Non-qualified trust service providers

Non-qualified trust service providers (TSPs) do not need to notify the supervisory body of their activities. Nevertheless, they have to fulfil general security requirements according to Art. 19 of the eIDAS Regulation. In particular, they must take appropriate technical and organisational measures to control the security risks associated with the trust services they provide. These measures must ensure that the level of security is appropriate to the level of risk, taking into account the respective state of the art. In particular, measures must be taken to avoid or minimise the impact of security breaches and to inform stakeholders of the adverse consequences of such incidents. These measures may be specified by the European Commission by way of implementing acts. As long as such legal acts do not exist, relevant standards (e.g., ETSI policy requirements for the service in question) can be applied.

Non-qualified TSPs must also promptly notify the supervisory body and, as appropriate, other bodies (e.g., the Data Protection Authority) of security breaches and integrity losses that have a significant impact on the trust service provided or the personal data held therein, and in any event within 24 hours of becoming aware of the incident in question. If an incident is likely to adversely affect a natural person or legal entity for whom the trust service was provided, the trust service provider must also notify the natural person or legal entity of the incident without undue delay. The form and procedure of notification may be specified by the European Commission by means of implementing acts. As long as such legal acts do not exist, the supervisory body will be guided in its interpretation of the provision by relevant documents of ENISA. In particular, the document "Proposal for Article 19 incident reporting" is (also) suitable as a guideline for deciding whether an incident has to be reported or not.

Non-qualified TSPs and the trust services they provide will be added to the Trusted List upon request. Interested parties are requested to contact the Office for Communications in this regard.
