Digital authentication is no longer just about convenience; it is about survival. Managing customer onboarding, contracts, or remote transactions online requires a shift in strategy, as static security measures cannot keep up.

Ever since Spain's anti-money laundering authority (SEPBLAC) pioneered remote video identity verification back in 2016, the adoption curve has skyrocketed globally. Today, the world's leading financial institutions and fast-scaling digital brands have completely replaced manual checks with frictionless, camera-first video identification.

The modern standard is simple: a secure, compliant onboarding process completed in under five minutes from any device. This setup delivers flawless compliance with European AML directives, international KYC protocols, and stringent SEPBLAC mandates, all while tackling the single biggest threat to your bottom line: identity fraud.

The threat landscape is changing fast. Recent cybersecurity data shows that identity theft now accounts for 33% of digital fraud in Spain.

Thanks to the democratisation of generative AI, bad actors are deploying incredibly realistic deepfakes to bypass traditional security perimeters. To protect your business from catastrophic financial and legal fallout, upgrading your digital authentication posture is an urgent priority.

Winning the war against digital fraud requires an interconnected ecosystem:

• Biometric Authentication & Liveness Detection: Ensuring a real human is present, not a photo or video loop.
• Automated Document Verification: Real-time analysis of international ID patterns.
• Multi-Factor Authentication (MFA): Adding dynamic verification layers to every high-risk action.

At Lleida.net, we engineer these exact frameworks, built for rapid deployment, high conversion, and total compliance.

Identity validation is no longer a compliance checkbox; it is a critical revenue-protection layer.

High-security onboarding doesn't have to mean high-friction development. Lleida.net's eKYC Video engine integrates into your existing digital ecosystem in under 48 hours with minimal coding required.

Your users only need a camera-enabled smartphone or laptop, an internet connection, and a valid ID. To match your specific business model, the platform operates across two flexible modalities:

• Real-Time Assisted Video: A live verification expert guides the user through a secure video consultation.
• Automated Unassisted Video: The user completes a self-service workflow, while our advanced Back Office verifies documents and biometric markers in the background.

To maximise conversions, you can trigger automated SMS or email invites to push users directly into this secure digital authentication funnel. The entire experience is fully white-labelled, meaning your customers enjoy a seamless, trusted journey under your own corporate brand.

While identity verification checks who a user is upfront, digital authentication ensures they remain that same person across every interaction. It goes way beyond initial video onboarding, solving a critical security puzzle: how do you guarantee there's a legitimate user on the other side of that screen?

To keep your platform secure without destroying the user experience, deploying a robust digital authentication strategy means choosing the right methods:

• Two-Factor Authentication (2FA): Also known as two-step verification, this combines two independent security layers, such as a standard password and a one-time SMS code.
• Multi-Factor Authentication (MFA): Takes security a step further by adding additional layers of validation, usually requiring a physical token or biometric data.
• Biometric Authentication: Uses unique physical traits for instant verification, relying on fingerprints, facial recognition, or voice tech

Lleida.net provides a versatile suite of authentication tools designed to secure electronic signatures and shield sensitive portal entry points. When choosing a digital authentication method to secure electronic signatures, businesses can deploy several advanced frameworks to shield sensitive portal entry points.

Securing the Electronic Signature Journey

1. Direct-to-User OTPs (SMS, Email, or WhatsApp)

The backbone of modern Two-Factor Authentication (2FA). Lleida.net generates and delivers One-Time Passwords directly to your users' preferred messaging channels, without exposing them to third parties. For high-stakes operations, this delivery can be fully certified to provide ironclad admissible evidence in court.

2. Pre-Arranged Access Codes

Perfect for closed enterprise environments or B2B transactions. Signees authenticate using a confidential, pre-established code that is never transmitted over vulnerable communication channels.

3. Dynamic Smart Attachments

An adaptive security layer that prompts users to upload specific evidence (such as a payslip, identity document, or reference contract) mid-workflow to validate eligibility before signing.

4. eIDAS-Compliant Digital Certificates

Authenticate both individual users and corporate entities instantly, zero passwords required. By pulling certified electronic IDs, the system handles automated, real-time validity and revocation checks (via OCSP/CRL lookups) against eIDAS-trusted Certification Authorities (TSL). It's the ultimate way to deliver secure digital authentication without compromising on strict European regulatory compliance.

5. Instant Biometric & Document Profiling

A complete verification suite triggered by a simple ID scan and a selfie to complete the digital authentication journey

• AI Document Parsing: Instant OCR data capture and MRZ code analysis covering documents from over 240 countries.
• Graphic Verification: Automated integrity checks on embedded signatures, fingerprints, and holographic features.
• Facial Matching: Advanced algorithms compare the document asset against a live liveness check in real-time.

