Certified Electronic Mail, known as PEC in Italy, is a tool we are all familiar with and has become part of our daily lives, both in business and in bureaucratic environments.
According to the latest available data, there are more than 14 million active PEC addresses in Italy.
For comparison: there were between 7 and 8 million PEC addresses in 2016 (agid.gov.it).
Quite simply: in the Italian system, PEC corresponds to the paper registered letter with return receipt: therefore, it allows a communication to be sent, generating proof of delivery and receipt of the message, guaranteeing the integrity of the content through the affixing of the digital signature by the provider. In this way, the communication, when it takes place between two PEC inboxes, assumes legal value.
This tool was created in 2005 and has proven to stand the test of time very well.
Despite this, important updates are on the horizon. These updates point to the evolution of PEC toward the European standards set by the eIDAS regulation.
PEC, in fact, is specific to Italy. And lately, we are starting to hear about the so-called European PEC.
Let’s put a point on the timeline right away.
We can identify the starting point behind the evolution of CEM in 2019 with the establishment of a national working group that aimed to evolve CEM toward the requirements set by the eIDAS Regulation for Qualified Certified Electronic Delivery Services (SERCQ).
During 2020, the working group expanded and became international: this led to the definition of a baseline of requirements on which to build the interoperability of delivery services based on the REM (Registered Electronic Mail) protocol.
Another very important step took place on June 27, 2022 when AgID (Agency for Digital Italy) announced the consolidation of the ETSI EN 319 532-4 standard.
Now that the “toolbox” to evolve PEC toward a European scenario is available, the steps and regulatory framework that will enable the switch to the new qualified PEC system still remain to be defined.
To this end, a decree is being studied that will provide this framework, and this is expected in the coming months of 2023.
So, if all goes according to plan, the European PEC should be fully operational and valid by early 2024.
At this point, and without getting too technical, we need to take a small step back to clarify the picture and unravel the acronyms we mentioned: eIDAS and QERDS.
The eIDAS regulation and the Qualified Electronic Registered Delivery Service (QERDS) – the steps toward European PEC
eIDAS (Electronic IDentification, Authentication and trust Services) is the European Regulation 910/2014 that focuses on electronic identification and trust services for electronic transactions in the internal market.
It’s important to mention that the eIDAS regulation is currently under revision, and the new text of the standard is expected to be approved in 2023.
(The full text of the current version can be viewed here.)
(In this article on our blog, we focused on the changes in the eIDAS regulation that transpired from the drafts already circulated. See here for the in-depth discussion.)
In summary, eIDAS provides a common regulatory basis for secure electronic interactions between citizens, businesses, and public administrations in the European Union.
Among other things, the regulation introduced the Electronic Registered Delivery Service (ERDS) and the Qualified Electronic Registered Delivery Service (QERDS) as trust services.
Previously, we devoted an in-depth look at certified, qualified, and unqualified electronic delivery services.
In this post, we will examine why it was necessary to intervene on a well-established tool such as PEC, which has been widespread and in common use for almost 20 years now in Italy, in order to embark on a path of change that will certainly have an impact on users.
As mentioned above, PEC has been in use since 2005, therefore long before the enactment of the eIDAS regulation that provided the framework for certified and qualified electronic delivery services. This is one of the reasons why electronic delivery services, in various forms, have spread widely in other European countries, while they have only recently appeared in Italy.
Having been born long before the eIDAS regulation, PEC does not, for obvious reasons,
Since it was operational long before the eIDAS regulation, PEC does not have all the requirements of certified or qualified electronic delivery services: for this reason, its legal validity is limited to the Italian territory.
Here we come to a decisive point.
In some respects, PEC can be considered as an Electronic Registered Delivery Service (ERDS).
However: it cannot currently be considered a Qualified Electronic Registered Delivery Service (QERDS) .
The current PEC lacks some specific requirements of QERDSs, such as guarantees on sender and receiver. In fact, PEC does not allow for certain identification of sender and recipient before the communication is sent, nor does it provide for affixing a qualified time stamp issued by a qualified trust service provider.
It also does not require the provider to undergo mandatory compliance audits by designated bodies.
And here, from these limitations, the path of evolution from Italian PEC to European PEC begins to take shape.
Let us follow it.
After these premises, in the next section we will look at the requirements of European PEC compared to the one we have been familiar with so far.
The requirements of European PEC
Let’s start with a list, starting with the requirements of qualified certified electronic delivery services that are already met by current Certified Electronic Mail systems:
- The legal-value certainty of the sending and delivery (or non-delivery) of messages to the recipient.
- Precise time declaration of the sending and receipt of messages (although, to date, not through the affixing of a qualified time stamp).
- The guarantee of integrity of the message content so as to prevent or detect any unauthorized changes to the transmitted data.
- The provision of the service by accredited operators, those identified in the eIDAS regulation as “qualified trust service providers.” To date, PEC providers are accredited by the Agency for Digital Italy (AgID).
Instead, here are the new requirements that will ensure the transition from the current PEC tool to the so-called European PEC tool:
- Enhanced security standards, with the adoption of additional levels of control and specific permissions for service access and management.
- Certain identification of parties involved in message transmission through reliable and shared authentication mechanisms.
- Interoperability of the service, including across borders, regarding other providers who adopt the REM protocol.
In concrete terms, to carry out identification operations, the user will be able to choose one of the following modes from those that each provider will make available:
- SPID (Public Digital Identity System)
- Digital Signature
- CIE (Electronic Identity Card)
- CNS (National Service Card)
- DVO (De Visu Online) with an operator ** remote identification??
- In person, by going to an authorized counter
A second step involves activation of 2FA, two-factor authentication (another system with which we are all now familiar with).
The opportunities behind the fulfillment of the European PEC
When we talk about digitization, digital identity, authentication, and certification systems, we must never forget one important point: these are not just fulfillments, but opportunities to be seized, especially for professionals and businesses in any sector.
First and foremost, there are the great benefits in terms of security, transparency, convenience, time savings, and efficiency.
But there is an additional keyword that we should always keep in mind and that, after all, lies behind everything: integration.
With the tools offered by specialized companies such as Doxee, all certification and authentication tools can be integrated with the core systems already in use.
This is a decisive aspect.
Specifically: the Doxee Certified Electronic Delivery product includes a range of different delivery solutions that can ensure the production of documentary evidence in electronic format, which guarantees the traceability of communication between sender and recipient and provides evidence regarding the sending and receipt of data.
Certified email, but also certified SMS, and e-Recapito (which allows a certified email or certified SMS containing a link to access the documents sent to the recipient).
Doxee Certified Electronic Delivery solutions meet the requirements defined by the eIDAS regulation mentioned above: they are, in fact, solutions delivered through a Qualified Trusted Service Provider. Therefore, communications made through Doxee Certified Electronic Delivery constitute valid evidence that can also be used in the event of litigation.
(Learn more about the Certified Electronic Delivery product here).
In summary: integration with your business solutions, security, reliability, increased efficiency and the ability to comply fully, completely.
All of this together in a single solution.
And those in business know this very well: being prepared early immediately turns into a competitive advantage.