Are e-signatures legal, admissible, and enforceable in Italy?
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market (eIDAS)
- Legislative Decree No. 82/2005, the Digital Administration Code (DAC)
Types of electronic signatures:
eIDAS recognizes three types of electronic signature: (i) simple e-signature (SES), (ii) advanced e-signature (AES), and (iii) qualified e-signature (QES). SES can be any form of electronic message associated with a natural person (this can include typed signatures, e-mail blocks, etc.) AES is an electronic signature uniquely associated with an individual and linked to data, so that any subsequent change in the data is readily identifiable. QES is generated by a qualified electronic signature creation device (backed by a certificate issued by a qualified trust service provider) and has the same validity as a handwritten signature.
The DAC recognizes an additional type of e-signature: the Digital Signature (DS), which is a particular kind of qualified electronic signature based on a system of two cryptographic keys (a public one and a private one) which allows the signatory (by means of the private key) and the recipient (by means of the public key) to make evident and verify the provenance and integrity of an electronic document or a set of electronic documents.
The DAC (art. 21) states that a document signed by an electronic signature has the same effect as a simple written signature. However, DS, QES, and AES are required in the case of contracts that are required to be in written form in order to be valid and enforceable. More specifically:
- contracts listed in art. 1350, par. 1, No. from 1 to 12, of the Italian Civil Code (CC) must be signed using DS or QES only. Examples of said contracts include: (i) contracts to purchase or transfer property or other rights on immovable goods; (ii) contracts for the leases of property for a period exceeding nine years; (iii) certain deeds for the division of property or other property rights; (iv) certain contracts disposing of companies’ or associations’ assets;
- other writings that are required to be in written form in order to be valid and enforceable, provided by article 1350, No. 13 CC, have to be signed with AES, QES, DS (e.g., banking or insurance contracts, energy supply, etc.).
Please note that the Italian government with the Decree-Law no. 23 of 8 April 2020 simplified the process of entering into contracts for certain banking and financial services by introducing equivalence between consent given via e-mail (SES) to handwritten signatures (provided certain requirements are met, including attaching a copy of an ID document). However, these provisions are clearly marked as an emergency measure and will therefore remain in force only during the emergency period connected to the current pandemic.
In terms of evidentiary rules, a document signed with AES, QES, and DS has a full evidentiary effectiveness as per art. 2702 CC (art. 20, par. 1-bis, DAC). However, please note that DS has no longer value once the relevant certificate has expired. To avoid that, it is advisable to use an electronic timestamp before the expiration of the certificate used for the DS.
On the other hand, in case of litigation, the evidentiary weight of contracts executed via SES will be subject to the assessment of the judge. Therefore, the parties may decide to use electronic signatures having a higher degree of security and reliability even in the absence of any formal requirement provided by the law.
Are there certain documents that cannot be e-signed in Italy?
As a general rule, the use of e-signature is generally permissible.
Documents that require notarization can be e-signed by the parties. However, the notarization implies physically ascertaining the identity of the signatories, the lawfulness of the document, and the validity of the electronic certificate used to sign it.
As described in sec. 1 above, QES is a valid means to ensure the same effect as a simple written signature for the documents listed in art. 21 of the DAC. However, such effectiveness may be ensured also through DS and, in certain cases, AES, and SPID (see sec. 3 below).
Does local regulation govern the use of digital IDs and/or certificates for e-signatures in Italy?
An electronic identification system, called SPID (Sistema Pubblico di Identità Digitale), allowing access to public and private online services was introduced in Italy in 2014 (DPCM October 24, 2014).
SPID identity is issued by Identity Providers (IP), private entities accredited by a specific public body, the Agency for the Digital Italy (AgID), which provides digital identities and manages user authentication in line with the rules issued by the Agency. Only persons 18 and older can request SPID credentials, providing the IP with an e-mail address, mobile number, fiscal code, and an identity document (ID, passport or driving license). When the user requests access to a service, the Identity Provider shall verify the correctness of the login data entered by the user and provide the service provider with the user's information that is strictly necessary.
There are 3 security levels of SPID credentials: (i) Level of Assurance LoA2 of ISO/IEC DIS 29115; (ii) Level of Assurance LoA3 of ISO/IEC DIS 29115; and (iii) Level of Assurance LoA4 of ISO/IEC DIS 29115. Starting in November 2019, all identity providers have committed to provide SPID credentials (level 1 and 2) for free. The user may ask the SPID for credentials as a private citizen, for professional use, or as the legal representative of a legal person.
On 23 March 2020, the Agency for Digital Italy issued guidelines on signing documents through the SPID. Following the technical steps laid down by these guidelines, it will be possible to use the same credentials to sign electronically any document, including contracts, and such documents will be deemed to be signed in writing. Therefore, signature through SPID has the full evidentiary effectiveness provided for by art. 2702 CC, when used for private or professional use by natural persons. Legal persons (and their representative) cannot use SPID as an e-signature with full evidentiary effectiveness.
Moreover, every person may use his/her electronic Italian national ID (Carta d'Identità Elettronica or CIE) to prove his/her identity electronically with respect to both public and non-public entities (Law No. 125/2015).
Please note that both SPID and CIE may be used by Italian citizens to access to digital services of other EU Member States, due to the integration of the Italian eIDAS node (eID).
Certificates for e-signatures
There are provisions in Italian national law related to certificates for e-signatures.
The eIDAS Regulation, which is directly applicable in Italy, provides for the general legal framework for qualified trust services. Among other things, the eIDAS Regulation governs the application procedure for trust service providers to obtain the status of a qualified trust service provider (Art. 22) and the requirements applicable to the same (Art. 24).
According to the eIDAS Regulation, qualified electronic signatures can only be created using ”qualified certificates for electronic signatures” which again can only be issued by qualified trust service providers (Sec. 3 no. 12, 15, 17 eIDAS Regulation).
On the national level, the DAC governs responsibilities and details related to the implementation of the eIDAS. The service provider will request the supervisory body, the AgID, to obtain recognition as a qualified trust service provider, attaching a report of the conformity assessment made by the national conformity assessment bodies. Such conformity assessment bodies are accredited by ACCREDIA, the sole national accreditation body appointed by the Italian government.
Does local law provide certification bodies / trust services that users of e-signatures should be aware of in Italy?
According to DAC and Law No. 134/2012, AgID is the designated supervisory body as required by Art. 17 eIDAS Regulation.
In this capacity, AgID is responsible for, among other things, the supervision of qualified trust service providers, including the maintenance of the "trusted list" of qualified trust service providers (see Art. 22 eIDAS Regulation) and handling notification of the intention to obtain the status as a qualified trust service provider.
Further information can be found on AgID's website (https://www.agid.gov.it/ in Italian).
*DISCLAIMER: The information contained in this guide is for information purposes only, provided as is as of the date of publication and should not be relied upon as legal advice or to determine how the law applies to your business or organization. It is recommended that you seek guidance from your legal counsel with regard to law applying specifically to your business or organization and how to ensure compliance. OneSpan does not accept liability for the contents of these materials or for third parties materials.
Last updated: November 2020