6. Pre-Signature Video Auditing

The absolute gold standard for high-risk corporate actions, financial service activation, and digital banking. Capturing a full audio-video record of the signing intent provides ironclad compliance with the Spanish Anti-Money Laundering Act (PBC/FT) and with strict SEPBLAC and Banco de España mandates.

It guarantees your platform is fully covered across all major European regulatory frameworks, including:

• KYC & AML (Know Your Customer / Anti-Money Laundering)
• GDPR (Data Privacy)
• PSD2 (Open Banking)

Securing Gateway and Customer Portal Access

Protecting user login pages is just as critical as verifying identities during the signing process. Lleida.net delivers two frictionless methods to deploy two-factor digital authentication across your portals:

• SMS & Email 2FA (One-Time Passwords): Users log in with their standard credentials and instantly verify their identity using a secure, single-use OTP code delivered straight to their preferred channel (SMS or email).
• Certvalidator: Complete passwordless ecosystem entry using pre-verified digital certificates aligned with global eIDAS frameworks.

Every workflow is unique. Let our solutions team analyse your processes and architect the optimal, conversion-friendly security mix for your brand.

Which verification method fits your needs? Let us analyse your process and recommend the ideal setup. Book your personalised demo today

YOU MIGHT ALSO BE INTERESTED IN:

The Top 5 Digital Frauds to Watch in 2025 and How to Stop Them

Fulfilling mandatory ADR requirements is no longer just a procedural recommendation; following the enactment of Spain's Organic Law 1/2025 (January 2, 2026), making Alternative Dispute Resolution (ADR) attempts a mandatory prerequisite for court admissibility has turned into a strict pre-litigation hurdle. As regional courts heavily scrutinise digital communications, corporate legal departments face a simple question: What constitutes definitive proof that you tried to negotiate and successfully met all mandatory ADR requirements?

While early case law focused on defining basic criteria for digital evidence, the legal landscape has evolved rapidly. In our previous article, "How to Prove ADR Compliance", we broke down the core requirements this evidence must meet and analysed the first three landmark rulings that backed Lleida.net’s certified email. Since then, ADR case law has grown exponentially.

To date, eight separate benchmark rulings issued by six different Regional High Courts (Navarra, Gipuzkoa, Ourense, Huelva, Álava, and Palma de Mallorca) have aligned on a single corporate standard: the Certificate of Digital Evidence issued by Lleida.net as a Qualified Trusted Third Party provides full, irrefutable proof that satisfies all statutory mandatory ADR requirements.

This analysis breaks down the current state of this landmark case law and deep dives into the recent High Court of Álava ruling No. 88/2026. It extracts the consolidated legal principles that every global compliance and litigation team should implement immediately to guarantee adherence to these mandatory ADR requirements.

One of the most consequential decisions for pre-litigation technology and mandatory ADR requirements is Ruling No. 88/2026 (March 9, 2026), issued by the First Section of the High Court of Álava (Vitoria-Gasteiz, Case Ref: ROJ: AAP VI 82/2026 – ECLI:ES:APVI:2026:82A).

The Case Facts

A consumer holding a credit line agreement executed in 2010 filed a lawsuit in July 2025 seeking a declaration of nullity. To satisfy the mandatory ADR requirement, the claimant submitted a Lleida.net Registered Email Evidence Certificate. The document verified that the dispute notice was successfully delivered to the customer service inbox of the defendant financial institution, logging the exact date, timestamp, and metadata that matched the subject line of the attached claims document.

However, the lower Court of First Instance No. 6 of Vitoria-Gasteiz dismissed the claim on a technicality, arguing the certificate only proved the operator sent the email, not the exact date the defendant opened it.

The claimant appealed on three core legal grounds to prove they had met all necessary mandatory ADR requirements:

1. Consumer Protection Statutes: Under the Additional Provisions of Organic Law 1/2025, consumers are only required to show that a good-faith out-of-court claim has remained unanswered or unresolved to satisfy their statutory mandatory ADR requirements.
2. Verified Delivery Channel: The notice was delivered to a public, corporate email address explicitly provided by the institution in its own standard terms, with delivery fully certified by an independent third party.
3. Constitutional Right to Process: Proving actual visual opening on the receiving end was impossible due to the recipient's internal server configurations or potential IT errors, making dismissal a violation of due process and a misinterpretation of mandatory ADR requirements.

The Core Ruling: Delivery Equals Notice (The "Control Sphere" Principle)

The Regional High Court reversed the lower court’s dismissal, ruling the pre-litigation requirement fully satisfied, based on the following key legal rationales:

• On the Verified Email Channel: The court emphasised that the corporate inbox used for the dispute notice was a public, standard channel designated by the enterprise itself in its adhesion contracts. Therefore, it constitutes a fully valid vector for legal notice.
• On Delivery vs Reading Receipts: The High Court was categorical: whether the corporate recipient chose to open, click, or read the email or its attachments is entirely beyond the claimant's control. Requiring proof of an internal opening imposes an unfair burden on the sender and violates the fundamental right to judicial protection.

