To Be, or Not to Be Trust Service Provider?
eIDAS 2.0 and the EUDI Wallet are in the spotlight, with many policymakers and stakeholders heavily involved in getting the European Digital Identity right, safe, and privacy-protecting. While the legislative act is approaching its final stage (the trilogue on the final form of the Regulation between the European Commission, the European Parliament, and the Council of the European Union started on 21st March 2023), there is one recurring question in the service-provisioning community: To be, or not to be a Trust Service Provider under eIDAS 2.0?
Here are some cases of verifiable credentials/electronic attestation of attributes that can be issued to citizens and used through the EUDI Wallet:
- I am a bank or financial institution able to provide credentials related to my customer, such as IBAN, or credit score
- I am an insurance company and could provide insurance certificates
- I am a University and can provide education titles
How do I know whether I am a Trust Service Provider or not? Are there regulatory requirements I should abide by? Do I have liabilities?
Let’s have a look at the most relevant articles of eIDAS 2.0:
‘This Regulation aims at ensuring the proper functioning of the internal market and providing an adequate level of security of electronic identification means and trust services. For these purposes, this Regulation:
(a) lays down the conditions under which Member States shall provide and recognize electronic identification means of natural and legal persons, falling under a notified electronic identification scheme of another Member State;
(b) lays down rules for trust services, in particular for electronic transactions;
(c) establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, certificate services for website authentication, electronic archiving and electronic attestation of attributes, the management of remote electronic signature and seal creation devices, and electronic ledgers;
(d) lays down the conditions for the issuing of European Digital Identity Wallets by the Member States.’;
Article 2 Scope
1. This Regulation applies to electronic identification schemes that have been notified by a Member State, European Digital Identity Wallets issued by the Member States and to trust service providers that are established in the Union.
2. This Regulation does not apply to the provision of trust services that are used exclusively within closed systems resulting from national law or from agreements between a defined set of participants.
3. This Regulation does not affect national, or Union law related to the conclusion and validity of contracts or other legal or procedural obligations relating to sector-specific requirements as regards form with underlying legal effects.
(16) ‘trust service’ means an electronic service normally provided against payment which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services, electronic attestation of attributes and certificates related to those services;
(b) the creation, verification and validation of certificates for website authentication;
(c) the preservation of electronic signatures, seals or certificates related to those services;
(d) the electronic archiving of electronic documents;
(e) the management of remote electronic signature and seal creation devices;
(f) the recording of electronic data into an electronic ledger.’
The answer is that simple: only services provided to the public that have effects on third parties must meet the requirements laid down in the Regulation; those services are trust services and must comply with the eIDAS 2.0 Regulation. All other services, those used within closed systems or recognised between the issuer and the verifier on the basis of an agreement, do not fall under eIDAS 2.0.
Here you can see the differences between qualified (legal recognition by default) and non-qualified trust services:
| | Non-qualified trust service | Qualified trust service |
|---|---|---|
| Regulatory requirements: eIDAS, GDPR, NIS2 | Yes | Yes + additional requirements for qualified status |
| Technical requirements: ETSI, CEN, ISO, sector-specific requirements | Yes + subject to national-specific requirements | Yes + additional requirements for qualified status |
| Audit | Yes, recommended | Yes, by an accredited Conformity Assessment Body (CAB) |
| Supervision (National Supervisory Body in the EU country where the TSP is incorporated) | Ex-post | Ex-ante |
| Trust List (TL) | Up to the national rules for the country TL; may or may not be listed | Yes, listed |
Should you or your organization need additional information or clarity on eIDAS 2.0, reach out to us at email@example.com
by Viky Maniala