In order to remove barriers for cross-border trust services, and having regard to the results of successful European projects like STORK, which have shown that technical issues of interoperability can be overcome, the European Parliament and the Council of the European Union adopted Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC on a Community framework for electronic signatures, which had provided for the legal recognition of electronic signatures. The Regulation strengthens the provisions for interoperability and mutual recognition of electronic identification schemes across borders, enhances the current rules for electronic signatures and provides a legal framework for other types of trust services (electronic seals, electronic delivery services, electronic documents, time stamping services and website authentication).
Trust Services – as the name suggests – require a trustful provision of the corresponding service. In this context, trustful has to be understood as highly reliable for the user: the promised service is delivered strictly according to
- the terms and conditions of the Trust Service Provider,
- standards (such as ETSI/CEN/ISO),
- legal requirements, and
- the state of technology (such as cryptographic algorithms and parameter sets).
ENISA Guidelines for Trust Service Providers:
In this context, the European Union Agency for Network and Information Security (ENISA) developed in 2013 the Guidelines for trust service providers, which discuss the minimum security levels to be maintained by trust service providers. The study is split into three parts:
- Security framework: describing the framework surrounding trust service providers (TSPs), focusing on EU standards but taking others into account where relevant.
- Risk assessment: discussing the principles and concepts of managing the risks applicable to TSPs by identifying and controlling threats and vulnerabilities.
- Mitigating the impact of security incidents: recommending measures to mitigate the impact of security incidents on TSPs by proposing suitable technical and organisational means to handle the security risks posed to the TSP.
All three parts can also be used separately, as they address different issues and target different audiences; for this reason the introductory sections overlap.
These studies were complemented in 2014 by the fourth part (to be published):
- , containing recommendations for both Conformity Assessment Bodies (auditing entities) and TSPs.
ENISA has also published three other reports on the subject of TSPs:
- Trusted e-ID Infrastructures and services in EU: analysing the risks of trust services reported by their providers, and justifying recommendations to improve their security.
- Trusted provision of e-government services in the EU: containing recommendations for e-Government service providers, supervisors and citizens to improve their security.
- eID Authentication methods in e-Finance and e-Payment services: analysing the risks associated with the identification of citizens and the use of credentials, and providing good practices for financial institutions, merchants and payment service providers to improve citizens' security when they access financial and payment services.