Study on Mutual Recognition of esignatures: update of Country Profiles Italian country profile

Transcription

1 Study on Mutual Recognition of esignatures: update of Country Profiles Italian country profile

2 This report / paper was prepared for the IDABC programme by: Coordinated by: Hans Graux (time.lex), Brigitte Jossin (Siemens), Guy Lambert (Siemens), Eric Meyvis (Siemens) Contract No. 1, Framework contract ENTR/05/58-SECURITY, Specific contract N 13 Disclaimer The views expressed in this document are purely those of the writer and may not, in any circumstances, be interpreted as stating an official position of the European Commission. The European Commission does not guarantee the accuracy of the information included in this study, nor does it accept any responsibility for any use thereof. Reference herein to any specific products, specifications, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favouring by the European Commission. All care has been taken by the author to ensure that s/he has obtained, where necessary, permission to use any parts of manuscripts including illustrations, maps, and graphs, on which intellectual property rights already exist from the titular holder(s) of such rights or from her/his or their legal representative. This paper can be downloaded from the IDABC website: European Communities, 2009 Reproduction is authorised, except for commercial purposes, provided the source is acknowledged. Page 2 of 28

3 Table of Contents 1 GENERAL INTRODUCTION E-GOVERNMENT STRUCTURE AND ROLE OF E-SIGNATURES MAIN E-SIGNATURE SOLUTIONS 6 2 LEGAL AND TECHNICAL FRAMEWORK FOR E-SIGNATURES E-SIGNATURES REGULATORY FRAMEWORK: OVERVIEW OF THE ITALIAN E-SIGNATURE E-GOVERNMENT AND E-SIGNATURE REGULATIONS CERTIFICATES CERTIFICATION AUTHORITIES E-SIGNATURES TECHNICAL/INFRASTRUCTURAL FRAMEWORK ELECTRONIC IDENTITY CARD (EIC) NATIONAL SERVICE CARD INA-SAIA SYSTEM CERTIFIED ELECTRONIC RESIDENCE PERMIT E-CARDS FOR EMPLOYEES OF PUBLIC AUTHORITIES: MINISTRY OF JUSTICE 17 3 E-GOVERNMENT APPLICATIONS USING ELECTRONIC SIGNATURES PUBLIC PROCUREMENT ACQUISTI IN RETE GENERAL DESCRIPTION APPLICATION QUESTIONNAIRE E-HEALTH GENERAL DESCRIPTION APPLICATION QUESTIONNAIRE E-JUSTICE E-CIVIL TRIAL GENERAL DESCRIPTION APPLICATION QUESTIONNAIRE 25 Page 3 of 28

4 1 General introduction 1.1 E-government structure and role of e-signatures The Italian Constitution recognises that both the State (i.e. the central authorities, national Parliament and Government) and the Regions have legislative power, i.e. the competence to enact laws in their respective fields. As to what specifically concerns ICT, however, it must be remarked that the State enjoys a full competence on the issue of the technical coordination of administrative data, even when those concern local administrations. This comes directly from Article 117(2)(r) of the Constitution. Therefore it is the State that defines the ICT standards to be used also at local level, on the basis of the EU legislation in force and taking into account the general technical state of the art. This means that the Regions, in those matters where they have autonomous competences, do hold a decisional power over the creation and implementation of software applications and platforms, but the latter must comply with the centrally decided standards. Furthermore, the State has exclusive competence in enacting laws in the field of civil, criminal and civil procedure law (Article 117(2)(l) of the Constitution). This means that, for instance, the legal value of electronic documents and the requirements for the electronic signature applied to them must be assessed by the State and not by the Regions. There are many examples of the division of competences between State and Regions, for instance in the field of health protection, where Regions enjoy various competences at local level, among which the monitoring of health expenses. In order to accomplish that purpose with automatic instruments, some Regions have created their specific ICT systems, as it is the case of Lombardy with Project CRS-SISS or Emilia-Romagna with Project SOLE. To the ends of this Study, we will take into account mainly national applications/systems. At the level of the State (i.e. the central Government), the State entity in charge to decide the applicable standards is currently the CNIPA ( Centro Nazionale per l Informatica nella Pubblica Amministrazione, the National Centre for ICT in the Public Administration, CNIPA operates at the Office of the Head of the Council of Ministers ( Presidenza del Consiglio ) with the aim of implementing the policies issued by the Minister for the Public Administration and Innovation) ( Ministro della Pubblica Amministrazione e Innovazione ). In particular, CNIPA coordinates its activities with the Department for Innovation and Technologies ( Dipartimento per l Innovazione e le Tecnologie ), which is a sub-structure of the office of the said Minister. It must be understood that what makes CNIPA a strategic office is not only its key position inside the Italian e-government structure but also its recognised strong technical competence in ICT. At present the tasks of CNIPA are the following: Consultancies to policymakers, public authorities and operators in the concerned sector; Drafting and enacting technical rules, such as guidelines and (more specifically) technical guidelines in the field of implementation of ICT technologies by public authorities; Evaluation of ICT activities of public authorities, regarding both the plans of development of ICT systems and specific actions for which the evaluation by CNIPA is compulsory but not binding; Planning and managing specific projects for the use of ICT systems both at national, regional and local level. It is important to highlight that CNIPA is a technical institution by the Office of the Prime Minister and its decrees and regulations are not, strictly speaking, sources of law but provide useful guidance and set technical requirements. At the level of regional Governments, many initiatives in the field of e-government can be reported: the most active Regions in the field are (this list is not intended to be exhaustive): Page 4 of 28

