The basic legislation on qualified electronic signatures is Regulation (EU) No 910/2014, known as the eIDAS Regulation (electronic IDentification, Authentication and trust Services), which was approved in 2014 and entered into force on July 1, 2016.

Article 3: Definitions
For the purposes of this Regulation, the following definitions shall apply:
  • "electronic signature": data in electronic format attached to other electronic data or logically associated with it that is used by the signatory to sign;

  • "advanced electronic signature": an electronic signature that meets the requirements of Article 26;

  • "qualified electronic signature": an advanced electronic signature created by means of a qualified electronic signature creation device and based on a qualified certificate of electronic signature;

  • "electronic signature certificate": an electronic declaration linking the validation data of a signature with a natural person and confirming at least the name or pseudonym of that person;

  • "qualified certificate of electronic signature": an electronic signature certificate issued by a qualified trust service provider and which meets the requirements set out in Annex I;

  • "trust service provider": a natural or legal person who provides one or more trust services, either as a qualified or as a non-qualified provider;

  • "qualified trust service provider": a trust service provider who provides one or more qualified trust services and to whom a supervisory body has granted the qualification;

  • "electronic signature creation data": unique data that the signatory uses to create an electronic signature;

  • "electronic signature validation data": data used to validate an electronic signature;

  • "electronic signature creation device": a hardware and/or software configuration used to implement the electronic signature creation data;

  • "qualified electronic signature creation device": an electronic signature creation device that meets the requirements set out in Annex II;

  • "electronic signature validation service": a service that validates an electronic signature;

  • "electronic signature retention service": a service that retains electronic signatures.

Article 25: Legal effects of electronic signatures

  1. An electronic signature shall not be denied legal effects or admissibility as evidence in judicial proceedings merely because it is in electronic form or fails to meet the requirements of a qualified electronic signature.
  2. A qualified electronic signature has a legal effect equivalent to that of a handwritten signature.
  3. A qualified electronic signature based on a qualified certificate issued in one Member State will be recognised as a qualified electronic signature in all other Member States.

eIDAS 2.0 – Regulation (EU) 2024/1183

  • Approved by the European Parliament: 29 February 2024
  • Published in the Official Journal of the EU: April 11, 2024
  • Entered into force: May 20, 2024

This reform extends the scope of the original regulation (EU 910/2014) and introduces, among other innovations:

  1. European Digital Identity Portfolio (European Digital Identity Wallet or EUDI Wallet), which the Member States must offer voluntarily.
  2. New qualified services, such as electronic archiving, e-books and electronic attributes associated with identity.
  3. Strengthening of security controls and regular audits for qualified trust service providers.

The Advanced Electronic Signature

🔹 Article 26 - Requirements for advanced electronic signatures

An advanced signature (basis for the qualified one) must:

  1. Be uniquely linked to the signatory.
  2. Allow the signatory to be identified.
  3. Be created with data that is under the exclusive control of the signatory.
  4. Be linked to the signed data, so that any subsequent modification is detectable.

🔹 Article 27 – Qualified electronic signature creation devices

It states that a qualified signature must be generated with a qualified device (such as a cryptographic token or an HSM) that meets the requirements of Annex II.

🔹 Article 28 – Qualified electronic signature certificates

A qualified signature must be based on a qualified certificate that is issued by a qualified trust service provider and complies with the provisions of Annex I of the Regulation.

Signature Policy

When data is signed, the signatory indicates the acceptance of general conditions and particular conditions applicable to that electronic signature by including a signed field, within the signature, that specifies an explicit or implicit policy.

If the field corresponding to the electronic signature regulation is absent and no regulation is identified as applicable, then it can be assumed that the signature has been generated or verified without any regulatory restrictions, and consequently, that no specific legal or contractual meaning has been assigned to it. It would be a signature that does not expressly specify any semantics or specific meanings and, therefore, it will be necessary to derive the meaning of the signature from the context (and especially, from the semantics of the signed document).

The purpose of a signature policy is to reinforce the confidence in electronic transactions through a series of conditions for a given context, which can be a certain transaction, a legal regime or a role assumed by the signatory party.

For example, the Signature Policy of the General State Administration (AGE) specifies the general conditions applicable to the electronic signature for its validation, in the electronic relationship of the General Administration of the State with the citizens and between the organs and entities of the AGE.

According to article 24 of Royal Decree 1671/2009 partially implementing Law 11/2007 on Electronic Access of Citizens to Public Services, the policy of electronic signature and certificates in the field of the General Administration of the State and its public agencies is constituted by the guidelines and technical standards applicable to the use of certificates and electronic signature within its scope of application.

National Interoperability Scheme (ENI)

The signature policy plays an important role, since it defines the rules and obligations of all actors involved in the signing process in certain contexts (contractual, legal, …).

