Certifying digital procurement platforms (PADs)

The Italian version of this article has been published on September 13, 2024 on AgendaDigitale.eu, within our “Legal Health” monthly column.

Digital procurement platforms (Piattaforme di Approvvigionamento Digitale, or “PADs”) are infrastructure used by contracting authorities for digital management of procurement in accordance with the provisions of the Public Procurement Code.^[1] They are necessary for digital execution of the entire lifecycle of public contracts and are an integral part of the Italian digital procurement ecosystem (e-procurement).

Only PADs that have completed the certification and compliance process with the Agency for Digital Italy (Agenzia per l’Italia Digitale, or “AgID”) can be used by Italian contracting authorities. This procedure, discussed in greater detail below, guarantees the operability and security of PADs and their integration with the services of the Italian Database of Public Contracts (Banca Dati Nazionale dei Contratti Pubblici, or BDNCP), managed by the Italian Anticorruption Authority (Autorità Nazionale Anticorruzione, or ANAC).

Key players in the certification process are the AgID, platform owners (i.e., public and private entities that have rights, including non-exclusive rights, to one or more components of a platform (e.g., PAD developers)), and platform operators (i.e., public (such as contracting stations) and private entities (commissioned by contracting stations ) that are responsible for managing the operation of a platform and guaranteeing its operation and security). In some cases the owner and operator may be the same.

Certification and technical rules

AgID certification ensures that PADs used by contracting authorities and contracting entities comply with the legal, security, functional, and technical requirements set out in the Procurement Code^[2] and in the AgID Technical Rules adopted on June 1, 2023.^[3]

The AgID Technical Rules list the technical requirements for PADs, which are divided into three different classes:

• Class I: general requirements derived from the provisions of the Digital Administration Code (CAD) and other general regulations;^[4]
• Class II: specific functional requirements;^[5]
• Class III: requirements for interoperability with other platforms and infrastructure that make possible management of the lifecycle of public contracts.

Requirements are assessed for each component of the PAD, i.e., each service or computer system that performs one of the activities cited in Article 22 of the Public Procurement Code (electronic access to tender documents, submission of tenders, management of tender dossiers, and so on). Consequently, the same AgID certificate is issued for each component of the platform.

PAD certification procedure

For certification of individual components, the Technical Rules cite a different AgID document, the Operational Scheme,^[6] which establishes the following:

• the certification and conformity process;
• application for certification.

The procedure starts with a request from the platform owner to the AgID for certification of a new component or a new version of a previously certified component that extends its functionality. The request is sent electronically to the authority’s PEC address using a form available on the institution’s website.^[7]

The application is accompanied by a self-assessment document of the platform’s compliance with the AgID Technical Rules, known as the checklist. This also serves as the basis for establishing tests that the manager must subsequently perform on the platform.

Once the application has been received, the AgID verifies that the documentation is complete. If the authority finds anything missing in the application, it sends the holder a request for additional information and provides a deadline for providing it. Failing to meet the deadline causes the application to be rejected.

Verification of requirements

After verifying that the application is complete, the AgID begins its preliminary assessment by notifying the holder and sending the file identifier.

The first step of the assessment checks whether the platform meets the Class II functional requirements. If the assessment has a negative outcome, the process is terminated without the certificate being issued. With a positive outcome, the AgID informs the holder and sends a request to the ANAC to allow the platform manager to access the IT application for verification of the Class III requirements (test environment).

Once a manager is authorized, the holder provides the manager with the checklist validated by the AgID so that the manager can verify that Class III requirements (interoperability requirements) are being met; the results of the tests carried out by the manager are included in an updated checklist that the holder then sends to the AgID within 60 days of AgID notification of successful completion of the first step, under penalty of rejection of the application.

Decision on application and component certification

The decision on the application for certification is communicated by the AgID to the holder. If the decision is positive, the AgID sends the certificate for the individual platform component to the holder and notifies the ANAC so it can update the Register of Certified Platforms.

Notification of authorized operators

After obtaining the certificate for a platform component, the holder communicates to the AgID the contact information for platform operators to whom the holder intends to grant use of the authorized components (if the holder is also the manager, they must communicate this circumstance in the same way). The authority verifies that the components have been certified and sends the ANAC the information needed to update the section of the platform register on authorized managers.

The holder must inform the AgID of any change in the authorized managers. Failing to do so may lead to withdrawal of certification.

Declaration of PAD compliance

Once the certification process is complete, an authorized manager who integrates one or more certified components on a platform and puts it or them into service performs the integration tests in the test environment provided by the ANAC and then issues a declaration of conformity.^[8]

In the declaration of conformity, the operator certifies compliance with the general requirements of Class I and guarantees:

• that the platform interoperability requirements are met;
• that users are correctly authorized in accordance with the Technical Rules;
• that management and supervision of the platform is carried out in accordance with the Technical Rules;
• that the activities carried out on the platform ensure compliance with protection of personal data in accordance with national and European data protection legislation;
• that there is compliance with the indications of the Technical Rules on the protection of personal data and with information relating to the processing and adoption of organizational measures adequate to guarantee the exercise of the rights of the data subjects;
• in the case of use by third parties, that a data controller has been appointed in accordance with the Technical Rules.

The authorized manager then sends the platform’s declaration of compliance to the AgID, which in turn sends it to the ANAC to update the register of certified platforms in the section on digital procurement platforms that have obtained platform declaration of compliance.

Maintenance of certification and post-certification checks

The certificate issued by the AgID to the holder for a new platform component is valid for a maximum of one year. To maintain certification, the holder must request renewal from an ISO/IEC 17065-accredited third-party assessment body under the procedure in the Operational Scheme.

An assessment body carries out an audit (at the holder’s expense) to verify that the platform components still comply with the Technical Rules and the AgID Operational Scheme.

If critical issues are identified during the audit, within 30 days the holder must provide the assessment body with an analysis of the causes and the risk that noncompliance extends to other elements of the platform, and within 90 days it must provide the body with evidence of the corrective actions it has taken to address critical issues (the timeframe may be shorter in the case of particularly serious issues).

If the audit is successful, the body issues a certificate of compliance for the platform components, and the holder must notify the AgID within five working days.

The recertification process must be carried out every two years.

Transitional measures

Finally, until December 31, 2025, platform holders may renew certificates previously issued by the AgID and due to expire on the basis of self-declarations and the results of the relevant interoperability tests, without the involvement of a third party.^[9]

[1] Legislative Decree 36/2023.

[2] Articles 21, 22, 25. and 26 of Legislative Decree 36/2023.

[3] By Resolution No. 137/2023. Technical requirements and certification procedures for digital e-procurement platforms, https://trasparenza.agid.gov.it/page/9/details/2894/adozione-del-provvedimento-requisiti-tecnici-e-modalita-di-certificazione-delle-piattaforme-di-approvvigionamento-digitale-ai-sensi-dellart-26-del-decreto-legislativo-31-marzo-2023-n-36-recante-codice-dei-contratti-pubblici-1372023.html.

[4] Article 19, Par. 1, Public Procurement Code.

[5] Art. 21 (1) and 22 (2) of the Public Procurement Code.

[6] Approved by the AgID Directorial Decree of 25 September 2023 (https://www.agid.gov.it/it/piattaforme/procurement/regole-tecniche-procurement), supplemented by the information provided on the AgID website in the section on e-procurement.

[7] Authorized managers are entities authorized by the controller to use the certified platform components once the AgID has issued certification for the individual component.

[8] Known as a platform instance.

[9] Pursuant to Article 12, col. 16-quater, of Legislative Decree No. 19 of 2 March 2024 – converted by Law No. 56 of 29 April 2024.