5 Lombardy: the Region created a company, Lombardia Informatica S.p.a. ( with the mission to create ICT infrastructures for the access of citizens to e-government applications and to manage the e-procurement services; Emilia Romagna: the Region created an entity, Intercent-ER ( aimed to manage the e-procurement services inside the Region; Veneto: the regional authorities are performing many projects in the field of e-government, for a list see Friuli Venezia Giulia: the region is particularly active in the field of e-government; for a list of projects and to have an overview of the activities performed by regional authorities please see rafvg/cms/rafvg/at1/arg12/. At local level, then, e-government initiatives are lead and coordinated by local authorities, mostly Municipalities, in cooperation with regional authorities. Typically, the user visits the website of the local authority and the system verifies the user s credentials through National Service Card ( Carta Nazionale dei Servizi, NSC) or National e-id (EIC Electronic Identity Card) or, until the end of 2009, by mean of other trusted authentication methods such as username/password, (see below) 1. As said before, the competence to harmonise the different approaches to e-government and to set national standards is of the State, with the strategic role of CNIPA. The first phase of implementation of e-government tools by Regions and local authorities took place between 2001 and 2003; the second phase, currently running, has the mission to extend existing e-government tools to all citizens and companies and to further develop new projects and new instruments. To make a clear summary of the current situation, we can say that: Every authority (at national, regional or local level) is independent when adopting ICT technologies and moving towards more updated modalities of working and communicating with citizens and enterprises, pursuant to Article 12 of the Code of the Digital Administration (see below) that states that the public authorities when organising their activities independently shall adopt ICT technologies ; The central Government, through CNIPA, has the task to promote the implementation and the use of networks as an instrument of communication between public authorities, citizens and enterprises and, basically, to avoid interoperability problems within the country. With this regard, interoperability problems should not arise given the role of guidance of CNIPA for the whole country and for all national, regional and local authorities. For what concerns international interoperability, it must be pointed out (see below for further considerations) that the Italian legislation, namely the Code of the digital administration, requires that the electronic document must be signed with a qualified electronic signature ( firma elettronica qualificata ) or a digital signature ( firma digitale ) and therefore the requisites may be higher than in other Member States. Provided that actually there is not yet full interoperability between the different electronic signature standards adopted in Europe, the Italian public authorities accept electronic documents coming from other Member States if the standards used there, mainly as regards the electronic signature, are the same as the Italian ones. At the same time, the Italian Government would support a European system of mutual recognition of electronic signatures coming from other Member States. From the technical point of view, the central Government thus enacted the Decree 13 January 2004 (available at concerning the technical rules for the creation, transmission, conservation, copying, reproduction and validation (including time validation) of the electronic documents. This Decree basically sets technical 1 For an example, see act regarding the city of Belluno and its surroundings. Page 5 of 28

6 rules regarding the creation, use and verification of electronic signatures and states that the provisions adopted at international level or enacted by the European Commission in this field must be respected. To be more precise, as regards the creation and verification of the electronic signature, the certification must be based on the algorithm RSA (Rivest-Shamir-Adleman) with key length of at least 1024 bit. Other sources, like the CNIPA Deliberation 17 February 2005, no. 4, and the CNIPA Deliberation 18 May 2006, no. 34, must be mentioned here and will be analysed below. Another important act to mention is the agreement (February 2006) between CNIPA and Adobe as regards the recognition of the PDF as valid format for the digital signature, together with the XML and PKCS7 (P7M) format (please refer to With this regard, however, it has to be said that PDF has become an ISO standard and thus would be recognised as valid format even without the agreement. Furthermore, the government recently approved new technical rules regarding the electronic signature, which have been published as Prime Ministry Decree of 30 March These rules will enter into force in December Until this time, the Prime Ministry Decree of 13 January 2004 will remain applicable. Finally, we can say that the emphasis of national and regional authorities is basically on allowing citizens and businesses to use electronic signatures when dealing with those authorities. Some notable examples do exist, like in the area of extracts from commercial registers. In fact they can be acquired through an offline or an online application and they will be delivered by the competent authority online, i.e. in the form of an electronic certificate. The extract will mention the following elements: (i) name of the Chamber of Commerce that delivered the extract; (ii) the kind of certificate (with this regard the Decree of the Ministry for Economic Development of 25 February 2005, see economico.pdf, mentions explicitly the certificate of inscription in the commercial register); (iii) the statement that the certificate is delivered only in electronic format; (iv) the data regarding the person/company that required the document; (v) the name and address of the recipient; (vi) the statement regarding the use of the certificate; (vii) the date of delivery. 1.2 Main e-signature solutions The Electronic Identity Card (EIC) and the National Services Card (NSC) are the main instruments provided by public administrations to citizens as a means of identification and document signature when in online governmental services. They are, therefore, essential tools for the development of higher value-added e-government services, which require certainty and security (e.g. for access to customised databases, transactions, etc.). To be more precise, the EIC and the NSC are the tools that grant access to the service provided online by public administrations and, furthermore, they are the instruments able to give legal effects to the documents sent by citizens and companies to public authorities. The EIC and the NSC may contain also a certificate for digital signature, provided that the certificate is issued by an accredited certificateservice-provider. With this regard the reader must be aware that the common instrument for the digital signature is a dedicated smartcard, used for instance in some of the applications described in the second part of the Study (questionnaire). Further comments about these issues will be developed below. Apart from the EIC and the NSC, other identification/e-signature solutions are the Electronic Residence Permit and other cards issued to selected groups of public employees. The EIC, as it will be pointed out below, is the identification document issued to citizens and that, as from 1 January 2006, substituted the paper-based traditional identity card. As regards electronic signature, the EIC contains a digital signature that allows the citizens to deal with the public authorities as regards, for instance, the sending of requests, communications, payments in favour of public institutions, etc. The EIC is issued by the Municipalities but the applicable technical and legal rules are set at central level, and it is fabricated by a unique public institution for the whole country. The reader must be aware that, given the fact that identity cards (both electronic and paper-based) are valid for 10 Page 6 of 28

