26 of the rules of procedure would be:

• (a) be uniquely linked to the signatory;
• (b) permit the identification of the signatory;
• (c) has been created using electronic signature creation data which the signatory can use, with a high level of confidence, under his exclusive control;
• (d) be linked to the data signed by it in such a way that any subsequent modification of the data is detectable.

Advanced electronic signatures have a higher level of security, as they allow the signatory to be identified only with the electronic document, and the subsequent registration of signature and acceptance by it, in order to avoid any subsequent changes to the document.

Article 3 of the EIDAS Regulation states:

That is, simple electronic signature is one that allows the signatory to be digitally identified with his data, but it offers a low level of security.

When data are signed, the signatory indicates the acceptance of general conditions and particular conditions applicable to that electronic signature by including a signed field, within the signature, which specifies an explicit or implicit policy.

If the field corresponding to the electronic signature regulations is absent and no regulations are identified as applicable, then it can be assumed that the signature has been generated or verified without any regulatory restrictions, and consequently, that no specific legal or contractual meaning has been assigned to it. It would be a firm that does not explicitly specify any semantics or concrete meaning and, therefore, it will be necessary to derive the meaning of the firm from the context (and especially from the semantics of the signed document).

The purpose of a signature policy is to strengthen confidence in electronic transactions through a set of conditions for a given context, which may be a particular transaction, a legal regime or a role for the signatory party.

For example, the Signature Policy of the General State Administration (AGE) specifies the general conditions applicable to electronic signatures for validation, in the electronic relationship of the General Government of the State with citizens and between the bodies and entities of the AGE.

According to Article 24 of Royal Decree 1671/2009 partially implementing Law 11/2007 on Citizens' Electronic Access to Public Services, the policy of electronic signature and certificates in the field of the General Administration of the State and its public bodies is constituted by the guidelines and technical standards applicable to the use of certificates and electronic signature within its scope.

The signature policy has an important mission as it defines the rules and obligations of all the actors involved in the signing process in certain contexts (contractual, legal, legal,…).

Royal Decree 4/2010 regulating the National Interoperability Scheme provides that the policy of electronic signatures and certificates of the General Government of the State will serve as a general framework for interoperability for the authentication and mutual recognition of electronic signatures within its scope. It also provides that this policy may be used as a reference by other public administrations to define the policies of certificates and signatures to be recognised within their fields of competence.

Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of e-government, aims to establish the principles and requirements of an electronic government. security policy protection of information.

The decree, in its article 33, also relegates the Policy of Signature to the whole function of concretizing the processes of generation, validation and preservation of electronic signatures, as well as the characteristics and requirements required of electronic signature systems, certificates, time-stamping services, and other supporting elements of signatures.

Moreover, the RD in Annex II point 5.7.4 is very specific on the types of signature to be applied depending on the level of information to be protected.

• LOW

  Any means of electronic signature of those provided for in existing legislation may be used.

• MEDIUM level

  The means used in the electronic signature shall be proportionate to the rating of the information processed. In any case:

  Algorithms accredited by the National Crypto Centre shall be used.

  • Recognised certificates shall preferably be used.
  • Secure signature devices shall be used.

  It will be ensured that the verification and validation the electronic signature for the time required by the administrative activity which it supports, without prejudice to the possibility of extending this period in accordance with the provisions of the electronic signature and certificate policy applicable. To this end:

  • All information relevant for verification and validation shall be attached to the signature or referenced.
  • The signature and the information referred to in the previous paragraph shall be protected by means of a time-stamp.
  • The body which collects documents signed by the administrator shall verify and validate the signature received at the time of receipt, unambiguously annexing or referencing the information described under (a) and (b).
  • The electronic signature of documents by the Administration shall unambiguously append or refer the information described under (a) and (b).
• HIGH LEVEL

  The security measures for electronic signatures required at the Medium level shall apply, in addition to the following:

  • Recognised certificates shall be used.
  • Secure signature creation devices will be used.
  • Certified products (op.pl.5) shall preferably be used.

  The CCN-STIC-807 standard of the National Cryptologic Center sets out in point 5.7 which mechanisms and algorithms can be used to sign depending on the level of information.

• Law 6/2020 of 11 November, regulating certain aspects of trust electronic services
• European Regulation 910/2014 of 23 July on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC lays down the obligation to validate electronic certificates issued by any European Trust Service Provider.
• The implementing rules for the eIDAS Regulation, Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down the specifications relating to the formats of advanced electronic signatures and advanced stamps to be recognised by public sector bodies in accordance with Articles 27(5) and 37(5) of Regulation 910/2014, provide for the Member States to process the necessary electronic means of processing. To this end, it defines a number of advanced electronic signature formats to be technically accepted by Member States when advanced electronic signatures are required for an online administrative procedure.
• On the other hand, Royal Decree 4/2010 of 8 January, regulating the National Interoperability Scheme in the field of Electronic Administration, states in Article 22.4 that the aspects relating to electronic signatures in the preservation of the electronic document will be established in the Electronic Signatures and Certificates Policy, and through the use of long-term signature formats that preserve the long-term retention of signatures.
• The preservation of long-lived signatures over time is embodied in the Resolution of 19 July 2011, of the Secretariat of State for the Civil Service, approving the Technical Standard for the Interoperability of Electronic Signature Policy and Certificates of the Administration, in paragraph II.7 relating to Archiving and Custody, which establishes that in order to guarantee the reliability of an electronic signature over time will be added:
• The time stamp is an indispensable part of electronic signatures, especially in the case of long-lived signatures, which need to be validated long after their generation.
• Likewise, Royal Decree 3/2010 of 8 January, regulating the National Security Scheme in the field of Electronic Administration, in ANNEX II of Security Measures, in section 5.7.4 concerning electronic signature, specifies that for systems classified as medium level in the dimensions of integrity and authenticity, the verification and validation of the electronic signature will be guaranteed during the time required.