When you complete electronic transactions, to make sure you are fully secure, you need to involve a qualified trust services provider.
If you are a small or large business, an international company, or just an individual person, you need to be certain your digital transactions are fully legal, accepted across borders, and completely secure. But in reality what you are signing, when making a deal, is just ones and zeros on a computer. You never sign the actual, physical document, so you need to be very certain that you are able to trust that those bits and bytes are handled securely.
You don’t want to make a business deal, have it fully signed and delivered, and in case of a dispute later, discover that you have no grounds to enforce it. This is why when making these types of agreements, you should always use electronic Trust Service Providers (TSPs) which operate under the EU regulations.
But for the highest level of security, using a qualified trust service provider (QTSP) should be involved for your peace of mind.
What is the difference between a generic trust service provider and a qualified trust service provider?
A trust service provider may offer:
- Electronic signatures
- Electronic seals
- Registered delivery services
- Certificates for website authentication
- And more services...
They can provide just one or several of these services. There are two types of trust services, generic and qualified. Only a QTSP can offer a qualified version of the services, and in a way you can call it some kind of an “insurance”.
Depending on the type of security you need and the requirements of the country you work in, you may or may not actually need qualified trust services. Most times, a regular trust services will do the job for you. But if you are looking for higher confidence in the services delivered, you should choose a QTSP, which can offer both regular and qualified trust services.
One of the biggest differences between a TSP and a QTSP is that only a QTSP can offer qualified trust services. A QTSP will often offer both qualified and unqualified trust services. Typically the higher cost for the qualified services is induced by the reversed burden of proof in any disputes, where it will be solely up to the QTSP to prove the correctness of the services. As a customer you will then decide if you need the extra value provided by the qualified services.
Under the EU eIDAS regulation, a QTSP must undergo an independent audit by an accredited institution (i.e. recognized by the national accreditation body), that looks at areas such as security, level of trust and quality. In other words, QTSP is a quality stamp with strict requirements. These requirements aim to enhance the trust of consumers and enterprises and promote the use of qualified trust services.
An example of a QTSP is Signicat which provides qualified timestamps.
What is eIDAS?
The eIDAS (Electronic Identification, Authentication, and Trust Services) is an EU regulation that provides a legal framework for using electronic identification and trust services for digital transactions in the European Single Market.
QTSP is a certification under eIDAS. The EU maintains an EU Trust List, which contains the providers and services that are given qualified status per each EU/EFTA member state. Only approved QTSP will be on this list, and are allowed to use the EU trust mark. This is a logo which tells users that the provider is qualified and can be trusted to carry out their online transactions in a safe and secure way. According to the Trust List, in June 2020, there are 243 QTSPs with banks, postal services, and notaries included, along with specialist trust service providers like Signicat.
In order to be qualified, the provider must undergo an extensive audit, making qualified status difficult to achieve for just anyone. This means those who pass and are qualified are an incredibly trusted resource.
This is important as when you are making deals that involve legal concerns and money changing hands, you should always choose a provider that has been proven to know what they are doing. For example, a computer mechanic can repair your Mac, but it's only the authorized service providers that provide a guarantee according to the manufacturer's standards. Similarly, any car mechanic can replace spare parts but the brand's own repair shops - which also often go through training and have standardised processes set by the manufacturer - offer a guarantee the manufacturer acknowledges. So if the real world has certifications required to perform tasks, the digital world shouldn’t be any different.
What are the benefits of using a QTSP?
1) You know you can trust them
You need to be absolutely sure that the TSP you choose can be trusted with legal and confidential data.
The eIDAS Regulation imposes quality and security obligations for QTSPs and the services they provide. So you know that any transactions you make are in good hands and they can serve as evidence in case of any type of litigation that may come up. If you deal with a QTSP, you know your signatures and other trust services are always safer.
2) Any technical issues are dealt with quickly
Technical issues can occur within any system and the trust service provider needs routines to handle them and safeguard against this. For example, as what you’re signing is simply the bits and bytes in a computer, you are trusting whatever is on the screen to be accurate. But it’s possible someone could tamper with the system while working within the TSP, and they could show you something entirely different. Or they could even issue fake certificates.
But if you use a QTSP, it is almost impossible to tamper with the system or fake anything. There are several requirements when qualified to reduce such vulnerabilities, such as dual control. This means any configuration change in the system needs to have two trusted people involved at all times and only within physically secure premises.
These kinds of security measures mean it is increasingly difficult to tamper with the system of a qualified trust service provider.
3) You have assurance it can cross borders
Different countries can sometimes have vastly different legal requirements for signatures and legal transactions. So if you are doing business across different nations, for example across Europe, it is vital that electronic signing meets the requirements in all of these countries.
A lot of times, an advanced electronic signature is all that is required. For example, in the Nordics, there are no legal requirements for qualified signatures and a non-qualified/advanced service is enough. However, if you go to do business in Belgium for example, there are very specific requirements that electronic signatures be qualified and several countries are moving to this model. Choosing a QTSP will give you the flexibility to choose whether to use advanced or qualified electronic signatures, and regardless of the decision, a QTSP will provide the best services for both options.
There still needs to be trust in the party performing the signature process. And that this could easily be achieved by requiring a QTSP. A QTSP can also deliver advance signatures, but then you know to trust that the process is done by a trusted party.
Is it better to use a QTSP in a court of law?
Under the eIDAS regulation, ‘An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form’. A Qualified Electronic Signature (QES) offers the highest level of security, and should have the equivalent legal effect of a handwritten signature.