7 years (Law 6 August 2008, no. 133, available at many citizens still have the old paper-based document. 2 Legal and technical framework for e-signatures 2.1 E-signatures regulatory framework: overview of the Italian e-signature Before assessing which e-signature tools are adopted in Italy, it is necessary to provide the reader with an overview of what e-signature means in Italy. The e-signatures, defined by the Italian legal framework (see below), are to a limited extent similar to those described by the European sources. Three different kinds of signature are provided for and specifically regulated by the Code: The electronic signature ( firma elettronica ): pursuant to Article 1(1)(q) of the Legislative Decree 7 March 2005, no. 82, Code of the Digital Administration ( Codice dell Amministrazione Digitale, available at hereinafter the Code ) as updated by the Legislative Decree 4 April 2006, no 159, it is the collection of data in electronic form, attached or linked through logical association to other electronic data, used as an instrument of authentication. It is clear that this definition corresponds to that of electronic signature according to the Directive (Article 1(1)); The qualified electronic signature ( firma elettronica qualificata ): pursuant to Article 1(1)(r) of the Code it is the electronic signature obtained through electronic proceedings that guarantee the unambiguous connection to the person who made the signature and its unambiguous electronic attestation, created with means on which the person who made the signature can keep exclusive control and linked to the relevant data so that it is possible to check whether the data have been modified, and based on a qualified certificate and implemented through a safe item for the creation of the signature, such as the electronic items used for the creation of the electronic signature. This definition corresponds to that of advanced electronic signature pursuant to Article 2(3) of the Directive, but the certificate must be qualified. Thus this signature corresponds to the advanced electronic signature based on a qualified certificate and created using a secure signature creation device, as defined by the Directive; The digital signature ( firma digitale ): pursuant to Article 1(1)(s) of the Code it is a particular kind of qualified electronic signature based on a system of cryptographic keys, one public and one secret, linked to each other, that allows the signatory (through the secret key) and the recipient (through the public key) to disclose and verify the provenience and integrity of an electronic document or of a group of electronic documents. It is important to highlight that the Code provides for a particularly stringent regime regarding the probatory value of the electronic document with an electronic signature. Article 21(1), in fact, states that the electronic document with an electronic signature (of the fist type) can be freely evaluated by the judge, taking into account its characteristics as regards quality and reliability of the document and of the signature. In other words, the judge is free to accept or deny the document as evidence in the proceedings 2. Please be aware (we repeat) that this freedom of the judge is limited to e-documents with an electronic signature different from the abovementioned qualified electronic signature and digital signature. As regards qualified electronic signatures and digital signatures, Article 21(2) of the Code states that they have the same value as written paper-based documents with a real signature. In other words, there is the presumption that the signatory signed the document unless there is a counter-evidence, the burden of which lies with the signatory himself. With this respect, Italian legislation is fully consistent with the requirements of Article 5(1) of the European E-signature Directive. Article 21(3) of 2 See CNIPA, Guida per la Firma Digitale, 2009, p. 9, available at Page 7 of 28

8 the Code specifies a further rule/requirement, i.e. that an electronic document with a digital signature or a qualified electronic signature based on a certificate that has been revoked or suspended, or that has expired, is deemed to be a document without signature. To summarise what said above, according to Italian law (the answers here are strictly based on the applicable legislation) the only effect of the electronic signature (not qualified) is that it can be freely evaluated by the judge, with no further consequences. In practice, electronic documents shall be signed with a qualified electronic signature or a digital signature to have the effects of legal certainty. As pointed out by CNIPA (see note no. 2), when an e-document equivalent to a paper-based signed document is necessary, the qualified electronic signature or a digital signature are required E-government and E-signature regulations The activities of CNIPA, of course, must be seen in the framework of the applicable legal sources (legislation, decrees, etc) about e-signature. It is appropriate to remember that Italy has showed a great effort in this matter, being the first European State to introduce a specific legislation on electronic signatures, predating the European Directive. Italy had taken little advantage of it, because at the entering into force of the said Directive the internal legislation had (at least theoretically) to be reshaped. For instance, the principle of a neutral approach to the signature had to be introduced, while in the original legislation a clear choice had been made in favour of the so called digital signature ( firma digitale ), a specific version of a pki-based publicly certified signature. Besides, at the beginning there was just one type of certificate and one typology of certification authority. In practice, however, there is still a clear preference for the digital signature, as showed by the positions expressed by CNIPA (see note no. 2, and see below). Coming now to consider the legislation in force, it has taken quite a twisted path, with repeated changes and corrections. Here we taken into account only the legal sources still in force (i.e. not those abolished by other laws), in chronological order (please see IT/Normativa/Raccolta_normativa_ICT/Firme_elettroniche_e_certificatori/): CNIPA Circolare (regulation) 15 February 2007, no. 52 (CNIPA s supervision rules); CNIPA Deliberation 18 May 2006, no. 34 (technical rules for the definition of the profile of encrypted envelope for digital signature in XML); CNIPA Circolare 6 September 2005, no. 48 (CNIPA s accreditation schema); The Code; CNIPA Deliberation 17 February 2005, no. 4 (rules for recognition and verification of the e- document); Decree of the Minister for Innovation and Technologies 2 July 2004 (the content of this Decree has been in practice transposed in the Code); Decree of the President of the Council of Ministers 13 January The legislation in force is therefore mainly the Code, complemented by technical rules enacted by CNIPA and other entities Certificates Following what we said above while introducing the Italian e-signature, there are two types of certificates: qualified and non-qualified. There are, on the other side, also three categories of certificate-service-providers: Accredited ( accreditati ) who issue qualified certificates; Supervised ( qualificati ) who issue qualified certificates; Page 8 of 28

