What is a trust service provider and how is it defined in the eIDAS?

As part of the program called the Digital Agenda for Europe announced in 2010, the EU is working to build a digital single market. The main aim is to remove barriers to electronic commerce and all types of electronic transactions between the different European states, therefore creating a common space, free and safe for online interactions between citizens, companies and states in the European Union.

To achieve this goal, a series of laws have been drafted aimed at breaking down digital barriers and establishing the necessary legal bases for electronic transactions in a secure and reliable way.

One of these laws, specifically the Regulation (EU) Nº 910/2014 (eIDAS) on electronic identification and trust services for electronic transactions, defines what are the trust service providers (sometimes called electronic trust services providers).

In this post we explain who these providers are and what they do.

eIDAS: a European regulation necessary to build the digital single market

Prior to the approval of the eIDAS, each member state issued its own digital certificates, which are electronic documents that are used to identify people and companies.

The problem was that the validity of these documents outside of each country’s borders was not guaranteed, and depended on the existence of agreements between the issuing authority and its counterpart (in this case, any other EU state).

In order to achieve the goal of the digital single market, this problem had to be solved. And from this need the Regulation eIDAS was created – whose initials stand for Electronic Identification and Authentication Services – to set an electronic identification standard to achieve safe and smooth online transactions across Europe. And for doing that, the Regulation relies on what is called electronic trust services.

Therefore, with the clear goal of eliminating borders for electronic transactions in the EU and building a climate of trust, the eIDAS establishes and regulates two concepts:

1. The electronic trust services. 
2. The providers of these electronic trust services.

 1. What is an electronic trust service according to the eIDAS?

Basically, electronic trust services allow to verify the identity of the sender of a message on the Internet, and also the integrity of messages that are exchanged through the Internet. They are therefore a fundamental source in eliminating the barriers for the digital market, as they reinforce the information security and contribute to the generation of trust (thus the name). 

Article 3 of Regulation eIDAS includes the definition of electronic trust services. In subsection 16 it establishes that a “trust service” is an electronic service that is usually provided in exchange for remuneration, and consists of:

1. “the creation, verification and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services; or

2. the creation, verification and validation of certificates for website authentication; or

3. the preservation of electronic signatures, seals or certificates related to those services.”

2. What is an electronic trust service provider according to eIDAS?

Similarly Article 3, sub-section 19, of the Regulation eIDAS, contains the definition of a Trust Service Provider (TSP): “a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider”.

As established in the Regulation, electronic trust service providers can be qualified or non-qualified. In order to be a qualified provider of electronic trust services, you must provide qualified electronic trust services and should have recognition as such from a supervisory body. 

3. What requirements must a trust service provider meet to be qualified?

Qualified providers for electronic trust services are those who, in order to issue a digital certificate to a natural or legal person, must verify their identity.

Article 24.1

“When issuing a qualified certificate for a trust service, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom the qualified certificate is issued.”

In order to verify the identity, the qualified providers of electronic trust services may do so directly, or relying on a third party in accordance with the national law.

The Regulation eIDAS establishes 4 ways to verify the identity:

1. “In the physical presence of a natural person or an authorized representative of the legal person.”

2. “Remotely, using electronic identification means, for which prior to the issuance of the qualified certificate, a physical presence of the natural person or of an authorised representative of the legal person was ensured and which meets the requirements set out in Article 8 with regard to the assurance levels ‘substantial’ or ‘high’.” 

3. “By means of a certificate of a qualified electronic signature or of a qualified electronic seal issued in compliance with point a) or b).”

4. “By using other identification methods recognized at national level which provide equivalent assurance in terms of the reliability to physical presence. The equivalent assurance shall be confirmed by a conformity assessment body.” 

In Spain, the Secretary of the State for the Information Society and the Digital Agenda from the Ministry of Energy, Tourism and Digital Agenda is the supervisory body responsible for verifying that qualified trust service providers meet these requirements, and also the requirements that are established for the qualified electronic trust services.

Signaturit is a company recognized as an Trust Service Provider (TSP) by the supervisory body mentioned, and as a Trusted Third party according to the Spanish Law on the Services of the Information Society (LSSI – Law 34/2002, of July 11 of the Information Services Society and Electronic Commerce).