Every time a Peruvian company brings up a digital-signature project, the conversation opens with the same surprise: “Really, is it all legal already? Why isn’t anyone using it?” It’s a fair question. Since 2000, Peru has had a solid legal framework, an operational public infrastructure, and accredited certification authorities. Digital signatures with full legal validity, equivalent to handwritten signatures, are legally possible today.
What’s missing isn’t the framework. What’s missing is clean execution.
What already exists (and most people don’t know)
Legal framework:
- Law 27269 — Digital Signatures and Certificates Act (2000).
- Supreme Decree 052-2008-PCM — its operational regulation.
- Recognition of digital signatures with the same legal value as handwritten signatures, provided they’re issued under the Official Electronic Signature Infrastructure (IOFE).
Operational infrastructure:
- RENIEC operates the Certification Authority for the Peruvian State (ECERNEP) — the national root that sustains the trust of the entire chain.
- RENIEC also operates issuing CAs that deliver certificates for natural persons (via electronic DNI) and for legal entities.
- INDECOPI accredits Certification Service Providers (PSCs) — the set of organizations authorized to issue certificates under IOFE. RENIEC is one; other accredited private PSCs also exist.
What this means in practice:
A Peruvian company can, today, sign a contract with legal validity without paper, ink or procedural ambiguity. All it needs is for each signer to have a certificate issued under IOFE and a signing process that respects the technical format (typically PAdES over PDF).
So why does almost no one sign this way?
Despite having all the pieces, real adoption at medium and large companies is low. The reasons we see repeated across projects:
1. Confusion between electronic signature and digital signature
Peruvian law clearly distinguishes:
- Simple electronic signature — any electronic mark (a click, a typed name, a PIN). Conditional evidentiary value, not equivalent to handwritten.
- Advanced electronic signature — with greater technical guarantees, but still not automatically equivalent to handwritten.
- Digital signature — issued under IOFE, with a certificate from an accredited CA. This one is equivalent to handwritten by law.
Most SaaS “electronic signature” solutions sold by foreign vendors operate at the second level, not the third. For processes that require full legal validity —employment contracts, commercial agreements, corporate minutes— you have to make sure you’re using digital signatures under IOFE, not generic electronic signatures.
2. Technical integration with the national PKI
Connecting a company’s internal processes with RENIEC’s certification chain is non-trivial:
- Validating the chain of trust up to ECERNEP.
- Revocation checking (CRL or OCSP) during signing and during later validation.
- Handling the recognized signature formats (PAdES for PDF, XAdES for XML, CAdES for arbitrary data).
- Time stamping with recognized authorities to guarantee long-term validity (LTV).
Each of these is solvable. But it requires a team that understands the national PKI and the underlying ETSI standards. If the company improvises, you end up with technically valid signatures that an independent expert witness can challenge.
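Why revocation checking and time stamping decide whether a signature survives later scrutiny, as an added example (not code from the original article or from any signing library). It is a simplified model: `SignerCert`, `assess` and the dates are hypothetical, and it assumes the hash, the chain up to the root, the timestamp token and the revocation data have already been verified.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

@dataclass
class SignerCert:
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None  # revocation time from CRL/OCSP, if any

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

def assess(cert, validation_time, timestamp_time=None):
    """Verdict for a signature whose hash and chain checks already passed.

    A trusted timestamp proves the signature existed at timestamp_time.
    Without one, the signing time in the document is only the signer's claim,
    so existence is proven no earlier than validation_time.
    """
    proof = timestamp_time if timestamp_time is not None else validation_time
    if proof < cert.not_before:
        return ("INVALID", "certificate not yet valid at the proven time")
    if cert.revoked_at is not None and cert.revoked_at <= proof:
        return ("INDETERMINATE", "no proof the signature predates revocation")
    if proof > cert.not_after:
        return ("INDETERMINATE", "no proof the signature predates expiry")
    return ("VALID", "certificate was valid and unrevoked at the proven time")

def constructed_cases():
    # Constructed scenario: token reported lost, certificate revoked 2024-06-01.
    lost = SignerCert(utc(2023, 1, 1), utc(2025, 1, 1), revoked_at=utc(2024, 6, 1))
    plain = SignerCert(utc(2023, 1, 1), utc(2025, 1, 1))
    audit = utc(2026, 1, 1)  # the document is examined a year after expiry
    return {
        "revoked, timestamped before revocation": assess(lost, audit, utc(2024, 3, 1))[0],
        "revoked, no timestamp": assess(lost, audit)[0],
        "revoked, timestamped after revocation": assess(lost, audit, utc(2024, 7, 1))[0],
        "expired, timestamped while valid": assess(plain, audit, utc(2024, 3, 1))[0],
        "expired, no timestamp": assess(plain, audit)[0],
    }

if __name__ == "__main__":
    for name, verdict in constructed_cases().items():
        print(f"{verdict:14} {name}")
```

The INDETERMINATE rows are the signatures an expert witness can challenge: nothing proves they were made while the certificate was still good.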
3. Operational certificate management
A digital-signature certificate expires (typically every 1-3 years). If no bulk renewal process has been designed, there comes a moment when half your enabled signers are disabled overnight.
For a company with 50 signers this is solved manually. For one with 500, without a documented and automated process, it becomes a recurring crisis.
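One way to see the renewal cliff coming and spread the work, as an added example (not from the original article). The inventory is constructed, and the thresholds, lead time and daily renewal capacity are assumptions to adjust to your PSC's process.

```python
from collections import Counter
from datetime import date, timedelta

def expiry_cliffs(inventory, today, horizon_days=180, window_days=7, max_share=0.2):
    """Return [(window_start, count, share)] for each window in which more than
    max_share of the still-valid signers expire together."""
    active = [(s, exp) for s, exp in inventory if exp >= today]
    buckets = Counter()
    for _, exp in active:
        offset = (exp - today).days
        if offset <= horizon_days:
            buckets[offset // window_days] += 1
    cliffs = []
    for idx in sorted(buckets):
        share = buckets[idx] / len(active)
        if share > max_share:
            start = today + timedelta(days=idx * window_days)
            cliffs.append((start, buckets[idx], share))
    return cliffs

def renewal_plan(inventory, today, lead_days=30, per_day=10):
    """Schedule each renewal as late as possible, but at least lead_days before
    expiry and within a daily capacity. Returns (plan, unschedulable)."""
    load, plan, unschedulable = Counter(), {}, []
    for signer, exp in sorted(inventory, key=lambda r: r[1], reverse=True):
        day = exp - timedelta(days=lead_days)
        while day >= today and load[day] >= per_day:
            day -= timedelta(days=1)  # that day is full, try the day before
        if day < today:
            unschedulable.append(signer)  # cannot be renewed with the margin
        else:
            load[day] += 1
            plan[signer] = day
    return plan, unschedulable

def constructed_inventory(today):
    # Constructed data: 250 signers enrolled in one batch, 250 enrolled one per day.
    batch = [(f"batch-{i:03d}", date(2025, 9, 1)) for i in range(250)]
    spread = [(f"spread-{i:03d}", today + timedelta(days=200 + i)) for i in range(250)]
    return batch + spread

if __name__ == "__main__":
    today = date(2025, 6, 1)
    inv = constructed_inventory(today)
    print("cliffs:", expiry_cliffs(inv, today))
    plan, late = renewal_plan(inv, today)
    print("first renewal:", min(plan.values()), "unschedulable:", len(late))
```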
4. Private-key custody
Here the real security dimension enters. The private keys associated with the certificates can live:
- In the signer’s physical token (cryptographic USB, smart card). Maximum security, minimum scalability.
- In a corporate HSM with the person authenticating remotely. Better scalability, requires careful architecture.
- In the PSC’s cloud with the person authorizing each signature. Convenient, depends entirely on the provider’s security posture.
The choice depends on the use case: bulk signing requires a corporate HSM, individual high-value signatures can use physical tokens, and casual low-risk signatures can live in the PSC’s cloud. No scheme is universal.
Use cases where it makes sense to start
Not every company signature needs to migrate to digital signature at once. We recommend prioritizing by legal value and volume:
- Employment contracts and amendments — high legal value, medium volume, fast ROI.
- Corporate and board minutes — very high value, low volume, low resistance to change.
- B2B commercial agreements — depends on the counterparty’s readiness.
- Internal approvals with evidentiary value — internal invoices, vacations, expenses, access.
- Customer communications requiring non-repudiation — operation confirmations, contractual modifications.
Cases where it’s not yet worth starting: marketing emails, generic web forms, surveys, anything a simple electronic signature already solves.
What a well-executed project looks like
When we accompany a digital-signature project at a Peruvian company, the recipe that repeats with good results is:
- Use-case inventory — all the processes where things currently get printed, signed and scanned. Prioritize by legal value × volume.
- PSC selection — RENIEC or a private PSC, depending on certificate volume, signer profile and required support.
- Key custody architecture — token vs. HSM vs. cloud, decided per use case.
- Technical integration — signing libraries (typically PAdES over PDF), OCSP/CRL validation, time stamping.
- Operational manuals — for signers and for the team that governs the system. How to renew, how to revoke, what to do if a smart card is lost.
- Pilot — one real use case with a bounded group, 60-90 days, before extending.
- Gradual extension — subsequent use cases leverage the already-validated infrastructure.
A project like this typically takes 6-9 months for a first operational wave. The organization is left with a permanent capability, not a point solution.
The argument that actually closes with the board
When you have to convince the board, the technical argument (legal validity, operational efficiency) usually isn’t enough. What closes the decision:
- Reduced audit cost — digitally signed processes are easier to audit and trace.
- Operation close time — weeks become hours when signature is no longer the bottleneck.
- Resilience in the face of disruption — pandemic and remote work become non-problems.
- Positioning vs. international counterparties — the degree of contract digitization is now an eligibility factor in some markets.
At 2PSECURE we design and implement end-to-end digital-signature projects for Peruvian companies: key-custody architecture, IOFE integration, signing libraries, operational manuals and team training. As official representatives in Peru of Utimaco and HST, we also size HSM infrastructure when volume requires it. If your company wants to implement digital signatures with full legal validity, let’s talk about your case.