Consequently, the court ruled that delivering a certified message to the recipient’s server establishes a serious, active attempt to settle, thereby clearing any mandatory ADR requirements. This aligns perfectly with the established "control sphere" doctrine (acto recepticio): legal notice is effective the moment it enters the recipient’s domain of control, regardless of whether they choose to ignore or delete it.

Key Precedents: High Court ADR Case Law Tracker

No.	Regional High Court	Ruling Ref.	Evidence Level Evaluated	Court Decision & Criterion
1	AP Ourense	AAP OU 785/2025	Sent, Content, Delivered, Opened	Full, indisputable legal notice established.
2	AP Huelva	AAP H 368/2025	Server Reception	Prior out-of-court claim delivery is sufficient.
3	AP Navarra	AAP NA 1770/2025	Sent, Received, Content Integrity	Satisfies evidence standards under strict scrutiny.
4	AP Gipuzkoa	AAP SS 1/2026	Sent, Delivered	Delivery implies access; proof of reading not required.
5	AP Navarra	AAP NA 555/2026	Sent, Server Reception	Receipt at destination fulfils statutory ADR rules.
6	AP Álava	AAP VI 78/2026	Sent, Delivered	Technical digital certification provides sufficient proof.
7	AP Álava	AAP VI 82/2026	Sent, Delivered	Consolidates the evidentiary sufficiency of Registered email.
8	AP Baleares	AAP IB 51/2026	Sent, Delivered	Recognised as a valid, binding pre-litigation proof.

From a forensic and legal-tech perspective, corporate counsel must also study the boundaries where digital notice fails to meet mandatory ADR requirements.

The most illustrative example is a recent ruling by the High Court of Madrid (AAP M 1168/2026). In this instance, the lawsuit was dismissed because the claimant could not prove that the destination email address actually belonged to the defendant, nor that it had been agreed upon or designated as an official communications channel between the parties.

Crucial Takeaway: This ruling does not challenge the technical validity of Registered email. Instead, it highlights that even the best digital evidence cannot fulfil mandatory ADR requirements if it is sent to an unverified or unlinked communication vector.

From this massive block of High Court case law, we can extract four core principles that establish a uniform standard for fulfilling mandatory ADR requirements:

1. Qualified Third-Party Dominance: Electronic evidence certified by an independent, trusted operator (such as Lleida.net) constitutes a valid, sufficient, and highly effective legal proof in court.
2. The Delivery Standard: Legal certitude is achieved when the document is successfully placed at the recipient’s disposal (control sphere). Actual user reading or click tracking is entirely optional to satisfy mandatory ADR requirements.
3. Recipient Passivity Protection: A defendant’s failure to open, read, or reply to a Registered email cannot be used to penalise the claimant who acted in good faith.
4. Channel Integrity: The digital notice must invariably be sent to a channel, server, or inbox explicitly authorised, public, or legally attributable to the counterparty.

Taken together, these criteria define with precision the objective and uniform evidentiary standard that courts are progressively applying.

Lleida.net’s Registered Email, which provides explicit indication of the recipient's email address, exact date and server delivery timestamps, message subject, cryptographic content hashes of attachments, and full communication audit trails, completely satisfies this standard when directed to the correct channel. The reiteration of these criteria across multiple rulings from various Regional High Courts firmly confirms this.

The latest judicial updates confirm a mature, objective evidentiary standard for corporate dispute resolution. For compliance and legal operations teams running high-volume claims, ensuring your workflow strictly aligns with mandatory ADR requirements is vital.

YOU MAY ALSO BE INTERESTED IN :

How to prove an ADR in Spain: three court rulings endorse Registered email as valid evidence

Achieving SMS Compliance Spain is now a top priority for international brands. If your business sends alphanumeric messages to the Spanish market (+34), you must adapt to a new regulatory framework.

According to Order TDF/149/2025, the Spanish National Regulatory Authority (CNMC) has mandated that every Alphanumeric Sender ID must be registered. To ensure your SMS Compliance Spain, your brand names must be verified in the national database by 7 June 2026. Messages from unregistered aliases will be blocked by local operators, with no exceptions.

After this date, any SMS, MMS, or RCS message sent to a Spanish mobile number using an unregistered alias will be summarily blocked by local network operators. There will be no grace period beyond this date

This shift in SMS Compliance Spain is part of a European-wide effort to combat smishing (SMS phishing). By creating a verified SMS Sender ID registration system, authorities ensure only legitimate owners can use specific brand names.