9 Neither accredited nor notified, who issue non-qualified certificates. Requests or declarations electronically addressed to the public authorities, or addressed by public authorities to citizens (and enterprises) can be subscribed through the digital signature, pursuant to Article 65 of the Code (see below for further information) Certification Authorities The main difference between accredited and supervised certificate-service-providers is that the former ones agree to undergo a preliminary investigation to ascertain whether or not they meet all relevant legal requirements (Article 29 of the Code: for this reason they are declared to have the requisites of the highest level ). If they pass that verification they are enrolled into a public registry run by CNIPA and available online for consultation. Instead, supervised certificate-service-providers chose not to follow such procedure and start in fact operating right from the very moment they communicate so to CNIPA (Article 27 of the Code). Both types are of course subject to inspections by CNIPA at any time, pursuant to Article 31 of the Code. At present, the public registry of accredited certificate-service-providers lists as many as 17 active entities (for further information, please see IT/Attività/Firma_digitale/Certificatori_accreditati/Elenco_certificatori_di_firma_digitale/Certificatori_attiv i/ - retrieved 10/5/2009): 1. Actalis S.p.A. (since 28/03/2002); 2. Aruba Posta Elettronica Certificata S.p.A. (since 06/12/2007); 3. Banca d Italia (since 24/01/2008); 4. Banca Monte dei Paschi di Siena S.p.A. (since 03/08/2004); 5. Cedacri S.p.A. (since 15/11/); 6. CNDCEC (since 10/07/2008); 7. CNIPA (since 15/03/2001); 8. Comando C4 Difesa - Stato Maggiore della Difesa (since 21/09/2006); 9. Consiglio Nazionale del Notariato (since 12/09/2002); 10. Consiglio Nazionale Forense (since 11/12/2003); 11. I.T. Telecom S.r.l. (since 13/01/2005); 12. In.Te.S.A. S.p.A. (since 22/03/2001); 13. Infocert S.p.A. (since 19/07/2007); 14. Intesa Sanpaolo S.p.A. (since 08/04/2004); 15. Lombardia Integrata S.p.A. (since 17/08/2004); 16. Postecom S.p.A. (since 20/04/2000); 17. SOGEI S.p.A. (since 26/02/2004). Page 9 of 28

10 Any software application, complying with the technical requirements as in CNIPA Deliberation of 17 February 2005, no. 4, can be used to verify the signatures. A non-exhaustive list of available signature verification applications or service can be found at IT/Attivit%c3%a0/Firma_digitale/Certificatori_accreditati/Elenco_certificatori_di_firma_digitale/. Furthermore,, it should be noted that accredited certificate-service-providers must indicate a software for verification of the signature that must respect the requisites set forth by CNIPA (see the abovementioned Deliberation 4/2005). 2.2 E-signatures technical/infrastructural framework After having assessed the main characteristics of the e-signature system adopted in Italy, we provide the reader with a more-detailed description of the most important and remarkable solutions implemented or planned by national public authorities. It should be noted that the overview below is not an exhaustive list of secure signature creation devices in use in Italy. Each CSP which is accredited in the CNIPA s list can provide the user with an SSCD (Smartcard, Token USB, HSM) compliant with Annex III of the e-signatures Directive. All of those could be used, keeping into account any possible use limitations present in the holder s qualified certificate, in egovernment applications (C2A, B2A, or A2A) Electronic identity card (EIC) The EIC card (CIE in Italian, carta d identità elettronica ) is issued by Municipalities, also organised in associated form. The main legal source that regulates the EIC is the Code. All EICs for the whole country are prepared by the National Printing Institute ( Istituto Poligrafico e Zecca dello Stato, IPZS). The Institute prints the EICs that then are sent to the Municipalities (see below for further details) whose task is to activate the cards with the necessary content, pursuant to the guidelines issued at central level by the competent authorities. The EIC was firstly conceived in the second half of the nineties as a tool for simplifying relations between Government and citizens, seeking to achieve a number of objectives: - Greater security in identification for law enforcement purposes; - Use as an identification tool for online services; - Complete interoperability throughout the country. After many delays in the introduction and adoption of the EIC in the whole country, the Government finally took decisive actions to impose it, and as from 1 January 2006 the paper-based identity cards are substituted by the EIC. In other words, when a citizen requires a new identity card or the renewal of the document, only electronic cards are issued. In reality the abovementioned provision of the law of 31 March 2005, no. 43 (available at has not been fully respected in practice, and it has to be reported that paper-based identity cards have been issued to citizens also many months after 1 January Furthermore, according to the information provided by the Ministry of Internal Affairs, not all Municipalities are issuing EICs but only a certain number (138) of them, the so-called experimenting Municipalities. For the complete list of them, please see COM=ELENCOCIE (retrieved 10/5/2009). It is noteworthy that even several big cities, like Palermo or Cagliari, are not yet in the list. The technical rules regarding the EIC have been specified by the Decree of the Ministry of Internal Affairs together with the Ministry for Reforms and Innovations in the Public Administration 8 November 2007 (Technical rules for the EIC, available at documentazionericerca.do?metodo=dettagliodocumento&servizio=documentazione&id_document Page 10 of 28