This is one of the many reasons why using a QTSP can be a safer and more secure choice, but one of the biggest reasons is the burden of proof.
There are a few things to consider:
If you use a non-qualified/advanced TSP and you are harmed in some way by using the service, the burden falls on you to provide proof of the negative intention or negligence of the service provider or other party. This can oftentimes be very difficult to prove and therefore you are at a loss. However, a qualified trust provider has the legal obligation to assume full responsibility for anything that went wrong.
For example, if you signed a contract with a client using a TSP, and you suspect that they are not operating properly, then you are the one who must provide evidence of this wrongdoing.
But if you are using a QTSP, you can at any time ask the QTSP to provide proof that it is operating according to rules, regulations and policies and therefore the burden of proof lies with them.
Using the qualified services of a qualified trust provider, from signatures to seals to timestamps and more, can prove you are trustworthy and save you from the stress of a client trying to renege on their contract.
What are the requirements for a Qualified Trust Service Provider?
In order to achieve and sustain the qualified status, the qualified trust provider must meet many requirements. For example, the provider must carry out all services subject to yearly audits. All standards, such as organizational, technical, or financial procedures need to be followed to the letter by the qualified provider. These specific examples include:
A valid time and date certificate - If the service provider offers timestamps, they must provide a trusted time, fetched from a trusted time source. The date and time are bound to the data based on an accurate time linked to Coordinated Universal Time (the standard by which the world regulates clocks). This prevents the possibility of the data being changed without anyone knowing about it. In addition, the Time Stamping Authority (TSA) will be the guarantee that a timestamp embedded into a document is correct.
Fully trained staff - Trusted personnel employed by the qualified trust service provider must be appropriately trained in their respective areas. They will also go through thorough background checks, for example, a police code-of-conduct report. Staff must have expertise and experience to make sure that the security and personal data protection rules and procedures all line up with international standards and there are no human errors. The QTSP must be able to provide proof on-demand that such checks on the personnel have been completed.
Updated software and hardware - The software and hardware used by the service provider must be trustworthy and capable of preventing certificate forgery. For specific QTSPs, such as those creating qualified electronic signatures and certificates, the qualified provider requires a qualified signature creation device (QSCD). This is the hardware required to create qualified electronic signatures. A QTSP needs this piece of hardware which has been approved according to EU standards and gone through a long line of processes and validations.
Operational processes - A QTSP must implement an ISMS (Information Security Management System). This is a framework of policies and procedures that includes all legal, physical, and technical controls in an organization's processes. An example of this is the ISO 27001 which is the international standard. This provides the specifications for a best-practice ISMS and covers the compliance requirements. This enables compliance with many different laws, including GDPR.
The level of security of information must be at least equal to the detected level of risk and the provider should take care to have the latest technological developments. In order to ensure a tamper-proof as well as tamper-resistant system, the provider must use trustworthy systems protected against any modification and ensure the technical security and reliability of the processes. And important part of this is dual control, which requires two people working together to make critical changes to the system.
Typically the service will be halted if any abnormalities are detected, to ensure that erroneous results are not produced. In addition, hardware can be configured to wipe itself out.The QCSD, which is specific to creating qualified electronic signatures, ensures that only the signatory is in control of their own signature and the signature data is handled by a QTSP.
Include a termination plan - If a QTSP ever wants to stop providing a qualified trust service, or they go out of business for any reason such as bankruptcy or an acquisition, they must have a termination plan in place. This involves detailing what they intend to do with the data they have issued and received in the course of providing the qualified trust service, as well as offering assistance in transferring the services to another QTSP.
Full verification of identities - The QTSP issuing qualified certificates must fully verify the identity of the person whose signature or other service is being certified in accordance with the national law. For example in Germany, they require video-identification via a video chat to prove an identity.
Incident reporting - If any incidents do occur, a QTSP is required under the eIDAS regulation to:
- Report the incident in a timely manner and make sure all details of the case are included in the report. Depending on the incident, the relying party, auditor and national body may need to be alerted. For more serious incidents, the QTSP may have as little as 24 hours from the incident occurred to send the reports.
- Do a root cause analysis to figure out exactly what went wrong and how.
- Have a plan for mitigating risk in the future so this never happens again.
Why does a QTSP need to be audited?
Qualified Trust Service Providers have to be audited at their own expense at least every 24 months. This is done by an eIDAS-accredited conformity assessment body, which usually requires 12 months between audits. This confirms that the qualified trust services provided by the QTSP fulfil all the requirements under the eIDAS Regulation. The yearly audit is a requirement to keep the QTSP status.
1) An organizational audit
This tests the structure of the organization. They may interview staff, observe regular practices, and review the processes and policies including financial checks and training.
2) A technical audit
This tests if the provider complies with all the necessary, up-to-date technical standards. Examples of this are dedicated, tamper-resistant hardware and IT network infrastructure to safeguard the services and data. For example, an auditor will check how the provider ensures the system is tamper-proof and tamper-evident which is known as a trustworthy system. The use of alarms and secure access control is required to keep the system protected.
The auditor may find some minor issues which the QTSP is given an opportunity to fix. The auditor will issue a report to the National Authority and they can either approve it or choose to do their own audit on the provider. This is on a yearly basis so the provider has to stay on top of everything that goes on in their organization all the time in order to uphold their qualified status.
With this many checks and balances to prove a provider deserves the coveted qualified mark, it is clear that they are a secure and trustworthy service provider.
Using the services of a qualified trust provider means:
- Lower risk
- Higher quality of services
- Reversed burden of proof
- Continuity of service
- Insurance against litigation and less liability for you