Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

RD 88/2026 and digital contracting evidence: what teams must prove


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 10745
Topic starter  

TL;DR: Spain’s RD 88/2026 shifts digital contracting from convenience to evidential proof, requiring organisations to verify identity, capture exact acceptance, timestamp the agreement, and preserve audit-ready records, according to Vintegris. The governance challenge is no longer whether a contract is signed digitally, but whether the process can withstand legal challenge, audit, and dispute review.

NHIMG editorial — based on content published by Vintegris: RD 88/2026 and the new requirements for defensible digital contracting

By the numbers:

Questions worth separating out

Q: How should organisations prove who accepted a digital contract?

A: They should use identity assurance that is proportionate to the legal and business risk of the transaction, then preserve the evidence chain behind that acceptance.

Q: When do lightweight login checks fail in digital contracting?

A: They fail when the organisation needs to prove not just that a session existed, but that a specific person saw, understood, and accepted specific terms under conditions that can be defended later.

Q: What do security teams get wrong about audit trails for signing flows?

A: They often treat logs as a by-product of the process rather than as part of the control itself.

Practitioner guidance

  • Define evidential identity requirements for every contract flow Map which journeys need simple authentication and which need legally defensible proof of identity, then assign different assurance levels, record retention rules, and approval paths accordingly.
  • Centralise contract evidence capture and retention Ensure the acceptance record, identity verification artefacts, timestamps, and document versions are stored in a single audit-ready chain, with immutable logs where possible.
  • Review qualified trust service dependencies Confirm that your certificate and signature providers meet the assurance level needed for regulated transactions, and that the service model supports legal recognition, audit traceability, and cross-border validity where relevant.

What's in the full article

Vintegris's full article covers the operational detail this post intentionally leaves for the source:

  • How qualified digital certificates change the evidential strength of a signing flow
  • How integrated identification, issuance, and signature workflows reduce traceability gaps
  • How different user starting points can still fit within a compliant contract process
  • How the legal role of QTSPs changes procurement and governance decisions

👉 Read Vintegris's analysis of RD 88/2026 and digital contracting proof requirements →

RD 88/2026 and digital contracting evidence: what teams must prove?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 10300
 

Identity assurance is becoming part of contract governance, not a supporting control. RD 88/2026 shows how quickly a digital workflow becomes a governance problem when the organisation cannot prove who acted and under what evidence chain. That is the same underlying logic that drives stronger IAM and NHI governance: identity is not only about access, it is about defensible accountability. Practitioners should treat proof of identity as a control objective, not just a user experience feature.

A question worth separating out:

Q: Who is accountable when digital contracting evidence cannot be defended?

A: Accountability usually spans IAM, legal, compliance, and the business owner of the signing process. If the identity proofing standard was too weak, the evidence chain was fragmented, or records were not retained correctly, the failure is governance-wide, not just a technical defect.

👉 Read our full editorial: RD 88/2026 makes digital contracting auditable by design



   
ReplyQuote
Share: