At a glance
In this guide we’ve tried to keep jargon to a minimum. However, there are a few key defined terms, including:
- trust service: a service designed to protect electronic data and demonstrate that it can be trusted, for example by showing that data is authentic or hasn’t been tampered with, or by identifying the originator of the data, e.g. a person or organisation;
- qualified trust service: a trusted service, supported by UK law, that meets the requirements of UK eIDAS and is offered by a ‘qualified’ trust service provider;
- trust service provider: any organisation or person providing trust services; and
- qualified trust service provider: any organisation or person providing trust services granted qualified status by the ICO.
In brief
- What is a ‘trust service’?
- What is a ‘qualified trust service’?
- What is a ‘trust service provider’?
- What is a ‘qualified trust service provider’?
- What is an ‘electronic signature’?
- What is an ‘electronic seal’?
- What is an ‘electronic time stamp’?
- What is an ‘electronic registered delivery service’?
- What is a ‘certificate related to those services’?
- What is a ‘certificate for website authentication’?
- What is a ‘validation service’?
- What is a ‘preservation service’?
- What is a ‘conformity assessment body’?
What is a ‘trust service’?
Trust services aim to ensure trust, security and legal certainty in electronic transactions. For example, an electronic service may help to confirm that electronic data, e.g. a document, is sent from a trusted source, is authentic and hasn’t been tampered with.
The full definition of trust service is in UK eIDAS Article 3:
“an electronic service normally provided for remuneration which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services”.
The definition above results in the following types of trust service covered by UK eIDAS:
- Certificates for electronic signatures.
- Certificates for electronic seals.
- Certificates for website authentication.
- Electronic time stamps.
- Electronic delivery services.
- Validation service for electronic signatures.
- Validation service for electronic seals.
- Preservation service for electronic signatures.
- Preservation service for electronic seals.
- Generation service for electronic signatures.
- Generation service for electronic seals.
What is a ‘qualified trust service’?
Qualified trust services are trust services which have been assessed by an eIDAS accredited assessment body and granted qualified status by the ICO. By meeting the requirements set out in UK eIDAS they provide a high degree of confidence and trustworthiness e.g. via stringent methods of authentication and validation of service users, or the adoption of strong operational security controls. Qualified trust services have special recognition in UK law and can only be offered by qualified trust service providers.
What is a ‘trust service provider’?
A trust service provider is anyone who provides a trust service. This term includes both qualified and non-qualified trust service providers.
What is a ‘qualified trust service provider’?
A qualified trust service provider is an organisation providing qualified trust services that has been granted qualified status by the ICO. For any UK eIDAS defined qualified trust service, a trust service provider must comply with the requirements for trust service providers set out in UK eIDAS and demonstrate their compliance via a process which involves an assessment by a UK eIDAS accredited assessment body and approval by the ICO.
Following ICO approval, qualified trust service provider information and the qualified services they provide are published in the UK ‘trusted list’. This list can be used to verify the qualified status of a trust service.
What is an ‘electronic signature’?
An electronic signature is defined in UK eIDAS Article 3 as:
“data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
As you might expect, this means an electronic signature is any method an individual uses to ‘sign’ an electronic document. This covers a wide range of measures, from the simple act of affixing text or a digital image, to more sophisticated hi-tech methods which meet specific criteria set out in UK eIDAS for advanced or qualified electronic signatures. Electronic signatures are admissible as evidence in court.
Advanced electronic signatures meet the extra requirements set out in UK eIDAS Article 26. They are required to uniquely link to the person signing the data in electronic form and can detect any changes made to the data afterwards.
Qualified electronic signatures have the same features as advanced electronic signatures but are created using technology and procedures which provide a high standard of security, meet stricter validation criteria and are supported by a digital certificate meeting the requirements of UK eIDAS. They have the same legal effect as a handwritten signature.
What is an ‘electronic seal’?
An electronic seal is defined in UK eIDAS Article 3 as:
“data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity”.
Electronic seals allow companies and other corporate bodies to ‘seal’ electronic documents and certify them as genuine, in the same way as an individual can use an electronic signature. They are admissible as evidence in court. As with electronic signatures, there are advanced and qualified electronic seals offering additional benefits over basic electronic seals.
Advanced electronic seals meet the extra requirements set out in UK eIDAS Article 36. They are more reliably linked to the organisation creating the seal and, like advanced and qualified electronic signatures, allow detection of any changes made afterwards to the sealed data.
Qualified electronic seals have the same features as advanced electronic seals but are created using technology and procedures which provide a high standard of security, meet stricter validation criteria, and are supported by a digital certificate meeting the requirements of UK eIDAS.
What is an ‘electronic time stamp’?
An electronic time stamp proves that particular data existed at a particular time and hasn’t been changed since then. It is defined in UK eIDAS Article 3 as:
“data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time”.
Qualified electronic time stamp services must be operated by a qualified trust service provider and are required to meet UK eIDAS requirements for qualified electronic time stamps.
What is an ‘electronic registered delivery service’?
An electronic registered delivery service is defined in UK eIDAS Article 3 as:
“a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations”.
In other words, electronic registered delivery services act as a kind of secure online proof of posting or recorded delivery service. They provide proof that information was sent and received electronically, and that it was not intercepted or altered on the way.
Qualified electronic registered delivery services must be operated by one or more qualified trust service providers and are required to meet UK eIDAS requirements for qualified electronic registered delivery services.
What is a ‘certificate related to those services’?
A certificate for an electronic signature or seal is an “electronic attestation” containing the data that verifies the signature or seal is valid and links it back to a specific named person (for signatures) or organisation (for seals). In very basic terms, a certificate in this context is the underlying digital data that makes a trust service work and confirms the origin and authenticity of signed or sealed data, e.g. a document.
A qualified certificate must be issued by a qualified trust service provider and include the specific information set out in the annexes to UK eIDAS.
A certificate for electronic signature or seal is different from a certificate for website authentication.
What is a ‘certificate for website authentication’?
Certificates for website authentication identify the person or company behind a website and help to verify that the website is genuine. They are defined in UK eIDAS Article 3 as:
“an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued”.
In this guide we generally use the term ‘website authentication certificate’.
Qualified website authentication certificates must be issued by a qualified trust service provider and are required to meet UK eIDAS requirements for qualified web authentication certificates.
What is a ‘validation service’?
Validation is defined in UK eIDAS Article 3 as:
“the process of verifying and confirming that an electronic signature or a seal is valid”.
The output from a validation service can assist in deciding whether to rely on an electronic signature or seal.
What is a ‘preservation service’?
A preservation service can be used to ensure the long-term preservation and legal validity of electronic signatures and electronic seals over extended periods of time and guarantee that they can be validated irrespective of future technological changes.
What is a ‘conformity assessment body’?
Conformity assessment bodies play a key role if you want to become a qualified trust service provider. If you want to gain qualified status, you must first ask a conformity assessment body to look at whether you meet the relevant UK eIDAS requirements for trust service providers and the trust service(s) you wish to provide. The conformity assessment body will conduct an assessment and produce a ‘conformity assessment report’ that is provided to the ICO for review. Read the section of this guide on becoming a qualified trust service provider for more on this process.
UK conformity assessment bodies must be formally accredited by the UK Accreditation Service (UKAS). The ICO is not involved in accrediting or overseeing these bodies. You can contact UKAS for more information on organisations that have been accredited by UKAS as UK eIDAS conformity assessment bodies. You can also read the section of this guide on becoming a qualified trust service provider to see organisations that are currently accredited.