As a Qualified Trust Service Provider (QTSP), Penneo has been authorized to offer qualified trust services — such as qualified signature certificates, qualified seals certificates, and qualified time stamps.
But what are qualified trust service providers? How can you become one? And why should you choose one to secure your signing processes? Read on to learn more!
What is a Trust Service Provider (TSP)?
According to the eIDAS Regulation, a Trust Service Provider (TSP) is a person or business that provides one or more trust services.
A trust service is an electronic service for creating, verifying, validating, or preserving electronic signatures, seals, timestamps, documents, and more. A trust service is defined as qualified when it meets certain requirements established under eIDAS and has been audited by a conformity assessment body that certified its compliance.
Therefore, any signing software provider in the EU can be defined as a trust service provider, but only a few of them are qualified trust service providers (like Penneo).
What are Qualified Trust Service Providers (QTSPs)?
Qualified Trust Service Providers (QTSPs) are trust service providers who provide one or more qualified trust services and are granted the qualified status by the supervisory body.
Put simply, they are TSP whose high level of security, data protection, and compliance have been audited and certified. As a result, there is greater assurance of the legal validity of their services.
As we are authorized to offer qualified signature certificates, seals certificates, and time stamps, and our compliance with the eIDAS requirements is audited and certified, Penneo is a full-fledged qualified trust service provider.
Which Qualified Trust Services does Penneo offer?
As a Qualified Trust Service Provider (QTSP), Penneo offers:
- Qualified Certificates for Electronic Seals, which guarantee the origin and integrity of an electronic document.
- Qualified Electronic Time Stamps, which guarantee the existence of an electronic document at a certain date and time, as well as provide proof that it hasn’t been modified.
- Qualified Certificates for Electronic Signatures, which enable the creation of qualified electronic signatures that are as legally valid as handwritten signatures.
How can a Trust Service Provider become a Qualified Trust Service Provider?
As mentioned above, a trust service provider can become qualified only after being audited by a conformity assessment body.
The purpose of the audit is to assess and confirm that the TSP — and the trust services it provides — fulfil the requirements laid down in the eIDAS Regulation. The audit consists of activities including calibration, testing, certification, and inspection.
After being audited, the TSP must submit the resulting conformity assessment report to the supervisory body, which will decide whether to grant the qualified status to the TSP. If the qualified status is granted, the supervisory body informs the EU Commission, which updates the relevant Trusted list.
After that, the QTSP can start providing qualified trust services and use the EU trust mark on its website.
What are the Trusted lists?
The trusted lists are lists of QTSPs published and maintained by each Member State. On each national trusted list, you can find information related to the QTSPs established in that country and the qualified trust services they provide.
The trusted lists are available on the EU Commission website, where you can navigate the Trusted List Browser to access national trusted lists or search for a QTSP by type, name, or through a signed document.
What is the EU trust mark?
After the qualified status has been indicated in the trusted list, QTSPs can use the EU trust mark for qualified trust services. The EU trust mark is represented by the logo below and indicates in a simple, recognizable, and clear manner that the service provider is a Qualified Trust Service Provider.
Maintaining the status of QTSP
Being recognized as a QTSP is not a one-time thing. QTSPs must be audited at least every 2 years to confirm ongoing compliance.
Moreover, the supervisory body may request an audit or a conformity assessment of the QTSP at any time to ensure eIDAS requirements are met continuously and in full. In case of non-compliance, their qualified status can be withdrawn.
How can you verify that an entity is a Qualified Trust Service Provider?
The Trusted Lists and the EU trust mark mentioned above are indicators of the qualified status of a TSP. You can use the Trust List Browser to verify that your provider is currently granted qualified status, and you can look for the EU trust mark logo on their website.
Besides those means, you can also find this information when checking the validity of e-signatures on a document through the EU validator, Penneo’s validator, or a PDF reader.
What does being a QTSP entail?
We’ve gone through the process followed by a TSP to become a QTSP and the methods to verify the qualified status. However, we haven’t touched on the most important aspect of the topic, which is what being a QTSP means in practice and why it is important to rely on a QTSP.
In other words, why is a QTSP more trustworthy than a simple TSP? Because of a number of obligations that QTSPs have to meet.
The requirements and responsibilities placed on QTSPs can be summarized as follows:
High technical security
QTSPs must ensure the technical security and reliability of their services through the use of trustworthy systems and products and the employment of staff who possess the necessary expertise, experience, and qualifications. Moreover, employees need to receive appropriate training regarding security and personal data protection rules and apply safe procedures corresponding to European or international standards.
Safe data processing and storage
QTSPs must ensure lawful processing of personal data and safe data storage through the use of trustworthy systems where the data can be checked for authenticity, only retrieved after the person gave their consent, and only added or changed by authorized persons. Moreover, they must implement appropriate measures against data theft and forgery.
Service continuity and reliability
QTSPs must keep records of all relevant information and keep them accessible for an appropriate period to provide evidence in legal proceedings and ensure service continuity. Up-to-date crisis management and business continuity plans need to be in place, and sufficient financial resources (or appropriate insurance) must be maintained to face potential risks of liability for damages.
Up-to-date certificate database
In the case of QTSPs issuing qualified certificates for a qualified trust service, the QTSP should establish a certificate database and keep it updated. Penneo, for example, is a QTSP issuing qualified certificates for qualified electronic signatures (and acting as a Certificate Authority, CA). Therefore, it’s obliged to maintain a database of the certificates issued.
Conclusion: Why you should choose a QTSP
The complex process that TSPs must undergo to become QTSPs — and the huge responsibilities placed on them to obtain and maintain this status — make QTSPs more reliable, trustworthy, and generally a safer choice when it comes to choosing a provider.
Qualified Trust Service Providers ensure a higher level of security in terms of:
- Data protection
- Continuity and good performance of services
- Certainty and legal enforceability of the transactions carried out through them
For all these reasons, QTSPs are to be preferred to simple TSPs.
Moreover, if your business operates across borders, with QTSPs you can be 100% sure of the validity of your transactions throughout the EU. That’s because QTSPs are mutually recognized in all Member States; in other words, a QTSP established in your country is recognized as legally equivalent to QTSPs based in the other Member States (as well as in the third countries or international organizations which implemented eIDAS — like EEA countries).