Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards”

Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards”

2022/06/24

I. Introduction

　　The Electronic Identification and Trust Services Regulation (eIDAS)[1] of the European Union was passed in 2014 and came into effect in July 2016. The eIDAS consists of six chapters and its core elements are covered in two parts: Chapter 2 Electronic Identification and Chapter 3 Trust Services. Chapter 3 provides the legal framework for trust services (TS) in relation to electronic transactions and encompasses electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication. Each trust service can be provided by trust service providers (TSP) or qualified trust service providers (QTSP). Qualification from the supervisory authority of each member state is required to become a QTSP and provide qualified trust services (QTS).

　　In March 2021, the European Union Agency for Cybersecurity (ENISA) published “Recommendations For QTSPs Based On Standards[2]” for those interested in becoming QTSPs.

II. Highlights

　　The eIDAS is technology neutral regarding trust service security requirements, without specifying any technology. In other words, TSP can achieve the level of security required by the eIDAS with different technologies. In fact, the European Union hopes to drive standardization with common grounds gradually formed with industry self-regulation in the legal framework and the trust framework under the eIDAS[3].

　　Since 2009, the European Union has been formulating the standardisation framework related to electronic signatures with the assistance from standardization bodies such as European Committee for Standardization (CEN) and European Telecommunications Standards Institute (ETSI). The vision is to establish a comprehensive standardization framework to resolve the problems of using electronic signatures across borders within the European Union. A series of standards on electronic signatures and relevant trust services have been put in place, to meet the international requirements and the eIDAS[4]. The ETSI/CEN standards of digital signatures related to QTSP are as follows[5]:

1. Provision of qualified certificates for electronic signatures (Article 28 of the eIDAS)
　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-2 and EN 319 412-5).

2. Provision of qualified certificates for electronic seals (Article 38 of the eIDAS)
　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-3 and EN 319 412-5).

3. Provision of qualified certificates for website authentication (Article 45 of the eIDAS)
　 ETSI EN 319 411-2 (and in adherence to EN 319 401, EN 319 411-1, EN 319 412-4 and EN 319 412-5).

4. Qualified electronic time stamping service (Article 42 of the eIDAS)
　 ETSI EN 319 421 (and in adherence to EN 319 401), EN 319 422.

5. Qualified validation service for qualified electronic signatures (Article 33 of the eIDAS)
　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4.

6. Qualified validation service for qualified electronic seals (Article 40 of the eIDAS)
　 ETSI TS 119 441 (and in adherence to EN 319 401), TS 119 442, EN 319 102-1, TS 119 102-2 and TS 119 172-4.

7. Qualified preservation service for qualified electronic signatures (Article 34 of the eIDAS)
　 ETSI EN 319 401, TS 119 511 and TS 119 512.

8. Qualified preservation service for qualified electronic seals; (Article 40 of the eIDAS)
　 ETSI EN 319 401, TS 119 511 and TS 119 512.

9. Qualified electronic registered delivery service (Article 44 of the eIDAS)
　 ETSI EN 319 401, EN 319 521, EN 319 522, EN 319 531 and EN 319 532.

III. Comment and Analysis

　　The ENISA recommendations demonstrate the European Union’s intention to encourage ICT service providers to become QTSPs by introducing relevant standards in electronic signatures formulated by the European Union standardization bodies. The purpose is to provide companies and users in the European Union with more secure and trustworthy services in relation to electronic signatures. This enhances the confidence of users and promotes the vibrant development of electronic transactions throughout the European Union.

　　Over recent years, Taiwanese companies have been proactively involved in digital transformation. The process toward digitalization often requires assistance from external ICT service providers. However, the unfamiliarity in ICT makes it difficult for companies to judge the professional expertise of providers. Perhaps companies can refer to the introduction above to understand whether a provider meets the requirements of the European Union standards. This serves as a basis for the selection of ICT service providers to ensure a certain level of competences. This will be beneficial to the digital transformation and entrance in the European Union market for companies.

[1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv%3AOJ.L_.2014.257.01.0073.01.ENG (last visited Jun. 24, 2022).

[2] European Union Agency for Cybersecurity [ENISA], Recommendations for Qualified Trust Service Providers based on Standards (2021), https://www.enisa.europa.eu/publications/reccomendations-for-qtsps-based-on-standards (last visited Jun. 24, 2022).

[3] id. at 8

[4] id. at 8-9.

[5] id. at 11-12

Links

※Brief Introduction to “European Union’s Recommendations for QTSPs Based on Standards”,STLI, https://stli.iii.org.tw/en/article-detail.aspx?no=105&tp=2&i=170&d=8842 (Date:2023/10/03)

Quote this paper