Legal validity of the Advanced Electronic Signature (AES, or FEA in Italian): what Italian law says
The Advanced Electronic Signature (AES) is a particular type of electronic signature recognized by both Italian and European law. It is widely used for remotely signing policies and contracts, and it can have the same legal validity as a Qualified Electronic Signature (QES), making it equivalent to a handwritten signature.
However, according to Italian law, the validity of AES is limited to certain documents: it can be used to sign purchase contracts, reimbursements, and insurance policies, but not for signing documents intended for third parties, such as contracts with external suppliers or documents to be submitted to authorities and regulatory bodies.
The Advanced Electronic Signature (AES) is a type of electronic signature provided for under the EU eIDAS Regulation and governed in Italy by the DPCM of February 22, 2013. Unlike simple electronic signatures, which can consist of any association of data useful for authentication, the advanced electronic signature guarantees the unique identification of the signer and is therefore considered a stronger form of signature.
In legal terms, the advanced electronic signature ensures the following:
Signing with this type of signature can be done on a tablet that captures a handwritten signature, with an OTP code sent via SMS, or, only in Italy and in certain cases, with the Electronic Identity Card.
A common example of an advanced electronic signature is the handwritten signature on a tablet, often used in physical settings such as bank counters or for certain postal deliveries.
In this case, the identification of the signer is performed by a human operator, while the unique association of the signature to the document is done through the recording of data acquired from the device, including writing speed, rhythm, and pressure applied with the stylus.
In other contexts, signing with AES is done by entering an OTP code generated at the time of the signature and sent to the signer’s verified mobile number via SMS. Identification can occur in various ways, such as requiring a copy of the signer’s identification documents or through video recognition. In any case, the identification process must include the verification of the phone number used to receive the code.
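The OTP flow described above, as an added example (not part of the original article and not any provider's implementation): the code is bound to the hash of one document and to the verified number, expires, and can be used once. The validity window, attempt limit, function names and record fields are assumptions, not requirements taken from the DPCM.

```python
import hashlib
import hmac
import secrets

OTP_TTL = 300      # seconds; assumed validity window
MAX_ATTEMPTS = 3   # assumed retry limit before the session is locked

def _tag(key, otp, doc_hash, phone):
    # Keyed digest over OTP + document hash + phone: the server never stores
    # the OTP itself, and the OTP is meaningless for any other document.
    msg = f"{otp}|{doc_hash}|{phone}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def start_signing(document: bytes, verified_phone: str, now: float):
    """Issue an OTP for exactly this document and this verified number."""
    otp = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, 6 digits
    key = secrets.token_bytes(32)
    doc_hash = hashlib.sha256(document).hexdigest()
    session = {
        "doc_sha256": doc_hash, "phone": verified_phone, "issued_at": now,
        "key": key, "tag": _tag(key, otp, doc_hash, verified_phone),
        "attempts": 0, "used": False,
    }
    return session, otp   # the OTP goes to the SMS gateway only

def confirm_signing(session, document: bytes, otp_entered: str, now: float):
    """Return an evidence record if the OTP approves this document, else None."""
    if session["used"] or session["attempts"] >= MAX_ATTEMPTS:
        return None                               # replay or brute force
    if now - session["issued_at"] > OTP_TTL:
        return None                               # expired code
    session["attempts"] += 1
    doc_hash = hashlib.sha256(document).hexdigest()
    candidate = _tag(session["key"], otp_entered, doc_hash, session["phone"])
    if not hmac.compare_digest(candidate, session["tag"]):
        return None                               # wrong code or altered document
    session["used"] = True
    return {"doc_sha256": doc_hash, "phone": session["phone"], "confirmed_at": now}
```

The returned record is what a provider would keep as evidence linking the signer's verified number to the exact document content that was approved.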
According to Italian law, the AES has the same legal effects as a Qualified Electronic Signature (QES) only if it meets the requirements set out in Title V of the DPCM of February 22, 2013.
For example, providers offering AES solutions must "certify the user's identity through a valid identification document, inform them about the exact terms and conditions of the service," and "require the user to sign an acceptance declaration for the service terms before activating the service."
When it meets all the legal requirements, the advanced electronic signature has the same probative effect as a QES and can therefore be equated to a handwritten signature.
The main difference between digital signatures and advanced electronic signatures is that only in the former is the correspondence between the signing keys and the signer guaranteed by a Certification Authority recognized by AgID.
In a Qualified Electronic Signature, it is also required to use a secure signature device, such as a USB Token or a Hardware Security Module (HSM), which is a combination of hardware and software that generates secure signatures and can securely manage one or more cryptographic key pairs.
Despite its widespread use in signing contracts, the AES cannot be used for just any type of agreement between the parties. Article 60 of the aforementioned DPCM introduces an essential restriction: the advanced electronic signature can only be used in legal relationships between the signer and the entity providing the signature solution.
Documents signed with AES are, in essence, valid only in bilateral relationships and cannot be used with third parties or public bodies.
For example, in the banking sector, AES can be used to sign current account contracts, transfer orders, or loan applications, but it is not valid for documents intended for other banks or to be submitted to the Bank of Italy or other regulatory bodies.
In the insurance sector, AES is used to sign policies, claims reports, and contract amendments, but it is not valid for documents intended for other insurance companies or to be sent to IVASS or other authorities.
In the retail sector, AES can be used to sign sales contracts, warranty documents, returns, and refunds, but it is not valid for contracts with external suppliers or for documents to be submitted to third parties.
Therefore, while it has full legal validity in bilateral relationships, AES is not suitable for situations requiring the involvement of third parties. In these cases, the only secure solution remains the electronic signature based on a qualified certificate, namely the Qualified Electronic Signature or Digital Signature, both of which can also be requested and activated via API.
In particular, on Openapi you will find different signature solutions: with or without CNS, usable on PC or mobile and to be activated with or without video recognition.