Under Regulation (EU) No 910/2014 (eIDAS), a Trust Service Provider (TSP) is defined as “a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider.”
TSPs are responsible for assuring the electronic identification of signatories and services by using strong mechanisms for authentication, digital certificates and electronic signatures. eIDAS defines how Trust Service Providers perform authentication and non-repudiation services and how they are to be regulated and recognized throughout EU member states.
What is a Trust Service?
A trust service is an electronic service that involves one of the following:
- Creating, verifying and validating electronic signatures, seals or time stamps, electronically-registered delivery services and certificates that are related to those services.
- Creating, verifying and validating certificates to be used for website authentication.
- Preserving electronic signatures, seals or certificates related to those services.
For a trust service to be considered a qualified trust service, the trust service must meet the requirements that have been put forth in the eIDAS Regulation. The use of trust services provides a trust framework for ongoing relations for electronic transactions conducted between countries and organizations.
Legal Implications of Electronic Signatures Created by Trust Service Providers
Under eIDAS, an advanced electronic signature is considered legally binding, whereas a qualified electronic signature, such as those produced through qualified trust service providers, carries higher probative value (if used as evidence in a court of law) and cannot be challenged easily because the authorship is considered non-repudiable. Where a qualified electronic signature has been created with a qualified certificate from an EU member state, all other EU members are required to recognize the signature as valid. A qualified signature is considered the equivalent of a handwritten signature in the eyes of the courts according to eIDAS Regulation, Article 24 (2).
ETSI Standards for Trust Service Providers
There is a whole set of current and upcoming standards prepared by the European Telecommunications Standards Institute (ETSI) aimed at optimising the process with respect to policies and security. The full list of current and future standards can be found on the ETSI Portal for trust service providers.
Crucial Role of Qualified Trust Service Providers
A qualified Trust Service Provider plays a crucial role in the qualified electronic signing process. The Trust Service Provider must have been granted qualified status by a supervisory government body, which permits that entity to provide the qualified trust services used in creating qualified electronic signatures. Under eIDAS, the EU maintains an EU Trust List, which contains the providers and services that are given qualified status. If an entity is not on that list, it is not permitted to provide qualified trust services. Those providers that are listed on the EU Trust List must abide by the strict guidelines created under eIDAS, including:
- Providing valid time and date stamps for the certificates they create.
- Immediately revoking signatures that possess expired certificates.
- Providing appropriate training to all their personnel.
- Using hardware and software that is considered trustworthy and is able to prevent forgeries of certificates.
References and Further Reading
- Selected articles on Digital Signatures (2014-16), by Ashiq JA, Guillaume Forget, Peter Landrock, Torben Pedersen, Dawn M. Turner and Tricia Wittig
- Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (2014), by the European Parliament and the European Commission