SPID: the new digital identity system
Europe’s Public System of Digital Identity, known in Italy as the Sistema Pubblico di Identità Digitale or SPID, is something most of us are now familiar with. It is a system that guarantees all citizens and businesses functional and secure access to the digital services of the Public Administration and to those of participating private entities. Access works from any type of device with a single set of credentials, which avoids the proliferation of different usernames, passwords, recognition systems, etc., with all the related inefficiencies and risks.
This is true in Italy and, increasingly, throughout the European Union as well. It is precisely the issue of SPID in Europe that we will focus on in this post. First, we’ll start by establishing some basic preliminary points.
SPID’s different levels of security
First of all: who issues the SPID identity?
It is issued by the Digital Identity Providers (IdPs), which are private entities accredited by AgID (Agenzia per l’Italia Digitale). These entities manage user authentication according to very stringent and continuously updated regulations. It’s important to note that the SPID identity comes with 3 different levels of security:
- Level 1, or “low”: allows authentication using an ID and password established by the user.
- Level 2, or “significant”: the most common security level and one that many of us have already found ourselves using. It allows dual-factor identification with a “one-time password” (OTP), which is generally distributed via text message or through the dedicated apps of different providers.
- Level 3, or “high”: the security level that provides the highest level of reliability. In addition to the user name and password, it requires a physical medium for cryptographic key management. This medium can be a smart card or a remote digital signature device.
After this important specification (which, as we shall see, will also have implications for SPID identity in Europe), let’s continue with our theme. However, before we move on to the EU, we will look at some important figures about the deployment of SPID in Italy.
SPID diffusion in Italy – some important figures
The SPID system is not new. In fact, the first measure to implement it was the Prime Ministerial Decree of October 24, 2014, published in Official Gazette No. 285 of December 9, 2014. In other words, we’re not talking about a technology in its infancy, but quite the opposite.
What is certain, however, is that the pandemic period that is now behind us has accelerated the diffusion of the SPID identity among all segments of the population. For a better idea of this, let’s look at the data from AgID itself (source agid.gov.it):
- As of May 2022, there were more than 30 million SPID digital identities in Italy.
- Of these 30 million, as many as 10 million (thus, a third) were activated in the previous 12 months.
- Accesses through SPID to use public administration services exceeded half a billion in 2021. In the first four months of 2022, the number of accesses had reached around 330 million.
Looking in even more detail, we can see the obvious progression of the weekly average of digital identities issued:
- around 76,000 in the first 5 months of 2020;
- around 262,000 in the next 7 months of 2020;
- around 198,000 in 2021;
- around 196,000 in January 2022 alone.
Again, SPID was used to access networked services:
- in 2019: over 55 million times;
- in 2020: over 143 million times;
- in 2021: over 571 million times.
We could continue with such figures, but it’s enough to see that the trend is already very clear. Now, we’re ready to move to the SPID identity plan in Europe. Here, we will ask ourselves: what are the regulations, uses and opportunities?
SPID in Europe – the regulations, uses, and opportunities
To frame the topic of SPID in Europe, it is essential, first of all, to mention eIDAS.
eIDAS (electronic IDentification, Authentication and trust Services) is the European regulation for electronic identification and trust services for electronic transactions in the internal market. eIDAS provides a common regulatory basis for secure electronic interactions between citizens, businesses, and public administrations, and it increases the security and effectiveness of electronic services and of e-business and e-commerce transactions. It is from this regulation that unique standards have been created for everything related to the various forms of electronic authentication in all European Union countries.
In particular, as far as SPID is concerned, the reference to keep in mind is the publication in the Official Journal of the European Union (OJEU C318 and OJEU C344 of 2018). With the notification of SPID by Italy and its publication in the European Official Journal, it became possible to use SPID for access to networked services of all public administrations in the European Union.
According to the provisions of the eIDAS Regulation, the use of a digital identification service notified by a European state in other EU countries must be recognized within 12 months of its notification and publication in the Gazette. Therefore, as of September 10, 2019, Italian citizens can use the SPID digital identity to access services made available by other European administrations. Even more specifically: for access to services involving the use of Level 2 and Level 3 credentials, acceptance by all member states is mandatory. For Level 1 credentials, however, there is no obligation: consent to access such services remains at the discretion of each individual state.
Beyond regulations, however, let’s ask ourselves: what is the SPID identity used for in Europe? And how can it be used? There are many cases. Here is a list of the most important and widespread ones:
- Application for birth certificates.
- Opening a bank account and applying for a loan.
- Filing tax returns.
- Applying for college, either in your own country or in another member state.
- Requesting medical certificates of any kind and keeping medical prescriptions that can be used in any member state.
- Reporting a change of domicile or residence.
- Renting a car using a digital driver’s license.
- An ordinary online check-in at a hotel.
We close this section with the words of Margrethe Vestager, vice-president of the European Commission in charge of digital, and those of Internal Market Commissioner Thierry Breton. As Vestager said:
“With the European digital identity we will be able to do in any member state what we do in our own country without additional costs and with fewer obstacles, for example, renting an apartment or opening a bank account abroad, and all in a secure and transparent way. We will decide how much information we wish to share about ourselves, with whom, and for what purpose. This is a unique opportunity that will allow us to experience even more what it means to live in Europe and to be European.”
As Breton said:
“EU citizens expect not only a high level of security, but also convenience; whether they are dealing with national administrations, such as filing a tax return, or enrolling in a European university where they need official identification. European digital identity wallets give them a new way to store and use data for all kinds of services, from checking in at the airport to renting a car. This is about giving consumers a choice, a European choice. Our European businesses, large and small, will also benefit from this digital identity, and they will be able to offer a wide range of new services as the proposal offers a solution for secure and reliable identification services.”
These are statements that summarize the breadth of benefits and opportunities arising from the increasingly broad adoption of the SPID identity in Europe. In particular, in the next and last section, we want to start from the reference that Commissioner Thierry Breton makes to companies large or small. This is a fundamental aspect and a side where we must not limit ourselves to pure legislative compliance.
Not just compliance – SPID opportunities for companies in Europe
When we talk about digitization and the SPID identity in Europe, we should not make a (still) widespread mistake: that of limiting ourselves to compliance obligations. In fact, we have already pointed out the great advantages that are made possible in the transition to digital identity in terms of security, transparency, convenience, and increased efficiency.
But there is one additional theme that we must always keep in mind: integration. In fact, integration is absolutely decisive when we move from the realm of private individuals to that of companies. For example, it makes it possible to integrate electronic signature solutions with identification via SPID identity. This is a natural and innovative evolution of signature processes, which is extremely useful on several fronts.
A mature, 360-degree digital revolution!