The EU eIDAS regulation and the SPID scheme

21 March 2017

Gian Marco Rinaldi, Viola Macrelli

The European Union regulation n. 910/2014 on electronic identity (also known as the "eIDAS regulation", which stands for "electronic IDentification, Authentication and Signature") entered into force in all member States on 1 July 2016.[1]

This regulation is intended to provide a general legal framework at the European Union level for trust services and electronic identification of member states as well as to strengthen trust in electronic transactions between citizens, businesses and public authorities. 

As declared in its second recital, "the Regulation seeks to enhance trust in electronic transactions in the internal market by providing a common foundation for secure electronic interaction between citizens, businesses and public authorities, thereby increasing the effectiveness of public and private online services, electronic business and electronic commerce in the Union".

The implementation of the eIDAS regulation in all sectors and in all the member states contributes to creating a digital single market by facilitating the cross-border use of online services, with particular attention to facilitating secure electronic identification and authentication.

The eIDAS regulation focuses on electronic identity, electronic signatures, electronic seals, electronic time stamps and electronic documents, electronic registered delivery services, website authentication and in general on online services where the identification of the other party is significant.[2]

It is important to highlight that these new rules repeal the EU Directive 1999/93/CEE on the electronic document and the electronic signatures. 

Nowadays, we live in an increasingly digital world and most of the services provided by private businesses or public authorities can be accessed online. As a consequence, knowing the identity of the counterparty and the authenticity of electronic documents is essential when one is taking part in delicate and important activities.[3]

Hence, on the Internet, anonymity now turns into electronic identity. The user, who can be a natural or legal person, can always be identified when opening a new bank account online, taking part in an online public tendering procedure or using the services provided by public authorities via the Internet.

The eIDAS Regulation includes provisions on "Electronic Identification" (Chapter 2), "Trust Services" (Chapter 3), and "Electronic Documents" (Chapter 4).

This article will mainly focus on Electronic Identification issues and the Italian "SPID" (Sistema Pubblico di Identità Digitale – Public System of Electronic Identity), which represents the Italian implementation of a public system capable of guaranteeing the electronic identification of citizens.[4]

SPID has been implemented in Italy by the Prime Ministerial Decree 24 October 2014 in order to create a system of electronic identification complying with the new EU regulations and operating not only at national level but recognised by and able to be used in all the member states.[5]

Pursuant to art. 9 of the eIDAS regulation, this Decree providing the abovementioned Italian identification scheme has been notified to the EU Commission in order to be recognized at the European Union level. 

Using this system, every citizen now has the possibility to access many services provided by public authorities using just one username and one password (or another element of identification). 

By the beginning of 2017, 1,000,103 Italian citizens had registered with the SPID scheme through its (not-so-simple) procedure. This good result was, however, lower than the one expected by the government, which had foreseen 3 million users by the end of 2016.[6]

It is worth stressing that, at the beginning of September 2016, only 60,000 SPID credentials had been granted. The increase in users probably depends on the mass registration of teachers/professors and those who had just turned 18. This registration was required to get a single PIN in order to benefit from a monetary bonus granted by the Government to be spent on cultural activities and educational goods such as books, theatre, cinema or museum tickets and personal computers or tablets.[7]

Nonetheless, the success of this project can surely be declared: for instance, from 16 January 2017, parents will apply for schools – elementary, secondary and high school – on behalf of their children via the SPID scheme. It certainly is a big step towards the digitalisation of the relationship between citizens and the local and national authorities.

The Government hopefully announced that by the end of 2017 every single service provided by public authorities will be online and accessible through the SPID. 

