A digital Europe built on trust – ENISA guidelines on uptake of Qualified Trust Services
To ensure a high level of security of qualified trust services, the electronic identification, authentication and trust services regulation (eIDAS) foresees an active supervision scheme of qualified trust service providers (QTSP) and the qualified trust services (QTS) they provide by the national competent supervisory bodies (SB). The SB supervise, ex ante and ex post, the fulfilment of the regulation’s legal requirements and obligations.
eIDAS aims to ensure that the QTSP and the QTS they provide meet the requirements laid down from initiation up to termination of such services. The following reports provide recommendations and guidelines to eIDAS stakeholders:
- Guidelines on initiation of qualified trust services;
- Guidelines on supervision of qualified trust services;
- Guidelines on termination of qualified trust services.
Working towards a harmonized adoption of the eIDAS regulation, further guidance is needed in order to support the fulfilment of requirements originating from the non-mandatory articles of the regulation. QTSP should therefore take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide and to prevent and minimise the impact of security incidents.
Moreover, guidelines are needed to support QTSP in preparing for the conformity assessment with respect to the eIDAS regulation requirements and obligations. Within this scope, ENISA has prepared the following reports:
- Recommendation for QTSP based on Standards;
- Conformity assessment of QTSP;
- Security framework for QTSP.
The eIDAS regulation provides a regulatory environment for the electronic identification of natural and legal persons and for a set of electronic trust services, namely electronic signatures, seals, time stamps, registered delivery services and certificates for website authentication.
The eIDAS regulation sets the principle of non-discrimination of the legal effects and admissibility of electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and electronic documents as evidence in legal proceedings. Courts (or other bodies in charge of legal proceedings) cannot discard them as evidence only because they are electronic, but have to assess these tools in the same way they would do for their paper equivalent.
To further enhance the trust of small and medium-sized enterprises and consumers in the internal market and to promote the use of trust services and products, the eIDAS regulation introduces the notions of qualified trust service and qualified trust service provider with a view to indicating requirements and obligations that ensure high-level security and a higher presumption of their legal effect.