In this post, we will focus on a major and topical issue, with some important updates on the horizon. We will start with technical and legislative issues, but these have a daily impact on the lives of all of us: both as individuals and as companies.
We’re talking about the Electronic Service of Qualified Certified Delivery, known as SERCQ. It’s good to start, therefore, with the framework related to current regulations; we’ll get to that in the next section.
Next, we’ll look at the differences between SERCQ (Qualified Certified Electronic Delivery Service) and SERC (Certified Electronic Delivery Service) and then focus on PEC, which is specific to the Italian digital and legislative ecosystem. Here, note that new developments are coming in this field, and all of them are aimed at placing PEC within unified European standards.
Let’s proceed in order.
Qualified electronic certificate delivery service and eIDAS
Let’s quickly unpack another acronym that lies behind this discussion: eIDAS (electronic IDentification, Authentication and trust Services) is European Regulation 910/2014 that focuses on electronic identification and trust services for electronic transactions in the internal market.
eIDAS provides a common regulatory basis for secure electronic interactions between citizens, businesses, and public administrations in the European Union. In addition, eIDAS addresses the security, transparency and effectiveness of electronic services and e-business and e-commerce transactions.
Among other things, this regulation introduced the Certified Electronic Delivery Service (SERC) and the Qualified Certified Electronic Delivery Service (SERCQ). These two acronyms can be misleading and confusing. In fact, we must pay close attention, as there are decisive differences between the two systems, which have decisive impacts at the legal and bureaucratic level more generally.
In this regard, the articles 43 and 44 are of most interest to us. We will explain those in detail below:
- Article 43: The legal effects of a certified electronic delivery service
- Data sent and received by means of a certified electronic delivery service shall not be denied legal effects and admissibility as evidence in court proceedings merely because of their electronic form or because they do not meet the requirements of the qualified certified electronic delivery service.
- Data sent and received by qualified certified electronic delivery service shall enjoy the presumption of data integrity, the sending of such data by the identified sender, its receipt by the identified recipient, and the accuracy of the date and time of sending and receipt indicated by the qualified certified electronic delivery service.
- Article 44: Requirements for qualified certified electronic delivery services
- Qualified certified electronic delivery services shall meet the following requirements:
(a) they shall be provided by one or more qualified trust service providers;
(b) ensure the identification of the sender with a high level of security;
(c) ensure the identification of the recipient before the data transmission;
(d) the sending and receiving of the data are secured by an advanced electronic signature or advanced electronic seal of a qualified trust service provider so as to exclude the possibility of undetectable changes to the data;
(e) any changes to the data necessary in order to send or receive them are clearly indicated to the sender and recipient of the data;
(f) the date and time of sending and receiving and any change to the data are indicated by a qualified electronic time stamp.
Where data are transferred between two or more qualified trust service providers, the requirements in (a) to (f) shall apply to all qualified trust service providers.
2. The Commission may, by means of implementing acts, establish the reference numbers of the standards applicable to the processes of sending and receiving data. Compliance with the requirements referred to in paragraph 1 shall be presumed where the process of sending and receiving data meets those standards. These implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
The differences between certified electronic delivery service (SERC) and qualified certified electronic delivery service (SERCQ)
Here, we come to a sensitive and important point, the one concerning the differences between SERC and SERCQ. The eIDAS regulation we quoted just above is exhaustive in this regard. But let’s summarize it below, sharply, and clearly.
SERC enables the transmission of data between third parties electronically, provides evidence regarding the processing of the transmitted data, including evidence that the data has been sent and received, and protects the transmitted data from the risk of loss, theft damage, or unauthorized modification. It also meets the required principles of “accuracy of date and time of sending and receiving.” What SERC lacks are guarantees, with high levels of security, of the identification of the sender, first of all. And then of the recipient, in the stages prior to data transmission. And these are precisely the features and standards that are guaranteed by the Electronic Service for Qualified Certified Delivery (SERCQ). In the context of the European Union, SERC and SERCQ systems are now widespread, at all levels. Italy, in this respect, is an anomaly.
Currently, we only have PEC in Italy. Italian legislation, however, already allows the use of SERCQ services: translated, it is only a matter of time before they spread widely here as well. Preparing for this in advance can be an important competitive advantage.
Also, pay attention to another aspect. There are some important developments on the horizon solely on the PEC front, which may soon adapt to SERCQ standards. We’ll talk about this in the next section.
The future of PEC points toward SERCQ
PEC (Certified Electronic Mail) is something we are all familiar with. It is now an everyday tool for a large segment of professionals and others. According to the latest available data, there are more than 14 million active PEC addresses; while, in 2016, there were between 7 and 8 million.
Simplifying, it can be said that PEC corresponds to the old registered letter with return receipt; and, as we pointed out above, it is an all-Italian peculiarity which, however, is adapting to European standards. But let us proceed in order.
What is certain is that PEC can be considered a Certified Electronic Delivery Service (SERC), as it meets the requirements set out in Article 43 of the eIDAS regulation that we quoted above. Beware, however: it cannot be considered a Qualified Certified Electronic Delivery Service (SERCQ).
The distinction, in fact, is what we have already isolated just above: the guarantees on sender and recipient. In particular, at present, there is no provision for certain verification of the identity of the applicant of the PEC box. Moreover, there is also no requirement for the operator to undergo mandatory compliance audits by designated bodies. Here’s why spam and some scams sometimes even make it into the inbox of certified mailboxes: PEC has more simplified (thus less secure) procedures for identifying requesters (lighter and more circumventable, for example, than those provided for SPID).
The good news, however, is that PEC is not standing still. Its evolution has been discussed for some time now, and the path seems already well marked in the direction of its inclusion among the Qualified Certified Electronic Delivery Services.
There are two acronyms to keep in mind on this path: ETSI and REM. ETSI is the European Telecommunications Standards Institute. These are the standards dedicated to the European Union-wide interoperability of digital signature systems and REM systems. And here is our second acronym: Registered Electronic Mail. REM protocols already include the Italian PEC.
Without getting lost in technicalities, suffice it to say that a working group was set up in 2019 between the Digital Italy Agency, PEC operators, Uninfo, and Assocertificatori that is finalizing the technical rules necessary to make PEC “rank up” so that it can be compliant with the European standards required for the Qualified Certified Electronic Delivery Service (SERCQ).
This is to avoid the creation of alternative tools. In fact, supplanting a tool as widely used and deployed as CEM would be slow, very inefficient, and certainly uneconomic.
Beyond compliance – the opportunities of mature digitization
When we talk about digitization, digital identity, authentication, and certification systems, we must never forget this: these are not just fulfillments, but opportunities to be seized. First of all, there are the great advantages in terms of security, transparency, convenience, and increased efficiency.
But there is an additional keyword that should always be kept in mind: integration. This is a key word that is absolutely decisive when we move from the realm of private individuals to that of companies.
In short, a real revolution, which turns into a spiral of continuous optimization!