Law 59/2003 on electronic signatures

The basic legislation on electronic signatures is contained in Law 59/2003 of 19 December 2003 on Electronic Signatures.

(Art. 3.1) An electronic signature is the set of data in electronic form, attached to or associated with other data, which can be used as a means of identifying the signatory.

In addition, the Act distinguishes between two types of signature, ‘advanced electronic signature’ and ‘recognised electronic signature’:

(Art. 3.2) An advanced electronic signature is an electronic signature which enables the signatory to be identified and any subsequent change to the signed data to be detected, which is linked to the signatory in a unique way and to the data to which it relates, and which has been created by means which the signatory can maintain under his sole control.

(Art. 3.3) An advanced electronic signature based on a recognised certificate and generated by a secure signature creation device is considered a recognised electronic signature.

According to the law, a recognised electronic signature is the only one that can be considered equivalent to a handwritten signature:

(Art. 3.4) The recognised electronic signature shall have the same value as the handwritten signature in relation to the data recorded in electronic form.

But how, in practice, do we obtain a recognised electronic signature, and therefore one equivalent to a handwritten signature?

The Recognised Electronic Signature

A recognised electronic signature must comply with the following properties or requirements:

  • Identify the signatory
  • Guarantee the integrity of the signed document
  • Ensure non-repudiation of origin
  • Rely on the participation of a trusted third party
  • Be based on a recognised electronic certificate
  • Be generated with a secure signature creation device

The first 4 points are possible thanks to the use of the cryptographic keys in the certificate and the existence of a structure of Certification Authorities which provide confidence in the issuance of certificates. But according to Law 59/2003, these 4 points only give us an advanced signature.

For an electronic signature to be equivalent to a handwritten one, that is, for an electronic signature to be recognised, it must also:

  • Be based on a Recognised Certificate

    The certificate must have been recognised by the Ministry of Industry and Commerce as being able to create recognised signatures, and must be listed on its website as such.

    You can see all certificates recognised by MITyC at the address: List of trusted electronic service providers

    They are recognised because both the provider who issues them and the contents of the certificate comply with the requirements stated in Chapter II of Law 59/2003 on electronic signatures, on Recognised Certificates.

  • Be generated with a secure signature creation device

    The characteristics of a secure signature creation device are listed in Article 24 of Law 59/2003 on Electronic Signature.

    In particular, the secure device must ensure that the keys are unique and secret, that the private key cannot be derived from the public key and vice versa, that the signatory can reliably protect the keys, that the content of the document to be signed is not altered, and that the signatory can see what he is going to sign.

    From a technical point of view, according to Article 27 of Law 59/2003, a secure signature creation device must be certified as complying with the above characteristics in accordance with the technical standards published in Decision 2003/511/EC of 14 July 2003 of the European Commission.

    • The Electronic ID is considered a secure signature creation device and, therefore, the signatures generated with it are recognised and have the same validity as a handwritten signature.

    • Are signatures generated on a computer with a software certificate installed in the browser recognised? Since the computer is not a secure signature creation device, those signatures are only advanced signatures as defined by the law.

Signature Policy

When data are signed, the signatory indicates acceptance of the general and particular conditions applicable to that electronic signature by including, within the signature, a signed field which specifies an explicit or implicit policy.

If the field corresponding to the electronic signature policy is absent and no policy is identified as applicable, then it can be assumed that the signature has been generated or verified without any policy restrictions and, consequently, that no specific legal or contractual meaning has been assigned to it. It would be a signature that does not explicitly specify any semantics or concrete meaning and, therefore, the meaning of the signature will have to be derived from the context (and especially from the semantics of the signed document).

The aim of a signing policy is to strengthen the confidence in the electronic transactions through a set of conditions for a given context, which may be a given transaction, a legal regime or a role for the signatory party.
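The following Go program is an added illustration, not part of the original page, of why the policy field must be a signed field as described above: the policy identifier is covered by the Ed25519 signature, so it cannot be altered after signing, and an empty identifier models the absent-policy case. The Signature type, NewKeyPair, signedMessage, Sign and Verify are hypothetical names, and the URN-style policy identifier format is an assumption.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Signature models the relevant pieces of a policy-bearing signature: the
// signed policy field and the signature value. An empty PolicyID models the
// "policy field absent" case from the text, where the signature carries no
// specific semantics of its own and meaning must come from the document.
type Signature struct {
	PolicyID string // hypothetical policy identifier, e.g. a URN
	Value    []byte // Ed25519 signature over sha256(doc) || PolicyID
}

// signedMessage builds what is actually signed. The digest has a fixed length
// (32 bytes), so digest || policyID needs no separator to be unambiguous.
func signedMessage(doc []byte, policyID string) []byte {
	d := sha256.Sum256(doc)
	return append(d[:], policyID...)
}

// NewKeyPair is a helper so callers need no crypto imports of their own.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Sign commits to the document digest and the declared policy together, so
// the policy cannot be swapped afterwards without invalidating the signature.
func Sign(priv ed25519.PrivateKey, doc []byte, policyID string) Signature {
	return Signature{PolicyID: policyID, Value: ed25519.Sign(priv, signedMessage(doc, policyID))}
}

// Verify checks the signature over document and policy, returning the policy
// the signer committed to ("" when none was declared) or an error.
func Verify(pub ed25519.PublicKey, doc []byte, sig Signature) (string, error) {
	if !ed25519.Verify(pub, signedMessage(doc, sig.PolicyID), sig.Value) {
		return "", errors.New("document, policy field or signature altered")
	}
	return sig.PolicyID, nil
}
```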

For example, the Signature Policy of the General State Administration (AGE) specifies the general conditions applicable to electronic signatures for validation, in the electronic relationship of the General Government of the State with citizens and between the bodies and entities of the AGE.

According to article 24 of Royal Decree 1671/2009 partially implementing Law 11/2007 on Citizens' Electronic Access to Public Services, the policy of electronic signature and certificates in the field of the General Administration of the State and its public bodies is supported by the guidelines and technical standards applicable to the use of certificates and electronic signature within its scope.

National Interoperability Scheme (ENI)

The signature policy has an important mission, as it defines the rules and obligations of all the actors involved in the signing process in certain contexts (contractual, legal, ...).

Royal Decree 4/2010 regulating the National Interoperability Scheme provides that the policy of electronic signatures and certificates of the General Government of the State will serve as a general framework for interoperability for the authentication and mutual recognition of electronic signatures within its scope. It also provides that this policy may be used as a reference by other public administrations to define the policies of certificates and signatures to be recognised within their fields of competence.

National Security Scheme (NSS)

Royal Decree 3/2010 of 8 January, which regulates the National Security Scheme in the field of e-government, aims to establish the principles and requirements of a security policy for the protection of information in electronic government.

The decree, in its article 33, also assigns to the Signature Policy the function of specifying the processes of generation, validation and preservation of electronic signatures, as well as the characteristics and requirements demanded of electronic signature systems, certificates, time-stamping services and other elements supporting signatures.

Moreover, Annex II, point 5.7.4 of the Royal Decree is very specific about the types of signature to be applied depending on the level of the information to be protected.

  • LOW level

    Any means of electronic signature provided for in existing legislation may be used.

  • MEDIUM level

    The means used for the electronic signature shall be proportionate to the classification of the information processed. In any case:

    • Algorithms accredited by the National Cryptologic Centre shall be used.
    • Recognised certificates shall preferably be used.
    • Secure signature devices shall be used.

    It shall be guaranteed that the electronic signature can be verified and validated for the time required by the administrative activity it supports, without prejudice to the possibility of extending this period in accordance with the applicable electronic signature and certificate policy. To this end:

    a) All information relevant for verification and validation shall be attached to the signature or referenced.
    b) The signature and the information referred to in the previous paragraph shall be protected by means of a time-stamp.
    c) The body which receives documents signed by citizens shall verify and validate the signature received at the time of receipt, unambiguously annexing or referencing the information described under (a) and (b).
    d) The electronic signature of documents by the Administration shall unambiguously annex or reference the information described under (a) and (b).

  • HIGH level

    The security measures for electronic signatures required at the Medium level shall apply, in addition to the following:

    • Recognised certificates shall be used.
    • Secure signature creation devices shall be used.
    • Certified products (op.pl.5) shall preferably be used.

    The CCN-STIC-807 standard of the National Cryptologic Centre sets out, in point 5.7, which mechanisms and algorithms may be used for signing depending on the level of the information.

Additional Regulatory Notes

  • European Regulation 910/2014 of 23 July on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC lays down the obligation to validate electronic certificates issued by any European Trust Service Provider.
  • The implementing rules for the eIDAS Regulation, Commission Implementing Decision (EU) 2015/1506 of 8 September 2015, lay down the specifications relating to the formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014. To this end, it defines a number of advanced electronic signature formats to be technically accepted by Member States when advanced electronic signatures are required for an online administrative procedure.
  • Article 47 of Royal Decree 1671/2009, of 6 November, partially implementing Law 11/2007, of 22 June, on the electronic access of citizens to public services, establishes the need to incorporate a time reference into electronic administrative documents, one of the time reference modalities being the “Time stamp”, meaning the assignment by electronic means of a date and time to an electronic document with the accuracy certified by the service provider.
  • On the other hand, Royal Decree 4/2010 of 8 January, regulating the National Interoperability Scheme in the field of Electronic Administration, states in Article 22.4 that the aspects relating to electronic signatures in the preservation of the electronic document will be established in the Electronic Signatures and Certificates Policy, and through the use of long-term signature formats that ensure the long-term preservation of signatures.
  • The preservation of long-lived signatures over time is embodied in the Resolution of 19 July 2011, of the Secretariat of State for the Civil Service, approving the Technical Standard for the Interoperability of Electronic Signature Policy and Certificates of the Administration, in paragraph II.7 relating to Archiving and Custody, which establishes that in order to guarantee the reliability of an electronic signature over time will be added:
  • The time stamp is an indispensable part of electronic signatures, especially in the case of long-lived signatures, which need to be validated long after their generation.
  • Likewise, Royal Decree 3/2010 of 8 January, regulating the National Security Scheme in the field of Electronic Administration, in ANNEX II of Security Measures, in section 5.7.4 concerning electronic signature, specifies that for systems classified as medium level in the dimensions of integrity and authenticity, the verification and validation of the electronic signature will be guaranteed during the time required.