11 O=1049&codiceFunzione=NO&ccodiceSettore=CI) and therefore we will refer to this source to the ends of this Study. First of all, it is important to highlight that the EIC allows the online authentication and identification of the user in order to have access to services provided by public authorities. With this regard reference has to be made to Article 63 (and following) of the Code that states the principle that central and local public administrations shall provide citizens and companies with online services. Two important issues must be highlighted: first of all, pursuant to Article 64(1) of the Code, the EIC and the national service card (see below) are the instruments to guarantee access to online services provided by public authorities when user authentication is required. The access to those services can happen also through other ways of user s identification and authentication on a local basis, but the access through EIC must always be guaranteed in the whole country by all public authorities that provide online services. Furthermore, pursuant to Article 65, all requests and declarations sent to public authorities are valid if: They are signed with a digital signature whose certificate has been issued by an accredited certification-service-provider; When the user is identified and authenticated through the use of the EIC or the national service card; When the user is identified and authenticated through other systems adopted at the local level. As regards the information stored in the EIC, it contains the following data: 1. Data that allow the identification of the holder; 2. The so-called Fiscal Code, i.e. the identification code of the holders to tax/social security purposes; 3. The address of the holder; 4. The place of residence; 5. The citizenship of the holder; 6. The picture of the holder; 7. The validity as travelling document outside Italy; 8. The signature of the holder. These data are printed on the card and are stored both in the chip and the laser band (see below). Article 66(4) of the Code lists other data than can be stored in the EIC, including the blood group and other biometrical data, provided the consent of the holder. Physically, the EIC is a hybrid card made of polycarbonate with two distinct technologies embedded: a microchip and a laser band (Article 8 of Decree 8 November 2007). Pursuant to Article 7 of the Decree the card respects the norms ISO/IEC , and ISO/ID-001. As regards the chip, it has at least 64Kbytes of EEPROM memory with algorithms RSA (at least 2048 bits). The personal information of the holder (including a photograph) is printed on the card and is stored in the laser band and in the microchip, with the use of cryptographic techniques. The reason for this dual technology approach is that while the laser band provides security, since the data cannot be modified when attempting to make counterfeits, the microchip makes possible online identification and enables transactions between citizens and providers. The microchip can also store digital signature certificates. With this regard Article 8 of the Decree clearly states that the microchip is intended for operations linked to online identification of the holder. Such card is therefore conceived as an e- government tool to be used by citizens in C2A, C2B and C2C relationships as a means of identification and data authentication. Note that the EIC can be also used to make electronic payments. On that account it must be remembered that under Article 5 of the Code central public administrations, with the exclusion of foreign-based offices, shall allow online payments, starting from 30 June Page 11 of 28

12 The role of local Municipalities is very important in the implementation and adoption of the EIC. As we said above, they are competent to issue EICs to citizens (passports, for instance, are issued by the local police offices, on behalf of the Ministry of Internal Affairs). Municipalities are fully independent in organising the local services (Article 2 of the Decree 8 November 2007 and Article 12 of the Code), provided the respect of the technical rules set at national level. As regards the modality of interconnection, Municipalities must use the online security services (and other technical online services) provided by the National Centre for Demographic Services ( Centro Nazionale dei Servizi Demografici, CNSD: see homesettore&servizio=navigazione&codicefunzione=pr&codicesettore=cn). At the same time Municipalities have the obligation to update the national database of registries ( Indice Nazionale delle Anagrafi, INA, see homesettore&servizio=navigazione&codicefunzione=pr&codicesettore=is). For what concerns privacy, provided the respect of all legal and technical rules set mainly by the Legislative Decree 30 June 2006, no. 196 (Privacy Law), the Ministry of Internal Affairs and the Municipalities are the ones in charge of the processing of citizens personal data. Therefore they act as data controllers in the processing of data. It is very important to highlight that services provided by public authorities can be divided in two groups (Article 5 of the Decree): Local services: these are organised and provided in full autonomy by local authorities if they do not require the registration of data in the EIC; if such registration is necessary, the Municipalities are in charge of that (and thus all other local authorities, i.e. the provinces, are excluded) and, if sensitive data are concerned, the consent of the holder is required; National services: they usually require the registration of holder s data in the EIC, and Municipalities are in charge of that according to the rules set forth at national level. With this regard, it is important to mention that it is not allowed for the Ministry of Internal Affairs to trace and/or register the data relating to the use of the EIC as regards access to the services provided by public authorities. The same applies to the services for which the authentication by the holder has been requested. In other words, all these data can be kept at local level, if necessary, with no involvement of central authorities, namely the abovementioned Ministry. At the same time, the Ministry of Internal Affairs is competent to issue all software and services to the Municipalities, including the service for the validation of EIC certificates based on the standard OCSP (RFC 2560) for the systems that provide the holders with services through the EIC. Having said that, the entities involved in the implementation and adoption of the EIC in Italy are: Municipalities: see above; Ministry of Internal Affairs (and its internal divisions: CNSD, INA, etc): see above; Technical-scientific permanent committee by the Ministry of Internal Affairs (Article 8-bis of the Decree): its purpose is to connect the other entities involved. Another pivotal function then relates to the definition and updates of the technical standards and of the guidelines regarding: (i) production of physical supports; (ii) characteristics of the laser band, of the microchip, of the file system and of the printing tools; (iv) the definition of the ways to use the EIC as instrument for the digital signature; Promoting and monitoring committee by the Ministry of Internal Affairs (Article 8-ter of the Decree): its main task is to evaluate the status of adoption of the EIC and the uses of the EIC as tool for the digital signature; Committee for the verification and the technical homologation of the microchips. As said above, all EICs are physically produced by the IPZS and then they are sent to the Municipalities. To be more precise, the cards are delivered to the local offices of the national Government (one office in every province) that then provides the Municipalities with the cards. To the Page 12 of 28

13 ends of hardware and software configurations, Municipalities must respect the configurations approved by the Ministry of Internal Affairs and the security software issued by the same Ministry. The security proceedings to create and issue the EIC are listed in Article 13 of the Decree. First of all, the municipality receives the data (including biometric data) of the citizen that requires an EIC. These data are then encrypted and sent to CNSD (the access to those data, in the database of CNSD, is allowed only to the municipality in charge of the proceedings and to the office of the police of the territory where the municipality is located). As soon as CNSD authorises to proceed, the municipality registers the data in the laser band and in the microchip and then prints the EIC (this process must be notified to CNSD). At the same time the municipality generates the PIN that shall be provided to the holder. Special rules apply if the municipality does not print by itself the EIC (see Article 13, no. 2, of the Decree). It is important to highlight that the citizen requiring the EIC must be physically present at the moment of verification of his identity by the municipality. Furthermore, EICs can be issued also by Italian consulates, for citizens registered in the database of Italians living abroad ( Anagrafe degli Italiani Residenti all Estero, AIRE). Some further comments about the technical characteristics of the EIC. Its references and adopted standards are the following: Scheme for the circuit of emission of the EIC, Rome 22 December 1999; Process of online authentication, Rome 22 December 1999; Working group EIC, AIPA/associations of suppliers; Project of CNSD, Rome December 2002, Ministry of Internal Affairs/University of Rome Tor Vergata; ISO/IEC :2001 for the format of digital certificates, extensions and policies; ISO/IEC :1998 for the function of hash SHA-1; ISO/IEC Annex A and Annex B for the laser band; ISO/IEC for the smart card; PKCS11 for interfacing the smart cards; Technical Annex to the Agreement 13 May 2003 between the Government and the producers of microchips; Restricted technical committee EIC, works about the microchip, 21 April 2006; ICAO, document 9303, part 3; Council of the European Union, A item note 15000/05, Hague Programme; EU Regulation 2252/2004. The organization infrastructure, from the technical point of view, involves the following entities: 1. Producers of microchips; 2. Producers of laser bands; 3. IPZS: it produces the document and distributes it in the whole country; 4. Ministry of Internal Affairs: it provides the central technological infrastructures and guarantees the security in the whole process; it provides the service of validation of the digital certificates for authentication; it provides services to citizens to block the IEC if necessary; 5. Municipalities: they prepare, personalise and print the final EIC; they deliver the EIC to the holder (the same applies to Italian consulates). Page 13 of 28