As a licensed Tier-1 operator in Spain, Lleida.net is managing the SMS compliance transition for our international partners to ensure zero service interruption.

This guide breaks down exactly how international senders must register their SMS aliases with the CNMC.

Key Requirements for SMS Compliance Spain

The CNMC Alias Registry (regulated under Circular 1/2026 serves as the official clearinghouse for all alphanumeric traffic. Understanding the registry's rules is the first step toward SMS Compliance Spain. It provides the legal framework for the security requirements set out in Order TDF/149/2025.

What is an SMS Sender ID?

A Sender ID is the alphanumeric string (e.g., LLEIDA.NET, HMRC, or ROYAL-MAIL) that identifies your brand. To maintain your SMS Compliance Spain, these names can no longer be used freely without prior validation.

Until now, any business could use virtually any name as a sender, a loophole frequently exploited by scammers to impersonate trusted brands. The new SMS Registry shuts this door: if a Sender ID is not registered and verified, the message will be blocked at the gateway.

Does this apply to your business?

Yes. To ensure full SMS Compliance Spain, any business sending messages to Spanish mobile numbers (+34) must register their aliases to ensure SMS Compliance Spain., regardless of their company’s headquarters.

To maintain SMS Compliance Spain, you have three paths for registration:

• The Sender ID owner (company or public body)
• The Registered Originating Provider (ROP) on their behalf
• An expressly authorised third party

To maintain SMS Compliance Spain, registration is mandatory for these services:

• Standard & Registered SMS, RCS
• Click & Sign (E-signature)
• Openum
• Tailored SMS workflows.

All custom SMS Sender IDs must be CNMC-registered, regardless of the platform you use.

Registration Roadmap: 3 Steps to Comply

To guarantee your SMS Compliance Spain, follow this technical process:

1. Audit your IDs: Identify every alphanumeric sender you use for the +34 market.
2. Log in to the CNMC E-Office: is managed through the CNMC’s electronic office. The process requires authentication via digital certificate or the Cl@ve system, and for your convenience, multiple aliases can be registered within a single application.

3. Await Approval: The maximum processing time is one month.

Need help? Our team is available to support you throughout the process.

Step-by-Step: The Filing Process

To secure your SMS Compliance Spain, applicants (whether the owner or an authorised third party) must provide the following details in the form:

• The Sender ID to be registered
• Proof of legitimate link to the owner
• Owner’s details and activation date
• Expected end date (optional)
• Third-party details (ROP or other authorised entity), if applicable

If the applicant is not the owner, the CNMC will require the owner to expressly confirm authorisation within 10 working days.

Step-by-Step Guide: CNMC Portal

The critical distinction is between the Sender ID owner and the filer, as this dictates the specific workflow and timelines.

Registering your SMS Sender ID as a Lleida.net client:

• Access the CNMC E-Office: Log in using a digital certificate or the Cl@ve system.
• Select Applicant Type: Choose "On own behalf" and enter your credentials (NIF/Tax ID, name, company, email, address, and phone).
• Select Submission Type: Choose "Sender ID Registration"
• Legal Representative: Enter the details for the owner’s authorised signatory.
• Configure your Alias: Set the name, activation date, and upload your Proof of Authority (legitimate link documentation). Finally, select your provider; if you are a Lleida.net client, we are listed as an available originating provider in the dropdown menu.

Need help with your registration? Contact the support desk at: [email protected]

What about your existing Sender IDs?

To guarantee a seamless transition, the regulation allows Registered Providers to perform a one-time bulk migration of all active IDs. Lleida.net will handle this process on behalf of its clients, who must confirm the registration of their Sender ID within 10 working days by following the instructions sent to them by email.

If you would like your IDs included in this priority upload, please submit your details via our portal by 26 April 2026.

When does the mandatory blocking of unregistered Sender IDs begin?

The enforcement of these blocking obligations officially kicks in on 7 June 2026. Until 6 June, providers will have access to a dedicated testing environment to recalibrate their systems and finalise the SMS Sender ID registration for all active IDs.

Beyond the Registry: Real-Time Verification

The new SMS database is just one pillar of a major anti-fraud offensive led by the Spanish Ministry for Digital Transformation. To add a second layer of defence, the CNMC is launching a Public Lookup Portal. This "transparency hub" will allow businesses and consumers to verify Sender ID ownership on the fly, making it significantly harder for scammers to operate under the radar.

Do you use alphanumeric senders for your SMS campaigns in Spain? You must take action now to ensure your SMS Compliance Spain is up-to-date. Contact us today if you require assistance or further information.

Contact Lleida.net Support

Source: CNMC (National Markets and Competition Commission, Spain)