Royal Decree 4/2010 regulating the National Interoperability Scheme establishes that the electronic signature and certificate policy of the General State Administration will serve as a general interoperability framework for the authentication and mutual recognition of electronic signatures within its scope. It also establishes that this policy may be used as a reference by other Public Administrations to define the policies of certificates and signatures to be recognized within their areas of competence.

National Security Scheme (ENS)

Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration, aims to establish the principles and requirements of a security policy for the protection of information.

In its article 33, the decree also delegates to the Signature Policy the task of specifying the processes of generation, validation and conservation of electronic signatures, as well as the characteristics and requirements demanded of electronic signature systems, certificates, time stamping services, and other elements that support signatures.

In addition, Annex II, point 5.7.4, of the Royal Decree is very specific about the types of signatures to be applied depending on the level of the information to be protected.

  • LOW level

    Any means of electronic signature of those provided in the current legislation may be used.

  • MEDIUM Level

    The means used in the electronic signature will be proportionate to the classification of the information processed. In any case:

    Algorithms accredited by the National Cryptological Center will be used.

    • Preferably, recognised certificates will be used.
    • Secure signature devices will be used.

    Verification and validation of the electronic signature will be guaranteed during the time required by the administrative activity supported by it, without prejudice to the possibility of extending this period in accordance with the provisions of the applicable electronic signature and certificate policy. To that end:

    (a) All relevant information for verification and validation shall be attached to the signature or referenced.
    (b) The signature and the information mentioned in the previous item will be protected with a time stamp.
    (c) The body that collects documents signed by the administrator shall verify and validate the signature received at the time of receipt, unambiguously annexing or referencing the information described in subheadings (a) and (b).
    (d) The electronic signature of documents by the Administration shall unambiguously append or reference the information described in subheadings (a) and (b).
  • HIGH level

    The security measures relating to electronic signatures required at the Medium level will be applied, in addition to the following:

    • Recognized certificates will be used.
    • Secure signature creation devices will be used.
    • Preferably, certified products [op.pl.5] will be used.

    The standard CCN-STIC-807 of the National Cryptological Center establishes in point 5.7 which mechanisms and algorithms can be used to sign, depending on the level of the information.

Additional Policy Notes

  • European Regulation 910/2014, of 23 July, on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, establishes the obligation to validate electronic certificates issued by any European Trust Service Provider.
  • The implementing regulation of the eIDAS Regulation, Commission Implementing Decision (EU) 2015/1506 of 8 September 2015 laying down specifications for the formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies in accordance with Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market, provides that Member States should lay down the necessary technical means to enable them to process electronically signed documents which are required on behalf of a public sector body. To this end, it defines a series of advanced electronic signature formats that Member States must technically support when advanced electronic signatures are needed for an online administrative procedure.
  • Article 47 of Royal Decree 1671/2009, of 6 November, partially implementing Law 11/2007, of 22 June, on electronic access of citizens to public services, establishes the need to incorporate a time reference in electronic administrative documents. One of the time reference modalities is the “Time Stamp”, meaning the assignment by electronic means of a date and time to an electronic document with the intervention of a certification service provider that ensures the accuracy and integrity of the time stamp of the document.
  • On the other hand, Royal Decree 4/2010, of 8 January, which regulates the National Interoperability Scheme in the field of Electronic Administration, states in its article 22.4 that the aspects related to electronic signature in the preservation of the electronic document will be established in the Policy of electronic signature and certificates, and through the use of long-lived signature formats that ensure the preservation of signatures over time.
  • The preservation of long-lived signatures over time is specified in the Resolution of July 19, 2011, of the Secretariat of State for the Public Service, approving the Technical Standard for the Interoperability of Electronic Signature Policy and Government Certificates, in section II.7 on Archiving and custody, which establishes that, to guarantee the reliability of an electronic signature over time, the following may be used: long-lived signatures, through which information on the status of the associated certificate is added, incorporating a timestamp, as well as the certificates that make up the chain of trust.
  • The time stamp is an indispensable part of the electronic signature, especially in the case of long-lived signatures, which need to be validated long after their generation.
  • Likewise, Royal Decree 3/2010, of 8 January, which regulates the National Security Scheme in the field of Electronic Administration, in Annex II of Security Measures, in section 5.7.4 relating to electronic signature, specifies that for systems classified at medium level in the dimensions of integrity and authenticity, the verification and validation of the electronic signature will be guaranteed for the time required by the administrative activity that it supports. To that end, all the relevant information for verification and validation will be attached to the signature, or referenced, and the signature and that information will be protected with a time stamp.

Related technical standards

In addition to the eIDAS regulation, the ETSI set of standards develops technical and interoperability aspects. The most relevant for the qualified signature are:

  • ETSI EN 319 411-2: Requirements for qualified providers issuing qualified certificates.

  • ETSI EN 319 401: General requirements for trust service providers.

  • ETSI EN 319 421: Requirements for qualified electronic signature retention services.

  • ETSI EN 319 411-1: Requirements for certification service providers.