Electronic signatures still required in B2G e-invoicing in Spain [guest post]

Before Directive 2010/45/EU e-invoicing in Spain mandated that bills to be signed with a qualified electronic certificate, using a secure signature-creation device; hampering the adoption of electronic invoicing in Spain. However to date the Spanish e-procurement law still requires qualified e-signatures. So how does this add up?

This is a guest post by Chema López

Why the mandatory electronic signature was eliminated?

Studies by the Commission (see conclusions of Annika Fritsch and JD Rouvinez in Electronic Invoice Summit 27, 28 and 29 of April 2010 -ES-) pointed out that the mandatory use of electronic signature in e-invoicing was a main barrier to implement electronic invoicing solutions.

The European Commission, with the aim to facilitate not only the adoption of e-invoicing but also its interoperability, shot down those barriers that, in its view, were unnecessary. That is why COUNCIL DIRECTIVE 2010/45/EU of 13 July 2010 amending Directive 2006/112/EC on the common system of value added tax as regards the rules on invoicing, indicates:

(11) The authenticity and integrity of electronic invoices can also be ensured by using certain existing technologies, such as Electronic Data Interchange (EDI) and advanced electronic signatures. However, since other technologies exist, taxable persons should not be required to use any particular electronic-invoicing technology.

Why the electronic signature was a barrier to implement electronic invoicing?

There are two main causes, from my (Chema López) experience, for which the electronic signature can be a deterrent:

  1. First, electronic signatures are still viewed with suspicion. It keeps raising doubts and fears like: “do I fulfill legal requirements? “, “how much will it cost to me” , “what administrative staff can do / see with the qualified electronic certificate of the company?”.
  2. Second, that a qualified electronic signature is required (although the wording is “electronic signature based on a qualified certificate and created by a secure signature creation device”).

This has three very important implications:

  • Firstly that personal data of an individual will appear in every one of the electronic bills (at least the name and National ID number and usually also the e-mail.)
  • Next, generally, the holder of the e-signature certificate will be an administrator or legal representative of the company. Can you imagine that all bills from, let’s say, Vodafone, incorporate the data of one of its directors?
  • And finally, you have to sign with a secure signature-creation device, or what is the same, in Spain, a smart card or cryptographic token in which, theoretically , you must enter the PIN each time you perform a signature. Can you imagine the same example, entering the PIN thousands of times a day to sign bills?

Is there really no more need for electronic signatures in Spain?

Let’s take it easy. It wouldn’t be easy in Spain to remove the electronic signature. Not surprisingly, Spain is a leading actor worldwide in terms of electronic signature and it would be hard to allow to perform e-invoicing stuff without using something that we are good at.

Directive 2010/45/EU left a “message” as an example worded like this:

“2. Other than by way of the type of business controls described in paragraph 1, the following are examples of technologies that ensure the authenticity of the origin and the integrity of the content of an electronic invoice:

(a) an advanced electronic signature within the meaning of point (2) of Article 2 of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (*), based on a qualified certificate and created by a secure signature creation device, within the meaning of points (6) and (10) of Article 2 of Directive 1999/93/EC;

(b) […]”

But there is another law in Spain that mandates e-signatures. Law 25/2013 of 27 December on the promote of electronic invoicing … in the Public Sector (ES), makes it clear in its Article 5:

“1. Electronic invoices that are submitted to the general government should have a structured format and signed with advanced electronic signature based on a qualified certificate, in accordance with Article 10.1 a) of Royal Decree 1619/2012 of 30 November.”

The good thing is that in the case of the Directive, the use of a “qualified certificate and a secure signature creation device” is only one example. Additionally, Law to Promote Electronic Invoice has eliminated the need for secure signature-creation device, killing 2.3 braking cause.

The bad thing  is that the qualified electronic signature certificates remains compulsory. At least, the same law, establishes a new kind of qualified certificate (advanced electronic seal) that does not include personal data:

“a) The certificate shall identify the legal person or entity without legal personality that seals the electronic invoice, through its corporate name and tax identification number.

b) The application for an advanced electronic seal may be made either by face appearance of an individual stating his representative power, either electronically through the electronic ID card and submitting the documents proving his power of attorney, in paper or electronic format.

The electronic seal is the set of data in electronic form, entered or associated with electronic invoices, which can be used by corporations and unincorporated businesses to guarantee the origin and integrity of content.”

What solution would you propose ?

Between the position of Annika Fritsch (“The business processes themselves in sending and receiving  will ensure the authenticity of the e-invoice) and a qualified electronic signature, there are grays.

Of course, the first position seems too lax, and mandatory electronic signature seems wholly disproportionate to electronic invoices signatures .

The advanced electronic signature based on qualified certificate seems inadequate, by compulsion, by definition of a qualified certificate - need to incorporate personal data -, and therefore, in each of the invoices to be signed .

I think the best way to ensure the authenticity and integrity of electronic invoices is using electronic signature, yes, but based on a Corporate Electronic Seal like this (ES), an electronic certificate equivalent to the company’s rubber stamp, fully identifying the Corporation, but with no personal data.

>>Are you interested in writing a guest post for the E-invoicing Platform? Contact us here

Related posts

Comments are closed.