Information for trust service providers
Non-qualified trust service providers
Non-qualified trust service providers (TSPs) are not required to notify the supervisory body of their activities. They are nonetheless obliged to meet certain general security requirements as specified in Art. 19 of the eIDAS Regulation. In particular they are required to control the security risks involved in providing their trust services by taking appropriate measures in terms of technology and organisation. In taking such measures, they are required to ensure that the level of security is appropriate for the amount of risk, while consistently implementing the most advanced technology. Measures are to be specifically taken to avoid the effects of any breach of security or to limit such effects as far as possible, and to inform those affected by such incidents of the detrimental consequences. The European Commission can detail such measures in implementing acts. In the absence of such acts, relevant standards can be applied (e.g. the ETSI policy requirements for the particular trust service).
Non-qualified TSPs are also obliged to notify the supervisory body and, where applicable, other bodies (e.g. the data protection authority) of any breach of security or loss of integrity that has a significant impact on the provided trust service or on the personal data maintained as part of the service, without undue delay but in any event within 24 hours after having become aware of the particular incident. Where an incident is likely to adversely affect a natural or legal person to whom the trust service has been provided, the TSP is also required to notify the natural or legal person of the breach of security or loss of integrity without undue delay. The European Commission can issue implementing acts specifying details of the form and procedures for notification. In the absence of such acts, the supervisory body will align its interpretation of this provision with relevant documents issued by ENISA. In particular, the Proposal for Article 19 incident reporting is (also) useful as a guideline for determining whether or not to report an incident.
Non-qualified TSPs as well as the trust services they provide are to be included in the trusted list on request. Interested parties are asked to contact RTR on this matter.
Qualified trust service providers
All requirements applying to non-qualified trust service providers (TSPs) also have to be met by qualified TSPs. Qualified TSPs are additionally responsible for meeting special requirements.
The general requirements applying to qualified TSPs are specified in Art. 24 of the eIDAS Regulation. Special requirements for certain types of qualified trust services are specified in Articles 25 to 45 of the eIDAS Regulation.
Where TSPs intend to start providing qualified trust services pursuant to Art. 21 of the eIDAS Regulation, they are required to submit to the supervisory body a notification of their intention together with a conformity assessment report issued by a conformity assessment body. Generally, every TSP can choose which conformity assessment body to mandate with the assessment. However, the supervisory body can perform a review itself or mandate a conformity assessment body to carry out an assessment at the expense of the TSP – in particular in those cases where the conformity assessment report submitted by the TSP does not fully meet the requirements.
An informal list published by the European Telecommunications Standards Institute (ETSI) includes conformity assessment bodies for trust services for which qualified certificates are issued that are used for the purpose of website authentication. It should be noted, however, that only the accreditation body of the Member State in which the conformity assessment body is established is qualified to give accreditation status information on that conformity assessment body. A list of the national accreditation bodies is published on the website of the European co-operation for Accreditation (EA).
Note: Due to the high standards applying to qualified trust services, potential providers of such services are advised to contact RTR well in advance.