Mailbox backup is no longer enough
In most Italian SMEs corporate email is «retained» in one of three ways: left in each user's mailbox, backed up periodically as part of the Microsoft 365 or Google Workspace tenant, or occasionally exported into PST files on a NAS. None of these three methods meets the legal retention requirements set by Italian and European regulation.
The distinction between backup and archiving is not a semantic exercise. Backup is about restoring data after an incident; archiving is about proving that a document existed in a certain form on a certain date. They are two tools with different goals, answering different questions: backup answers «can I restore?», archiving answers «can I prove?». Many regulations require both, and a backup cannot stand in for an archive because nothing in it prevents the data from being altered or deleted before restoration.
What the law requires
Article 2220 of the Italian Civil Code requires accounting records to be retained for ten years from the date of the last entry, and for the same period the invoices, letters and telegrams received and the copies of those sent. Business email that documents orders, confirmations, payments or invoices (including those transmitted via PEC) is today's form of that correspondence. The ten-year term is not a best practice: it is a civil law obligation.
Layered on top of the Civil Code:
- Italian Digital Administration Code (CAD), article 43 — sets out the requirements for compliant retention of electronic documents, applicable to any communication carrying evidentiary value.
- Electronic invoicing via the SdI exchange system — adds a further obligation of compliant retention with technical requirements defined by the Italian Revenue Agency, which extends to the emails accompanying the invoices.
- Regulation (EU) 2016/679 (GDPR) — requires a documented legal basis for the extended retention of personal data contained in business communications, and access control strong enough to demonstrate who saw what, and when.
- Directive (EU) 2022/2555 (NIS2) — for in-scope organisations it requires the preservation of logs and evidence to support incident management and notification to the competent authority.
- Italian PEC (Certified Email) — carries the same legal weight as registered mail with return receipt. The acceptance receipt and delivery receipt, signed by the PEC provider, are legally relevant evidence: they must be retained intact, with their signatures, otherwise their evidentiary value is lost.
What a compliant email archive must do
An email archive that holds up in litigation, a NIS2 audit or an inspection by the Italian Data Protection Authority has very specific characteristics, quite different from those of a simple backup:
1. Immutability — once written, an email can no longer be modified or deleted before its retention period expires. Not even a system administrator with full privileges should be able to alter the archive; the retention lock must be enforced by the storage, not by a permission that can be granted back.
2. Digital signature with RFC 3161 timestamp — the archive hashes each message and obtains a timestamp token from an external Time Stamping Authority, which signs the hash together with the time. Anyone holding the original message bytes, the token and the TSA's certificate can verify integrity and date independently of the archive itself, a critical requirement for presenting a message as evidence in court.
3. Legal hold — the ability to selectively block a set of emails for litigation or inspections, preventing deletion even after the ordinary retention period has expired.
4. Full-text eDiscovery — search the entire content of messages and attachments across millions of emails, at response times compatible with the demands of a court-appointed technical consultant or an inspector.
5. Dedicated Privacy Officer — a role separate from the system administrator, authorised to control access to sensitive data and grant temporary authorisations. Even admins must request permission to consult the archive, and every consultation is logged.
6. PEC compatibility — the archive must preserve the legal validity of the acceptance receipt, the delivery receipt and the transport envelope, via a dedicated IMAP connector that keeps headers, signatures and metadata intact.
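The verification described in point 2, as an added example that is not AtWorkStudio's code: it builds the DER TimeStampReq that leaves the archive (only a digest and a nonce, never the message), then re-hashes the stored raw message and compares it with the messageImprint inside a TSTInfo. The sample message, the nonce, the serial number, the placeholder policy OID and the `build_tstinfo` helper are all constructed here to stand in for what a real TSA returns; the CMS signature over the TSTInfo and the TSA certificate chain are not checked by this code (that step is what `openssl ts -verify` or a CMS library does).

```python
import hashlib
from datetime import datetime, timezone

# Constructed sample message (not a real email): the raw RFC 5322 bytes the
# archive stores. The digest must be computed over exactly these bytes,
# never over a rendered or re-encoded view.
SAMPLE_EML = (
    b"From: acquisti@example.it\r\n"
    b"To: vendite@example.com\r\n"
    b"Subject: Conferma ordine 117\r\n"
    b"Date: Mon, 04 Mar 2024 10:15:00 +0100\r\n"
    b"\r\n"
    b"Confermiamo l'ordine n. 117: 40 pezzi a 12,50 EUR cad.\r\n"
)

SHA256_OID = "2.16.840.1.101.3.4.2.1"
PLACEHOLDER_POLICY_OID = "1.2.3.4.5"   # assumption: a real TSA uses its own policy OID


# --- minimal DER helpers, enough for TimeStampReq and TSTInfo -----------------
def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n: int) -> bytes:
    # two's-complement, minimal length (a leading 0x00 keeps positives positive)
    return der(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, bytes(body))


def oid_decode(body: bytes) -> str:
    arcs, v = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        v = (v << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(v)
            v = 0
    return ".".join(map(str, arcs))


def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value_start, value_end) of the TLV at pos."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + ln


def der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_bytes) for each TLV packed between start and end."""
    pos = start
    while pos < end:
        tag, s, e = der_read(buf, pos)
        yield tag, buf[s:e]
        pos = e


# --- RFC 3161 structures --------------------------------------------------------
def message_imprint(data: bytes) -> bytes:
    # MessageImprint ::= SEQUENCE { hashAlgorithm AlgorithmIdentifier, hashedMessage OCTET STRING }
    # NULL parameters are what `openssl ts -query` emits; RFC 5754 prefers them absent.
    alg = der(0x30, der_oid(SHA256_OID) + b"\x05\x00")
    return der(0x30, alg + der(0x04, hashlib.sha256(data).digest()))


def build_timestamp_request(data: bytes, nonce: int, cert_req: bool = True) -> bytes:
    """DER TimeStampReq (RFC 3161 section 2.4.1): version, imprint, nonce, certReq."""
    body = der_int(1) + message_imprint(data) + der_int(nonce)
    if cert_req:                        # ask the TSA to include its certificate
        body += der(0x01, b"\xff")
    return der(0x30, body)


def build_tstinfo(data: bytes, serial: int, gen_time: datetime, nonce: int) -> bytes:
    """Constructed stand-in for the TSTInfo a TSA returns inside its signed token."""
    gt = gen_time.astimezone(timezone.utc).strftime("%Y%m%d%H%M%SZ").encode()
    body = (der_int(1) + der_oid(PLACEHOLDER_POLICY_OID) + message_imprint(data)
            + der_int(serial) + der(0x18, gt) + der_int(nonce))
    return der(0x30, body)


def parse_tstinfo(tst: bytes) -> dict:
    tag, s, e = der_read(tst)
    if tag != 0x30:
        raise ValueError("TSTInfo must be a SEQUENCE")
    f = list(der_children(tst, s, e))        # version, policy, imprint, serial, genTime, ...
    alg, digest = list(der_children(f[2][1], 0, len(f[2][1])))
    oid = next(der_children(alg[1], 0, len(alg[1])))
    info = {
        "version": int.from_bytes(f[0][1], "big", signed=True),
        "policy": oid_decode(f[1][1]),
        "hash_oid": oid_decode(oid[1]),
        "digest": digest[1],
        "serial": int.from_bytes(f[3][1], "big", signed=True),
        "gen_time": f[4][1].decode(),
    }
    for tag, val in f[5:]:                    # optional nonce is the INTEGER after genTime
        if tag == 0x02:
            info["nonce"] = int.from_bytes(val, "big", signed=True)
    return info


def verify_against_token(raw_eml: bytes, tstinfo: bytes, expected_nonce=None):
    """Re-hash the stored bytes and compare with the token's imprint.
    Returns (ok, detail). Does NOT verify the TSA's CMS signature."""
    info = parse_tstinfo(tstinfo)
    if info["hash_oid"] != SHA256_OID:
        return False, f"unexpected digest algorithm {info['hash_oid']}"
    if hashlib.sha256(raw_eml).digest() != info["digest"]:
        return False, "digest mismatch: stored message differs from what was timestamped"
    if expected_nonce is not None and info.get("nonce") != expected_nonce:
        return False, "nonce mismatch: token does not answer our request"
    return True, f"message existed at {info['gen_time']} (serial {info['serial']})"


NONCE = 0x5EED1234ABCD                      # constructed; use os.urandom(16) in practice
SAMPLE_TSTINFO = build_tstinfo(
    SAMPLE_EML, serial=4711,
    gen_time=datetime(2024, 3, 4, 9, 16, 2, tzinfo=timezone.utc), nonce=NONCE)

if __name__ == "__main__":
    print(verify_against_token(SAMPLE_EML, SAMPLE_TSTINFO, NONCE))
    tampered = SAMPLE_EML.replace(b"12,50", b"12,00")  # a one-figure change to the price
    print(verify_against_token(tampered, SAMPLE_TSTINFO, NONCE))
```

The check deliberately reads nothing from the archive's own index: it needs the stored message bytes, the token and (in a real deployment) the TSA's certificate. That is what makes the proof portable to a court-appointed consultant who does not trust the archive operator.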
The ATWS Email Archiving service
To address these needs AtWorkStudio offers Email Archiving, a compliant email archiving service compatible with Microsoft 365, on-premise Exchange, Google Workspace, Zimbra and any other mail server via SMTP or IMAP. It includes native support for Italian PEC, digital signing with RFC 3161 timestamps and AES-256 encryption of stored data, and is available as a managed cloud service with data hosted in the EU or on-premise in the customer's own datacentre.
AtWorkStudio has been operating from Piacenza since 2000. We are certified ISO/IEC 27001, 27017, 27018 and ISO 9001, with ACN qualification for cloud services. We are members of Clusit (the Italian Association for Information Security) and affiliated with Confindustria Piacenza through the RICT cluster. We design and operate archiving services as components of a broader compliance architecture, aligned with GDPR, NIS2 and ISO 27001 requirements.
Sources
- Italian Civil Code — Article 2220, retention of accounting records
- Legislative Decree 7 March 2005 no. 82 (Italian Digital Administration Code) — Article 43, retention of electronic documents
- Regulation (EU) 2016/679 (GDPR) — Articles 5, 32 and 89
- Directive (EU) 2022/2555 (NIS2) — Articles 21 and 23, risk management and incident notification
- Italian Revenue Agency — Guidelines on compliant retention of electronic invoices
- AgID — Guidelines on the creation, management and retention of electronic documents