According to art. 3 of the Prime Ministerial Decree 24 October 2014, the entities operating in the SPID scheme are the following: 

  • Identity Providers: private companies which are accredited by the SPID scheme (following the execution of a special agreement) and have the task to: i) identify the user with certainty; ii) create electronic identities; iii) assign credentials; iv) manage users' attributes and v) provide public authorities and private citizens with user identification services;
  • Qualified Attributes Operators: entities which have the power to certify qualified attributes;
  • Service Providers: private entities[8] and public authorities which provide online services whose use requires users' identification and authentication;
  • User: natural or legal person, owner of a SPID electronic identity, who uses online services provided by a service provider, following electronic identification;
  • Agency: supervisory entity in charge of managing the accreditation procedure and monitoring the activity of identity providers and qualified attributes operators.

In the private sector, the user shall register at the SPID system with an identity provider which will give him his new and single credentials to use in order to access the services provided by service providers.

There are three security levels for the SPID credentials used to access the services:

  • Level 1 (user ID and password): it ensures, with a good level of reliability, the user's identity, verified during the authentication process;
  • Level 2 (user ID and password + a further element of identification, for example, an OTP – one-time password): it ensures, with a high level of reliability, the user's verified identity;
  • Level 3 (user ID and password + a further element of identification based on electronic certificates): it ensures, with a great level of reliability, the user's identity, verified during the authentication process.[9]

However, how does the authentication process work? It can operate locally (in person) or remotely: an individual can go to a physical office of the Service Provider and bring all the hard-copy documentation and signed forms for a face-to-face verification, or he can do it at a distance. In the latter case, the applicant can choose whether to be identified in a video or audio session by an operator, who will check all the applicant's identity documents, or to be identified through an electronic verification of his credentials.

There are three types of data which may be provided by the user and stored/processed by the SPID: 

  • Identifier Attributes: biographical data, social security number, VAT number, ID number, etc.;
  • Secondary Attributes: telephone number, e-mail address, etc.; 
  • Qualified Attributes: qualifications, professional licenses, powers of representation, etc.

It is important to note that only the data strictly necessary to access the service and to carry out a specific transaction are transmitted to the service provider when it requests them in order to identify a user.

This is one of the main differences from the private systems of identification provided, for instance, by some social networks (besides the uncertainty about the real identity of the user, who could also be registered on a social network with fake data).

To conclude, there are several benefits for both private citizens and enterprises resulting from the use of the SPID scheme: 

i) Service providers have the possibility to access a fleet of users without having the duty to register them or to store their personal data; 
ii) there are lower risks for service providers (as well as users/citizens) related to security of data;
iii) there is a new business opportunity for identity providers;
iv) citizens can easily access online services and interact with public authorities.

Moreover, through the implementation of the SPID scheme, Italy took a big step forward for the interoperability at the European level of identification schemes in order to create a single digital market as conceived by the European institutions and set out in the eIDAS regulation.[10]


[1] Except for some provisions which entered into force on 17 September 2014.
[2] See D. TUMIETTO, A. CACCIA, Regolamento europeo eIDAS, in Il Documento Digitale, I/MMXV.
[3] Id.
[4] "Electronic identification" and "authentication" are two different but related concepts. The eIDAS provision describes the above terms as follows: i) electronic identification means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing a legal person (eIDAS regulation art. 3, n. 1); ii) authentication means an electronic process that enables the electronic identification of a natural or legal person, or the origin and integrity of data in electronic form to be confirmed (eIDAS regulation art. 3, n. 5).
[5] The SPID scheme is based on the OASIS SAML v2.0 specifications, which are widespread at the European level and also used in the EU experimental project named Stork (a project which aims to establish a European eID Interoperability Platform that will allow citizens to establish new e-relations across borders, just by presenting their national eID).
[6] See P. BRUNO, Avanza la SPID, più di un milione di italiani con l'identità digitale, article of 14/01/2017 on Repubblica.it.
[7] Id.
[8] A determination of the Italian Agency (Agenzia per l'Italia Digitale) which allows private entities to operate in the SPID scheme as Service Providers was published on 7 October 2016.
[9] All you need to know about SPID
[10] Please find more at http://www.agid.gov.it