14 After having assessed the technical and organisational characteristics of the EIC, we have to provide the reader with a detailed analysis of the services that can be accessed to through the EIC. These services can be split in two categories: standard services and qualified services. The former do not need any installation in the EIC and can be accessed to by the holder through his PIN code and the use of the certificate of the EIC for strong authentication. These services are provided by national or local authorities in full autonomy. As regards qualified services, they require the installation of further information in the EIC. The installation of qualified services is done by (basically) the Municipalities, with the exception of the digital signature. Please be aware that for this particular service an accredited certificate-service-provider is required. More specifically, the Ministry of Internal Affairs directly generates qualified certificates for the digital signature of public officers. For what concerns all other citizens (i.e. not public officers), the Ministry of Internal Affairs enters into agreements with accredited certificate-service-providers and provides them with the necessary elements for the digital signature in the EIC. Interoperability among the certificate-service-providers is assured. For further information, please refer to the technical annex of the Decree of The Decree (together with the Code) set forth the framework in the field of EIC and digital signature. It is important to highlight that the EIC does not necessarily contain the certificate for the digital signature. In other words, the EIC may contain a certificate for the digital signature. This is clearly stated in paragraph 6 of Annex B of the Decree of 2007 and in the website of the Ministry of Internal Affairs dedicated to the EIC ( Settore&servizio=navigazione&codiceFunzione=PR&codiceSettore=CI, retrieved 10/5/2009) National Service Card Another very important instrument to analyse here is the National Service Card ( Carta Nazionale dei Servizi, hereinafter NSC). The development of the plan for e-government requires the availability of an extensive national online authentication. For this reason, the process of dissemination of the EIC is helped by the adoption of the NSC. The NSC has the objective of enabling the use of the services provided by the EIC even among users who do not have the EIC yet. The NSC is a chip card that has the same characteristics of the EIC (as regards structure of the microprocessor and software), but does not possess the properties and characteristics of physical security (optical bandwidth, security holograms, etc) typical of a document recognition "on demand". The NSC does not contain the photo of the owner and does not require special safety requirements for the plastic support. The complete correspondence between NSC and EIC will ensure interoperability between the two cards and the continuity of services after the complete adoption of the EIC. The main differences with the EIC are the following: the NSC lacks of the additional security elements of the EIC, such as the laser band, the holograms, etc; the NSC does not work as an ID document accepted on sight; the NSC does not bears a photo of the owner and is not subject to special security constraints as to its plastic material. In charge for the implementation and distribution of the NSC is CNIPA, that entered into an agreement with Actalis (together with other companies, i.e. Finsiel, Oberthur Card Systems Italia, SIA and Trust Italia) in 2004 in order to issue some 3 million NSCs in the whole country. To be more precise, CNIPA made a framework contract with the abovementioned company (the length of the agreement is six years and the total budget invested is around 50 million euro) that is open to all public authorities that are willing to use the NSC-system (under the supervision of CNIPA). The Minister for Innovation and Technologies pointed out, in 2005, that at that time more than 10 million NSCs had been already distributed (thus many more than originally planned): see Directive 18 November 2005, Guidelines for the Digital Public Administration, available at The NSC, that has been adopted also in the Region Lombardy under the name Regional Service Card ( Carta Regionale dei Servizi ), is the infrastructure necessary for the access, through the Internet and digital television technology, to online services (health services, transport, tickets) and to the Page 14 of 28

