Secure digital identity in critical sectors
The digitisation of the TELCO, energy and insurance sectors has boosted operational efficiency, but has also increased the risks of identity theft in online contracting. In the face of this growing threat, Electronic Trust Services, regulated by the eIDAS Regulation, are positioned as key solutions to guarantee the authenticity of transactions, enhance legal certainty and comply with regulatory requirements. The incorporation of qualified services such as electronic certificates, certified delivery and digital seals helps to prevent fraud, protect consumers and strengthen corporate reputation.
1. Sectoral context and emerging legal challenges
Accelerated digitalisation in the telecommunications, energy and insurance sectors has transformed customer relationship models, facilitating processes such as remote contracting, document management and after-sales service through electronic channels. This evolution has led to significant advances in terms of operational efficiency, commercial scalability and accessibility of services.
However, this new reality has also increased the exposure of organisations to risks derived from identity fraud, especially in procedures where the authenticity of the user is not adequately guaranteed. In many cases, identity theft through the use of stolen documents, illegally obtained personal data or fake profiles has led to situations of improper contracting, fraudulent claims, non-payment and legal disputes that directly affect the operational viability and reputation of the companies concerned.
Traditional identity verification practices, such as sending photocopies of ID cards or simple data entry, have proven to be insufficient in the face of the increasing sophistication of these forms of fraud. Such vulnerabilities can lead to legal liability for operators, as well as sanctions by the Spanish Data Protection Agency (AEPD), which has stressed the need to apply diligent, proportional and secure measures in the processing of personal data and in the verification of the identity of data subjects.
At the same time, sectoral regulatory bodies such as the CNMC have also focused on commercial practices that do not incorporate effective documentary control systems or sufficient technical evidence to accredit the informed consent of customers. In this regard, both the General Data Protection Regulation (GDPR) and recent Supreme Court case law point to a growing legal requirement for digital service operators, especially in sectors with a high volume of remote contracting.
At ECIJA Abogados, we believe that this scenario poses a cross-cutting legal challenge for companies: to evolve towards digital models that incorporate technical solutions with regulatory support, capable of reducing the risk of identity theft without compromising the user experience. To this end, it is essential to implement auditable and traceable measures, establish clear internal protocols and commit to electronic trust services as strategic tools to safeguard legal certainty in digital business relations.
2. Impersonation fraud: impact and regulatory response
Impersonation fraud has established itself as one of the main threats in electronic contracting in the telecommunications, energy and insurance sectors. This phenomenon, characterised by the misuse of forged personal data or documents to access products or services on behalf of third parties, has proliferated with the increasing migration of registration, modification or complaint processes to digital environments.
In the TELCO area, there has been an increase in the number of cases of contracting mobile lines and duplicate SIM cards made with impersonated identities, which has led to claims for services not contracted, non-payment and litigation between users and operators. The impact has been such that specific regulations have been approved, such as Order TDF/149/2025, which imposes reinforced verification obligations on companies providing electronic communications services, especially with regard to the identification of commercial calls and non-face-to-face contracting.
For its part, the insurance sector has seen a significant increase in fraudulent policy underwriting, using stolen or forged ID cards to obtain illicit coverage or compensation claims without legitimate entitlement. According to the latest ICEA reports, these practices have grown by more than 18% in some types of insurance, especially health and automobile, affecting both the technical solvency of insurers and their exposure to internal fraud.
In the energy sector, several marketers have reported unauthorised contracting using illegally obtained personal data. Identity theft has made it possible to register electricity and gas supplies, generating debts in the name of persons not involved in the operation. Likewise, practices such as energy phishing - impersonating companies in the sector to capture banking or identity information - have been the subject of warnings from the National Markets and Competition Commission (CNMC), which has warned of the increased risk in digital environments that are not sufficiently secured.
From a regulatory and judicial point of view, both the AEPD and the Supreme Court have reiterated in various rulings the requirement to implement effective identity verification systems that allow accreditation not only of informed consent, but also of the reliable link between the user and the data used in the transaction. The mere display of an identification document, without a verifiable process, is no longer considered sufficient in digital contexts. This new doctrine requires companies to adopt solutions that provide technical traceability, regulatory support and proportionality in the processing of personal data.
