Guidelines for Trust Service Providers

In order to remove barriers to cross-border trust services, and having regard to the results of successful European projects like STORK, which showed that the technical issues of interoperability can be overcome, the European Parliament and the Council of the European Union adopted Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market, repealing Directive 1999/93/EC on a Community framework for electronic signatures, which had provided for the legal recognition of electronic signatures. The Regulation strengthens the provisions for interoperability and mutual recognition of electronic identification schemes across borders, enhances the existing rules for electronic signatures and provides a legal framework for other types of trust services (electronic seals, electronic delivery services, electronic documents, time stamping services and website authentication).

Trust Services – as the name suggests – require a trustworthy provision of the corresponding service. In this context, trustworthy means that the user can rely with high confidence on the promised service being delivered strictly according to:

  • Terms and conditions of the Trust Service Provider,
  • Standards (like ETSI/CEN/ISO),
  • Legal requirements, as well as according to
  • State of technology (like cryptographic algorithms and parameter sets).

Article 19 of the above mentioned Regulation stipulates that trust service providers have to demonstrate due diligence in relation to the identification of risks and the adoption of appropriate security practices, and have to notify the competent bodies of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the personal data maintained therein.

ENISA Guidelines for Trust Service Providers:

In this context, the European Union Agency for Network and Information Security (ENISA) developed in 2013 the Guidelines for trust service providers, discussing the minimal security levels to be maintained by trust service providers. The study is split into three parts:

  • Security framework: describing the framework surrounding trust service providers (TSPs), focusing on EU standards but taking into account others where relevant.
  • Risk assessment: discussing the principles and concepts of managing the risks applicable to TSPs by defining and controlling threats and vulnerabilities.
  • Mitigating the impact of security incidents: recommending measures to mitigate the impact of security incidents on trust service providers (TSPs) by proposing suitable technical and organisational means to handle the security risks posed to the TSP.

All three parts can also be used separately, as they address different issues and target different audiences, which is why their introductory sections overlap.

These studies were complemented in 2014 by a fourth part (to be published):

  • Auditing framework for Trust Service Providers, containing recommendations for both Conformity Assessment Bodies (auditing entities) and TSPs.

ENISA has also published three other reports on the subject of TSPs: