What Are Qualified Trust Service Providers (QTSP)?

Qualified Trust Service Providers (QTSPs) are trust service providers authorized to deliver one or more qualified trust services, having been granted “qualified” status by a supervisory body. In simple terms, QTSPs are TSPs that have undergone rigorous audits to ensure a high level of security, data protection, and compliance. This certification offers greater assurance of the legal validity of their services.

Penneo A/S is a certified Qualified Trust Service Provider (QTSP) and is officially listed on the EU Trust List. This listing confirms Penneo’s compliance with the stringent requirements of the eIDAS regulation and its authorization to provide qualified trust services, ensuring the highest level of security and legal validity for digital transactions across the EU.

How can a Trust Service Provider become a Qualified Trust Service Provider?

To become a Qualified Trust Service Provider (QTSP), a trust service provider must undergo a rigorous audit by a conformity assessment body. This audit evaluates whether the provider and its services meet the stringent requirements outlined in the eIDAS Regulation. The audit process involves various activities such as calibration, testing, certification, and inspection to ensure compliance.

Once the audit is complete, the trust service provider must submit the conformity assessment report to the national supervisory body. The supervisory body then reviews the report and decides whether to grant qualified status. If approved, the supervisory body informs the European Commission, which updates the EU Trust List accordingly.

After being listed, the QTSP is authorized to provide qualified trust services and can display the EU trust mark on its website.

Becoming a Qualified Trust Service Provider

What are the Trusted lists?

Trusted lists are official directories published and maintained by each EU Member State, listing all Qualified Trust Service Providers (QTSPs) operating within their borders, along with the qualified trust services they offer. These lists provide essential information about the QTSPs, ensuring transparency and trust in digital transactions.

The trusted lists can be accessed through the EU Commission website, where users can explore the Trusted List Browser to view national trusted lists or search for a QTSP by type, name, or through verification of a signed document. This ensures businesses and individuals can easily verify the legitimacy and qualifications of trust service providers across the EU.

What is the EU trust mark?

The EU trust mark is a symbol that Qualified Trust Service Providers (QTSPs) can use after being granted qualified status and listed in the EU’s trusted lists. It serves as a clear and easily recognizable indicator that the service provider meets the stringent requirements of the eIDAS regulation and is authorized to deliver qualified trust services. This trust mark helps users quickly identify QTSPs and enhances confidence in the security and legal validity of the services they offer.

EU trust mark

Maintaining the QTSP status

Being recognized as a Qualified Trust Service Provider (QTSP) requires continuous compliance. QTSPs must undergo an audit at least every two years to verify they are still meeting the eIDAS regulation requirements.

Additionally, the supervisory body has the authority to request audits or conformity assessments at any time to ensure the QTSP maintains full compliance. If a QTSP fails to meet these requirements, its qualified status may be revoked, emphasizing the importance of ongoing adherence to the strict security and legal standards.

How can you verify that an entity is a Qualified Trust Service Provider?

You can verify a Qualified Trust Service Provider (QTSP) through the following methods:

  • Signature Validation: When checking the validity of e-signatures on a document, tools such as the EU validator, Penneo’s validator, or even a PDF reader will display information confirming whether the provider is a QTSP. This provides an additional layer of assurance for digital signatures.
  • Trusted Lists: Use the Trust List Browser on the EU Commission website to confirm whether a provider currently holds qualified status.
  • EU Trust Mark: Look for the EU trust mark logo on the provider’s website, which indicates that they are a certified QTSP.

What does being a QTSP entail?

While we’ve covered the process for a Trust Service Provider (TSP) to become a Qualified Trust Service Provider (QTSP) and how to verify this status, it’s essential to understand what being a QTSP truly means in practice and why it’s important to rely on one.

In simple terms, why is a QTSP more trustworthy than a standard TSP? The answer lies in the strict obligations and responsibilities that QTSPs must fulfill to maintain their status, ensuring a higher level of security and compliance.

The key requirements and responsibilities placed on QTSPs can be summarized as follows:

High technical security

Qualified Trust Service Providers (QTSPs) must ensure the highest level of technical security and reliability by using trustworthy systems and products, and employing staff with the necessary expertise, experience, and qualifications. Additionally, QTSPs are required to provide ongoing training for their employees, focusing on security and personal data protection, and ensuring that procedures align with European and international standards.

Safe data processing and storage

QTSPs must ensure the lawful processing and secure storage of personal data by using reliable systems that guarantee data authenticity. Data must only be accessed with the individual’s consent and can only be added or modified by authorized personnel. Moreover, QTSPs must implement strong safeguards against data theft, fraud, and forgery.

Service continuity and reliability

QTSPs are responsible for maintaining records of all relevant information, keeping them accessible for a legally appropriate period to serve as evidence in legal proceedings and to ensure service continuity. They must also have up-to-date crisis management and business continuity plans in place, alongside adequate financial resources or insurance to cover any liability for damages.

Up-to-date certificate database

QTSPs issuing qualified digital certificates, such as those for electronic signatures, are required to maintain an up-to-date certificate database.

Conclusion: Why You Should Choose a QTSP

The rigorous process that Trust Service Providers (TSPs) must go through to become Qualified Trust Service Providers (QTSPs), along with the extensive responsibilities they bear to maintain this status, make QTSPs a more reliable and secure choice for your digital trust services needs.

QTSPs offer a superior level of security, providing:

  • Robust data protection
  • Continuity and reliability of services
  • Certainty and legal enforceability of transactions

For these reasons, QTSPs are a safer and more trustworthy option compared to standard TSPs.

Explore more resources

Security and trust: How Penneo ensures compliance and protects data

Security and trust: How we ensure compliance and protect data 

READ MORE

Building trust in the age of AI: Reflections on competitiveness, democracy, and digital transformation

READ MORE

Kickstart your company's digital transformation

Kickstart your company’s digital transformation

READ MORE