15 personalised management of information. The goal is to simplify the process of user s identification and authentication, with fewer costs for citizens and public authorities. There is a website dedicated to the NSC ( AspxAutoDetectCookieSupport=1) where citizens can find useful information about the device. So far many public authorities, both at national and local level, entered into the framework agreement initiated by CNIPA and issue the card (the list is available at the following URL: The number of services accessible through the NSC are, in reality, quite a few (and apparently many public authorities entered into the above agreement but do not provide holders with online services): the list is available at Italia/livello2/cnsServizi&id= The most important sources regarding the NSC are the Decree of the President of the Republic 2 March 2004, no. 117 (available at Presidente%20della%20Repubblica%202%20marzo%202004%20n%20117_c.pdf) and the Decree 9 December 2004 of the Ministry of Internal Affairs, the Minister for Innovation and Technologies and the Ministry of Finance (available at The former states clearly that the NSC is issued before the EIC is fully implemented. The most important pillars then are the following: All public authorities that provide online services must allow the holders of the NSC access to those services; The holders of the EIC are not allowed to obtain the NSC; CNIPA must define the initiatives aimed to improve the system of online services offered by public authorities and must make quality controls about the proceedings and the data used to issue the NSC. The latter Decree specifies the technical rules and requirements of the NSC. Two principles do apply: the NSC is a tool of online authentication; the NSC must be in the conditions to host the service of digital signature. The NSC then is a card with the dimensions of 53,98 x 85,6 mm (according to the norm ISO/IEC 7810: 1995). The NSC shall be fully interoperable with the EIC. As said above, the NSC is not issued by one specific public authority (like the municipality in case of EIC) but, on a case-bycase basis, by the authority that signed the agreement initiated by CNIPA (see supra). To the ends of this Study we pay particular attention to the issue of e-signature linked to the NSC. Pursuant to the Decree 9 December 2004, only accredited certificate-service-providers can issue certificates of authentication of the NSC (and, of course, they have to respect the rules regarding the management and creation of qualified certificates). The NSC must be ready to host the service of digital signature, but this possibility can be implemented in two ways: (i) the entity that issues the NSC chooses a specific certificate-service-provider (closed system model); (ii) the holder of the NSC can choose any (accredited or supervised) certificate-service-provider. In this case the public authority that issues the NSC provides the holder with a PIN code. The holder then can require the activation of the digital signature on the card to any supervised or accredited certificate-service-provider, showing his identity card and using his PIN code. The authority that issues the NSC can act as registration authority (sort of middle-entity between the holder and the certificate-service-provider). Finally, two extra (not compulsory) features of the NSC are the possibility to make online payments in B2A scenarios and be integrated with the functions of the health card. The adoption of NSCs and EICs in Italy can be considered quite a success for the public authorities involved. According to CNIPA, in fact, currently there are some 17 million NSCs and 1.5 million EICs already distributed in the country (information provided at the moment of the validation of this Report). Page 15 of 28

16 2.2.3 INA-SAIA system In order to fully understand one of the most relevant features of the EIC and NSC as instruments of e- government for the citizen, some explanations must be supplied on the account of the INA-SAIA system, which is indeed accessible using these cards. With the founding of CNSD in April 2002, the Ministry of Internal Affairs centralised the management of IT infrastructures and activity concerning: 1. The EIC; 2. INA; 3. The Personal-Data Access and Exchange System ( Sistema di Accesso e Interscambio Anagrafico - SAIA); 4. The upkeep of AIRE; 5. The automated monitoring of Registry Office records and marital status. SAIA, set up at the Ministry of Internal Affairs, is based on INA. Under Law 31 May 2005, no. 88 (available at INA is designed to monitor registry office records; as said above, Municipalities are required to update it constantly with the personal data at their disposal. By managing the so-called INA-SAIA applications backbone, the CNSD is also able to manage personal-data exchanges among Municipalities and other local authorities. In this way, all Municipalities will be able to issue EICs to their residents. For further information, please refer to ne&codicefunzione=pr&codicesettore=is Certified No particular updates have to be reported in the field of certified ( posta elettronica certificata, PEC). First of all it has to be said that PEC is an instrument of considerable importance in C2A communications. It must be noted that PEC is accessible through, among others, the EIC and the NSC. The current regulation is provided by the Decree of the President of the Republic 11 February 2005, no. 68 (available at and the Code (Articles 6, 47, 48 and 54). Legislation deals with the requirements of this means of communication either when used for the exchange of documents among public administrations and when it is used by private parties. Both public authorities and private companies can be PEC providers. With this regard not any economic entity can run a service of PEC, but only those meeting high standards of quality (ISO9000 certification among others) and capital (not less than 1 million euro, and a proper insurance coverage), provided they enrol in the registry of CNIPA (Article 14 of the above Decree). Certified providers (hereinafter CEPs) are obliged to guarantee privacy, security (including from viruses) and preserve the integrity of information contained in the so-called transportation envelope for 30 months. The list of providers is available at (PEC)/Elenco_pubblico_dei_ gestori/ (retrieved 15/5/2009). Coming to the functioning of PEC, what is important to understand is that the transmission and the receipt of messages are certified by both the sender s and the recipient s CEPs: the former will send an acceptance receipt, and the latter a delivery receipt. The sender gets a receipt from the recipient if reaches his/her inbox, whether it has been read or not. It must be highlighted however that an essential precondition here is that both the sender and the recipient have a PEC. Page 16 of 28

17 Regarding the issue of the consent of the recipient as a precondition for sending PEC- s, different rules are followed depending on the nature of the parties involved. In communications addressed to public administrations, the latter seem obliged to accept PECs (see Articles 3, 47(3)(a) and 48 of the Code). An express declaration of will is necessary in B2B communications for receiving PECs. Parties may indicate their PECs and declare them as valid means of communication in the State registry of enterprises (Article 4(4) of the Decree). They can of course withdraw that indication. The Decree 2 November 2005 (available at then, has set forth the technical rules to be followed for the formation, transmission and validation of PEC. Pursuant to Article 6 of the Code, on request by the subjects concerned, public administrations use PEC for any interchange of documents and information. Note that starting from 1 September 2006 all public administrations must have an institutional address and a PEC address. However such a term has a merely programmatic nature (no sanctions are provided) and, in fact, many administrations do not have a PEC address yet Electronic Residence Permit Another card used in e-government applications that must be mentioned here is the residence permit issued to people coming from countries outside the European Union living in Italy ( permesso di soggiorno and carta di soggiorno ). The most relevant source in the field is the Decree of the Ministry of Internal Affairs and of the Minister for Innovation and Technologies 3 August 2004 setting technical rules for the e-residence permit (available at one_608.html). Graphically this card is very similar to the EIC given the fact that it has a laser band and a microchip. The process of creation of the card is the same as for the EIC, as well as the ICT infrastructure adopted. The main difference is that the e-residence permit is issued by the offices of the police located in every capital of province. The e-residence permit shall allow the holder to have access to e-government services provided by public authorities. For these reasons the holder is provided with a PIN code necessary to use the private key Kpri for the online authentication when requested. Nevertheless, the Decree does not mention any e-signature feature linked to the card E-cards for employees of public authorities: Ministry of Justice Article 66(8) of the Code states that cards used for identification purposes issued to employees of State authorities (public employees of central administrations) can be made in electronic form and they may allow holders to have access to e-government services. One example of the application of this principle regards the employees of the Ministry of Justice, namely: judges, prosecutors, managers, all personnel of the Ministry. Pursuant to the Decree of the Ministry of Justice 6 November 2007 (available at the abovementioned people are provided with a card that allows the online authentication for the access to ICT systems of the Ministry. The card is very similar to the EIC and has both a laser band and a microchip, which may contain a certificate of digital signature. 3 E-government applications using electronic signatures In the section below we will comment only the most significant national e-government applications and the manner in which they rely on electronic signatures. As required, descriptions have been provided for the mandatory sectors: public procurement, e-health and e-justice. Page 17 of 28