In short, impersonation fraud is not only an operational or IT security problem, but a matter of great legal, commercial and reputational relevance that requires structural responses. At ECIJA Abogados, we recommend that entities in these sectors analyse their current onboarding and digital contracting processes to identify legal gaps and adopt corrective measures to ensure customer authenticity and regulatory compliance.
3. Qualified trust services as a solution to prevent digital fraud
With the increasing sophistication of impersonation fraud techniques in digital environments, traditional verification mechanisms are no longer effective in ensuring user authenticity. Organisations in the TELCO, energy and insurance sectors face the challenge of implementing legal and technological tools that provide security, traceability and legal validity to their electronic contracting processes, without negatively affecting the user experience or compromising data protection.
In this context, Qualified Trust Services, regulated by Regulation (EU) No. 910/2014 (eIDAS), are configured as advanced legal solutions, capable of providing regulatory support to digital transactions and preventing the fraudulent use of identities in critical business processes.
Qualified Trust Service Providers (TSPs) operate under strict supervision, certification and auditing requirements, allowing companies to outsource identification, authentication and electronic signature processes to them, in accordance with European standards recognised throughout the Union. This outsourcing allows entities to incorporate robust verification capabilities without directly assuming the technical burden and regulatory risks associated with their implementation.
Among the most relevant services to prevent digital fraud, the following stand out:
- Qualified Electronic Certificates, which enable the electronic identification of natural or legal persons with a high level of security. The issuance of these certificates requires rigorous prior verification of identity (in person or by video-identification) in accordance with the requirements established by eIDAS, which makes them valid instruments before third parties and with full evidentiary force.
- Certified Electronic Delivery, which guarantees that a document or message has been sent and received under conditions of integrity, traceability and legal validity, with a record of date, time and content. This service is especially useful in contracting procedures, notification of conditions or documentation of consent between parties.
- Qualified Electronic Seal, which allows companies to ensure that the documents they issue have not been modified, legally attributing the authorship and authenticity of the issue.
- Qualified Time Stamp, which gives electronic documents a certain and verifiable date, with probative value in administrative or judicial proceedings, as well as establishing a reliable chronological framework in digital contractual relations.
By incorporating these services, organisations not only strengthen their control and compliance systems, but also reduce the risk of identity theft, guarantee informed consent and comply with the principles of data minimisation and proactive responsibility required by the GDPR and the doctrine of the AEPD.
4. Conclusions
The growing incidence of impersonation fraud in digital contracting processes poses a direct threat to legal certainty, consumer confidence and the operational stability of strategic sectors such as telecommunications, energy and insurance. Despite technological advances and the consolidation of digital channels in business, structural weaknesses persist in electronic identification models which, if not properly addressed, can lead to legal liability, administrative sanctions and losses.
Traditional verification practices, based on easily manipulated documents or systems without technical validation, are insufficient to cope with an environment increasingly exposed to identity manipulation. The consequences are not limited to the economic sphere: they include breach of contractual obligations, non-compliance with data protection principles and infringement of the right to informational self-determination by data subjects.
In this scenario, Qualified Trust Services, provided by qualified and supervised entities in accordance with the eIDAS Regulation, represent a solid and legally backed response to prevent fraud, reinforce the authenticity of electronic transactions and ensure regulatory compliance in remote contracting. The use of tools such as qualified electronic certificates, certified deliveries, entity seals and time stamps with evidentiary value allows traceability and control systems to be established that raise the legal and technical standards of companies, without sacrificing agility or operational efficiency.
At ECIJA Abogados, we understand that the structured and progressive incorporation of these services should not be considered an additional expense, but a strategic investment in legal security, corporate reputation and digital competitiveness. Their adoption not only prevents regulatory contingencies, but also positions companies as responsible agents, committed to the integrity of their processes and the effective protection of their clients' rights.
In short, responding to impersonation fraud in digital environments requires a proactive, integrated vision that is aligned with current regulations. On this path, Electronic Trust Services are established as essential allies to build a secure, verifiable and legally protected electronic contracting model.
Informative note written by the Privacy and Data Protection area of ECIJA Madrid.