Qualified Trust Service Provider (QTSP)

What is a Qualified Trust Service Provider (QTSP)?

The Qualified Trust Service Provider (QTSP) is the basis for the realization of the qualified electronic signature. The Qualified Trust Service Provider (QTSP) must meet strict criteria precisely defined by the relevant authorities. If these criteria are met, the provider is added to a list of trust service providers.

The following is the list of criteria:

• The service provider must provide a valid date and time for the generated certificates.
• Signatures with expired certificates should be revoked immediately.
• Employees of trust service providers must be adequately trained.
• The software and hardware used by the service provider must be trustworthy and capable of preventing certificate tampering.

What is the difference between a Trust Service Provider (TSP) and a Qualified Trust Service Provider (QTSP)?

A Trust Services Provider can offer the following:

• Electronic Signatures
• Electronic seals
• Time stamps
• Certificates for website authentication, etc.

A Trust Services Provider may offer one or more of these services. Generally, there are two types of trust services: general and qualified - Trust Service Provider (TSP) and Qualified Trust Service Provider (QTSP). Only a QTSP can provide a qualified version of the services, which can be described as a type of additional “security.”

Depending on the type of security an organization needs and the requirements of the country in which it operates, qualified trust services may or may not be needed. In most cases, a trust service provider (TSP) is sufficient to accomplish this task. However, if one wishes to have a higher level of confidence in the services provided, one should opt for a QTSP that can provide both regular and qualified trust services.

One of the biggest differences between a TSP and a QTSP is that only a Qualified Trust Service Provider (QTSP) can provide qualified trust services. A QTSP often provides both qualified and non-qualified trust services. The higher costs for the qualified services are usually caused by the reversed burden of proof in disputes, where it is solely up to the QTSP to prove the correctness of the services.

Under the EU eIDAS Regulation, a Qualified Trust Service Provider (QTSP) must undergo an independent audit by an accredited body (i.e., recognized by the national accreditation body) that examines areas such as security, trust levels, and quality. These requirements aim to increase consumer and business trust and encourage the use of qualified trust services.

Qualified Trust Service Provider (QTSP) - why is it so important?

To be listed as a Qualified Trust Service Provider, the provider must meet the requirements set out in the eIDAS Regulation. To become a Qualified Trust Service Provider (QTSP), the organization goes through a rigorous and independent assessment and undergoes regular audits to ensure that they remain compliant with the QTSP requirements of the eIDAS Regulation.

They must have been granted qualified status by a government regulator that grants them permission to provide qualified trust services.

Because qualified trust service providers are subject to a more rigorous review process, they offer stronger specific legal effect than non-qualified providers, as well as greater technical security. Qualified Trust Service Providers (QTSP) therefore offer greater legal certainty and higher security for electronic transactions.

What are the benefits of a Qualified Trust Service Provider (QTSP)?

By engaging a Qualified Trust Service Provider, an organization processing an electronic transaction can be assured that the transaction is completely secure. The following are the 3 key benefits:

1. Security and Trust

The eIDAS Regulation imposes quality and security obligations on Qualified Trust Service Providers (QTSP) and the services they provide. This way, one can be sure that all transactions made are in good hands and can serve as evidence in the event of any legal disputes. When working with a QTSP, one knows that signatures and other trust services are always secure.

2. Any technical problems are quickly resolved

Technical problems can occur in any system, and the trust service provider needs routines to deal with and guard against them. When using a Qualified Trust Service Provider (QTSP), it is almost impossible to manipulate the system or forge anything. To mitigate such vulnerabilities, several requirements must be met, such as the dual control principle. This means that any configuration change in the system must always involve two trusted people, and only in physically secure premises. These types of security measures mean that it is increasingly difficult to tamper with a Qualified Trust Service Provider (QTSP) system.

3. Certainty that it works across borders

Different countries sometimes have very different legal requirements for signatures and legal transactions. So when doing business in different countries, it is important that the electronic signature meets the requirements in all of them. In many cases, an advanced electronic signature is sufficient. In the Nordic countries, for example, there are no legal requirements for qualified signatures, and a non-qualified/advanced service is sufficient. However, if you are doing business in Belgium, for example, there are very specific requirements that electronic signatures must be qualified. When mab chooses a Qualified Trust Service Provider (QTSP), one has the flexibility to choose whether to use advanced or qualified electronic signatures, and regardless of the decision, a QTSP provides the best services for both options.

Why does a Qualified Trust Service Provider (QTSP) need to be audited?

Qualified Trust Service Providers (QTSP) must be audited at least every 24 months at their own expense. This is done by an eIDAS-accredited conformity assessment body, which usually requires an interval of 12 months between audits. This confirms that the qualified trust services provided by the QTSP meet all the requirements of the eIDAS Regulation. The annual audit is a prerequisite for maintaining QTSP status.