18 3.1 Public procurement Acquisti in Rete General description The Government (more precisely the Ministry of Finance) created a dedicated company (Consip, whose mission is to develop and manage the ICT systems of the Ministry of Finance by providing technical and managerial consultancy. Furthermore, Consip manages the program for the rationalization of procurement instruments within the public administration. Such a program is realised through an organisational model that links the needs of public authorities with the market trends, in order to assure transparency and efficiency. The work of Consip is regulated by many legal provisions that can be found at the following URL: To the ends of this Study, it is interesting to focus on the projects performed by Cnipa. These projects started in the year 2000 and are aimed to improve the quality of the goods/services acquired by public authorities while, at the same time, reducing the overall costs and rendering the proceedings faster and more efficient. The most notable project (described in the questionnaire below) and the core of the national e- procurement services is the website This website functions both (i) as a way for e-tenders and (ii) as a marketplace where the public administrations buy products from lists provided by suppliers or make specific requests if and when they need products or services. With this regards, the authorised personnel of the public authority signs with digital signature the tender/request/proposal Application questionnaire Application/Service Classification CL1 Application/Service Name Acquisti in Rete della Pubblica Amministrazione - CL2 Application/Service Type B2A CL3 Concerned sector Public e-procurement CL4 Intended clients Providers who want to sell goods/services to public Administration. CL5 CL6 Abstract Description Application/Service responsible contact information The application allows companies to register, search for public procurement opportunities (listed periodically in the above website) and submit a bid electronically. The application functions also as a marketplace where the public administrations buy products from lists provided by suppliers or make specific requests if and when they need products or services. The negotiations are then performed electronically as well. See below for further information. Helpdesk: esignature use in the application Organisational aspects OR1 Which institutions, providers, etc. are involved in the signature In order to buy/sell products or services, both public authorities and companies must use a digital signature. The Page 18 of 28

19 scheme, and how do they relate? OR2 Which validation service provider / validation authority is involved for the signature validation? considerations made above (paragraph 2.1) apply. No answer can be provided given the fact that in Italy no recognised entities or providers supply the validation service. OR3 How is the long term validity of the signatures (including longterm archiving of certificates and signatures) ensured, if applicable? The information provided by companies (and signed with digital signature) shall be renewed every 6 months. esignature use in the application legal aspects LG1 LG2 LG2 LG3 LG4 LG5 Does the system require an advanced signature / advanced signature based on a qualified certificate / qualified signature? Does the choice of signature type result from a risk assessment process? What is the legal basis (law, decree, ) for this application? Does the legal basis impose additional legal requirements on the electronic signature beyond the aforementioned qualification? How does the application determine if the user is authorised to use the application (if applicable)? What information is signed by the user and what is the objective of the signature? Digital signature is required. It is extremely clear that Italian authorities prefer the digital signature as e-signature tool. This is based on the fact that digital signature assures more certainty than other signatures (in this sense a risk assessment process has been performed). The most relevant legal source is the Decree of the President of Republic 4 April 2002, no. 101 (available at No. Through the use of digital signature. There is a process of registration for the people (users: both from public administrations and companies)) authorised to have access to and use the service. The certificate/signature of the users is then used for the following phases of signature of the order (for what concerns public authorities) and of the final offer in a tender (for what concerns the company). The final offer, declarations and documents submitted by the company (Article 4 Decree 101/2002). Pursuant to Article 8, the public officer responsible for the proceedings signs (with real or digital signature) the documents attesting the proceedings that have been followed and the results of the negotiations. We assume that, in this case, the use of Page 19 of 28

20 esignature use in the application legal aspects the EIC or of the NSC by the public officer is allowed. esignature use in the application technical aspects T1 What kind of token or credentials are used (smart cards, software certificates, paper tokens ) to create the signature? Digital signature devices are used: SSCD (usually smartcards of USB tokens) issued by certificate-serviceproviders, T2 T3 T4 T5 T6 T7 T8 T9 What are the hard- and software requirements on the client side for the use of the esignature? How are the signature/certificate presented to the application? Is there specific information in the certificate that plays a notable role in the functioning of the application? Which standards have been implemented in the esignatures application? How is the signature verified and how is the verification data processed and stored? What types of validation protocols are used for the electronic certificate validation? (OCSP, CRLs, SCVP ) How is the signature type technically enforced by the application? Does the application require the use of time-stamping services? The user must have a smart card, a device that reads the smart card and a software of digital signature installed in the computer (unless the user has a USB token, like the Business Key of Infocert or PosteKey of Postecom). Through a Java script applet. The user then signs the e- document in PDF with his digital signature. In the registration phase the role is set by the link between certificate and user. Information in the certificate about the title of the user is not relevant. The very high standards of digital signature: PKCS#7 format also with multiple signatures (see CNIPA Deliberation 4/20005). The signature is verified in the framework of the digital signature paradigm. Information provided by the companies and verified must be renewed every six months. CRL is the legally valid system. OCSP is optional. Only digital signature is supported at this time. Pursuant to Article 4(5) of the Decree 101/2002 the operations and transactions are deemed to have been performed at the time registered by the system. If the tender is managed by the system, a time-stamping mark is required. Interoperability aspects Page 20 of 28