What Is a QTSP and How to Choose One?

The European Digital Identity is a project the European Union (EU) has initiated to prepare the continent for the future of communication, commerce, and identity verification. By updating the eIDAS Regulation with the European Digital Identity Regulation, known as eIDAS 2, the EU is aiming to create a level playing field for identification and authentication across all member states.
This is where qualified trust service providers (QTSPs), which are key to the success of eIDAS 2, come into play. They are authorized to provide the most secure trust services, including electronic signatures and electronic seals. The assurance QTSPs provide will help the Union protect the personal data of its citizens, allowing them to more easily apply for bank accounts, rent cars, and work with businesses across the EU. As the Union declares:
"Your personal data tells your life's story; you should be the one to control it and decide when and with whom your data is shared."
For your business to thrive in the digital future, you will need to work with a QTSP. But what is a qualified trust service provider, what does it do, and what should you look for when choosing one for your organization? This article explains more.
What is a qualified trust service provider (QTSP)?
A qualified trust service provider (QTSP) is an entity that has the authority to create, validate, and verify the most secure digital trust services. These include:
- Electronic signatures
- Electronic seals
- Timestamps
Unlike regular trust service providers, qualified ones are required to undergo a conformity assessment to achieve their status. This allows them to offer the highest level of assurance and trust in digital interactions. This is why, for example, QTSPs are authorized to issue Qualified Electronic Signatures (QES), which hold the same status as handwritten signatures in EU law.
QTSPs are governed by the eIDAS and eIDAS 2 regulations, which are designed to ensure the security, integrity, and authenticity of electronic transactions and communications. QTSPs achieve this through rigorous identity verification processes, adhering to high security standards, and undergoing regular audits by supervisory bodies.
This makes a QTSP essential for businesses, governments, and individuals that require secure and reliable qualified services.
Why do you need a QTSP?
As the European Digital Identity approaches, it will be increasingly important for businesses to work with a QTSP. Here are some of the reasons why:
- Enhanced digital security: QTSPs offer advanced encryption, secure digital signatures, and electronic seals, helping to ensure your digital communications and transactions are protected against identity fraud, unauthorized access, and tampering.
- Legal compliance assurance: QTSPs help ensure that your business meets the stringent requirements for trust services, but full compliance with eIDAS and eIDAS 2 also requires using qualified electronic signature creation devices and following secure procedures as outlined in the regulations.
- Trustworthy interactions: Your business partners and customers can confidently interact with you, thanks to the strong digital identification processes employed by a QTSP.
- Robust data protection: QTSPs' strong data protection measures help maintain your compliance with GDPR and provide peace of mind for all stakeholders.
- Pan-European requirements: QTSPs' trust services meet pan-European requirements, ensuring interoperability that allows you to do business confidently and securely across the EU.
Types of services offered by QTSPs
Here are the main services that a QTSP can provide:
| Service | Explanation |
| --- | --- |
| Electronic signatures | A digital mark on a document that signifies acceptance of the contents. There are three levels of e-signatures under eIDAS: SES, AES, and QES. QES offers the highest assurance level, and it can only be provided by a QTSP. |
| Electronic seals | The digital equivalent of a company stamp, ensuring the integrity and origin of electronic documents. A seal verifies that a document has not been altered since being sealed. |
| Timestamps | Digital records that certify when a specific electronic document or transaction was created or signed. They provide an unchangeable record of the time and date. |
| Website authentication certificates | These include the qualified website authentication certificate (QWAC). They prove that a website is secure and protect users from visiting fraudulent sites. |
| Electronic ledgers | A secure and immutable way to record financial transactions and data that ensures transparency and traceability. |
| Archiving services | They help companies store electronic documents securely, ensuring their integrity, authenticity, and accessibility for future reference. |
How to choose the right QTSP for your business
Check certification and accreditation status
Under EU regulations, QTSPs are required to meet strict standards to get accredited and provide trust services. This includes making an application to their national regulatory authority so that the company can be verified and assessed. Once this is done, the authority issues a license and adds the QTSP to the EU/EEA List of Trusted Lists.
When you are looking for a QTSP to work with, check to see that it is featured on this list and that its license is up to date and active. Each country has a conformity assessment body (CAB) that conducts regular audits on QTSPs, ensuring that they continue to provide an effective and secure service.
Assess security and encryption technologies
Look into the details of the offering from the QTSP. Do they have the necessary security, and do they meet the standards that you need to ensure a safe process for your business?
For example, to issue QWACs, QESs, and qualified electronic seals, the QTSP must use a qualified signature creation device (QSCD). When in contact with a potential QTSP, make sure you ask about this to find out if the provider has completed the required qualification processes.
Also, ask about the security certifications and accreditations. This will help you understand how safe the service is. One example is the ISO/IEC 27001 standard, which provides "requirements for establishing, implementing, maintaining and continually improving an information security management system." Having this certificate shows that the QTSP meets high standards for digital security.
Consider geographic and legal coverage
Consider the locations where you will work and check that the QTSP meets the regulatory requirements in those countries. eIDAS 2 is intended to improve the interoperability of trust services across the European Union, meaning that a valid QES in Poland will also be accepted in Italy, for example.
However, not all QESs are the same. In 2021, a Swiss train manufacturer almost missed out on a €3 billion contract to supply the Austrian railway because a Swiss QES differs slightly from the EU version and is not legally recognized in the European Union. This shows the importance of working with a QTSP that covers multiple jurisdictions and is compliant with the various pieces of legislation.
Review services and scalability
Not all QTSPs provide the full range of trust services, so a given provider may not be able to fulfill your requirements. Make sure that your chosen partner offers the services that you need for your business. You can use the EU Trust Service browser to find a list of each QTSP's services, or check the company's website.
Make sure that you consider what will happen if you scale the business and require additional trust services. Check that the QTSP will be able to accommodate your future plans, or you will have to find a new QTSP at some point along the way.
Analyze integration capabilities
Many QTSPs might require that you divert customers to a web portal or separate app for authentication before validating the transaction, identification, or signature. Instead, you might want to integrate the solution into your current system for a seamless process that aligns with your existing workflows. Check that your chosen QTSP offers this capability.
Also, find out whether the solution integrates with the third-party software you already use, such as Salesforce, so that it streamlines the way you work with those products. This can make it more convenient and efficient for your employees to use.
Compare pricing and contract terms
The next stage is to compare the pricing structures between the different QTSPs under consideration. Besides the fee for your current needs, also find out how much more it will cost if you scale the business up and require additional services.
Check the contract offered by the QTSP to ensure it will provide you with everything you need to take advantage of the qualified trust services that will help you run your business more effectively. The contract will also explain the QTSP's commitment to cybersecurity, the measures in place to meet compliance requirements, and the termination and exit conditions.
Take a look at customer service and support
As with any technology project, you need to know if the QTSP you work with is dedicated to helping you implement and use the product in the most streamlined way. This means having experienced, available customer service representatives and a support portal to help you find the answers to common questions with ease.
Knowing that there are resources to help you integrate the solution into your business can give you peace of mind that you will minimize downtime and limit any potential revenue losses.
FAQ
How can you verify that an entity is a qualified trust service provider?
The EU's trust service browser is a central depository of trust service providers. Search for the provider on the list and find its entry. If it is a qualified trust service provider, it will be on this list.
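One way to automate the Trusted List check described here and under "Check certification and accreditation status", as an added example that is not part of the original article: it parses a national trusted list in the ETSI TS 119 612 XML format and reports which of a provider's qualified services are currently granted. The sample list and provider names are constructed, and validation of the list's XML signature, which a real check must do first, is assumed to have happened already.

```python
import xml.etree.ElementTree as ET

# Namespace and URIs as defined in ETSI TS 119 612 (trusted list format).
NS = {"tl": "http://uri.etsi.org/02231/v2#"}
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
QUALIFIED_TYPES = {
    "http://uri.etsi.org/TrstSvc/Svctype/CA/QC": "qualified certificates",
    "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST": "qualified timestamps",
}

def _svc(stype, name, status):
    # Builds one constructed <TSPService> entry for the sample list.
    return (f"<TSPService><ServiceInformation>"
            f"<ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/{stype}</ServiceTypeIdentifier>"
            f"<ServiceName><Name xml:lang='en'>{name}</Name></ServiceName>"
            f"<ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/{status}</ServiceStatus>"
            f"</ServiceInformation></TSPService>")

def _tsp(name, *services):
    # Builds one constructed <TrustServiceProvider> entry for the sample list.
    return (f"<TrustServiceProvider><TSPInformation><TSPName><Name xml:lang='en'>{name}"
            f"</Name></TSPName></TSPInformation><TSPServices>{''.join(services)}"
            f"</TSPServices></TrustServiceProvider>")

# Constructed sample, not a real trusted list: provider and service names are made up.
SAMPLE_TL = (
    "<TrustServiceStatusList xmlns='http://uri.etsi.org/02231/v2#'><TrustServiceProviderList>"
    + _tsp("Example Trust GmbH", _svc("CA/QC", "Example QC CA", "granted"),
           _svc("TSA/QTST", "Example TSA", "withdrawn"))
    + _tsp("Other Provider SA", _svc("CA/PKC", "Other CA", "granted"))
    + "</TrustServiceProviderList></TrustServiceStatusList>")

def qualified_services(tl_xml, provider):
    """Return [(service name, kind, currently granted?)] for one provider's qualified services."""
    found = []
    for tsp in ET.fromstring(tl_xml).iterfind(".//tl:TrustServiceProvider", NS):
        names = {n.text.strip().casefold()
                 for n in tsp.iterfind("tl:TSPInformation/tl:TSPName/tl:Name", NS)}
        if provider.casefold() not in names:
            continue
        for info in tsp.iterfind("tl:TSPServices/tl:TSPService/tl:ServiceInformation", NS):
            stype = info.findtext("tl:ServiceTypeIdentifier", "", NS).strip()
            if stype in QUALIFIED_TYPES:  # non-qualified service types are ignored
                name = info.findtext("tl:ServiceName/tl:Name", "", NS).strip()
                status = info.findtext("tl:ServiceStatus", "", NS).strip()
                found.append((name, QUALIFIED_TYPES[stype], status == GRANTED))
    return found

def is_qualified(tl_xml, provider):
    # Qualified only if at least one qualified service is currently granted.
    return any(granted for _, _, granted in qualified_services(tl_xml, provider))
```

A provider that appears on the list only with non-qualified services, or only with withdrawn qualified services, is reported as not qualified, which is the distinction to look for when reading a Trust Service browser entry by hand.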
How can you ensure your QTSP is compliant with current regulations?
QTSPs are audited regularly to make sure they stay compliant with the latest regulations, provide the required service, and meet all necessary standards. If they fail to meet their compliance obligations, they will be taken off the trust service browser list or marked as inactive.
What are the first steps a company should take to implement QTSP services?
A company should decide on which services it wants to offer to customers. Then it should look for a QTSP that meets those needs and consider its pricing structure, reputation, and working methods to decide if it is a good fit. Many services allow businesses to sign up for free initially to get a better understanding of how good a fit the QTSP is.
Conclusion
Using a QTSP is a must for companies looking to provide digital authentication and verification. This enables processes to occur online instead of relying on paper documentation, making them more cost-effective and eco-friendly, backed by strong security measures.
Partner with Entrust Signhost for compliant electronic signature and digital identification services that seamlessly integrate into your existing workflow. Enjoy a convenient, streamlined, and secure process. Contact us for more information.
*Disclaimer: This content does not constitute legal advice. The suitability, enforceability or admissibility of electronic documents will likely depend on many factors such as the country or state where you operate, the country or state where the electronic document will be distributed as well as the type of electronic document involved. Appropriate legal counsel should be consulted to analyze any potential legal implications and questions related to the use of electronic documents.