From CEM to REM: a push toward the future, also for Intesi Group

A coffe with Francesco Barcellini

The year that has just begun will be remembered as the one that – barring any unlikely surprises – will have marked the transition from the popular CEM – routinely used by so many citizens, businesses and public administrations – to the new REM. Or, to put it without acronyms, from the Italian Posta Elettronica Certificata to the European Registered Electronic Mail.

But why this change? What changes will it imply for users? And what has it entailed and will it entail for service providers?

Francesco Barcellini helps us answer these and other questions. Originally from Saronno – Italy, 51, an engineer with a degree from Politecnico di Milano, Barcellini is the Head of Qualified Trust Services at Intesi Group. But he is also the Product Owner of the qualified certificate delivery service, SPID, CEM and REM. He puts at the service of the company a wide wealth of skills and experience gained in roles of increasing responsibility, working in the industry since 2001 and specifically in Intesi Group since 2016.

“It was the European Union, with Regulation No. 910/2014 on digital identity, better known as eIDAS (electronic IDentification Authentication and Signature), that had introduced the possibility of providing certified delivery services. Since then, complex work has been underway to devise and develop the European standards that will characterize the REM. This will be very similar to CEM but, at the same time, profoundly different. The experience gained over the years from CEM has, in fact, been of great use in the development of the REM, especially in the fine-tuning of its mode of operation. This, however, differs in the number and level of constraints to be met since the REM is a qualified trust service as opposed to its “older sister.”

But if CEM is a notoriously Italian success story, how do you explain its influence on REM?

The definition of the Registered Electronic Mail protocol was curated by ETSI (European Telecommunications Standards Institute), an international certification body of which we at Intesi Group are also members. A number of representatives from our country have made significant contributions to ETSI’s activities, also thanks to the close discussion that took place in parallel among the Italian operators at the national table, wanted by AgID precisely to govern the transition from CEM to the new certified delivery service. Just think of the great prominence given – at the international level – to the Italian remarks on interoperability: a concept initially not present in the EU vision but indispensable to allow European users of different REM providers to exchange messages with each other with full legal value. As was already the case in Italy with CEM.

Since REM is different from CEM, what will change for users?

There are two key changes. First, the assignment of a REM box will require certain identification of the holder. After all, nothing different from what is already in place for the issuance of a qualified electronic signature or SPID (Digital Identity) but never provided for CEM. It will require, therefore, either in-person or remote identification by an authorized operator or attestation of identity by signature or digital identities. And this is a major change: one will in fact know with certainty who the sender of a message is (and, if addressed to another REM box, also who the recipient is), whereas with the current CEM one is only sure of the provenance of a given message from a specific certified e-mail address (without any guarantee of the identity of its owner but only of its successful delivery).

What about the second innovation you mentioned before? It concerns the strengthening of security levels. Currently, for CEM access, entering a username and password is enough. REM, on the other hand, will also require an OTP, i.e., the “classic” single-use password that is increasingly required – for example – for online bank account access or the use of payment cards. I’d like to underline that there will not be other changes in terms of user experience than what CEM has accustomed us to.

When will the final transition from CEM to REM take place? And what will it mean for users?

The date will be formalized and announced by AgID in an appropriate measure. Probably, but it is just a feeling, in the second half of the year. In any case, CEM holders – who, in the past, have already been subject to identification – will benefit from the transformation of the box to REM practically without noticing it. The others will have to proceed according to the instructions of their respective providers who, in some cases, are already providing them to their customers. Those, finally, who forget or refuse identification will inevitably see the old CEM …shut down. As far as holders of CEMs issued by Intesi Group are concerned, I am pleased to point out that the vast majority of our users – as many as 90 percent – have already been subject to certain identification at the time of activation of their CEM box, since we have already developed it from a REM perspective. It will be particularly easy, therefore, to manage the identification of the remaining holders.

It sounds like the adjustment was really straightforward….

The evolution of our service to absolutely new standards, such as those defined by ETSI for REM, presented several undeniable complexities. The fact that we are completely ready today fills us with satisfaction, precisely because we were able to brilliantly resolve these complexities to the total benefit of our users.

Beyond the launch of the new service, what does all this effort leave to you and to Intesi Group?

A great confidence toward the future. A confidence based on our historical expertise and change management skills demonstrated once again on this occasion. The best premise for responding promptly also to the possible evolutions of REM, for example in the hypothesis of certification – in the who knows how distant future – not only of email communications but also through other messaging systems. But not only that. I am convinced that, for Intesi Group, the advent of REM may prove to be an additional driver for the progressive internationalization of our business. Because, yes, we have all the credentials to now successfully enter those European markets where certified messaging services are widespread and which, therefore, we had not explored so far.