The ICO exists to empower you through information.

At a glance

  • You must take appropriate measures to safeguard the security of trust services. This means identifying security risks and taking reasonable action to mitigate them.
  • Qualified trust service providers need to take some specific security measures.
  • Wherever feasible, you should make trust services accessible for people with disabilities.

In brief

What does the law say about security measures?

UK eIDAS sets out trust service providers’ security obligations. Article 19(1) says:

“Qualified and non-qualified trust service providers shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the latest technological developments, those measures shall ensure that the level of security is commensurate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any such incidents.”

What must we do to comply?

If you are a trust service provider, you need to have appropriate security measures to prevent the services you offer being accidentally or deliberately compromised. In particular, you need to:

  • carry out regular risk assessments of the security of your trust services;
  • identify and classify security risks according to the degree of risk posed and the harm that could result;
  • make sure you have appropriate technical security and organisational measures to mitigate those risks, including robust policies and procedures and reliable, well-trained staff; and
  • respond to any security incidents that do occur swiftly and effectively to help prevent and minimise their impact.

What are ‘appropriate measures’?

An appropriate measure is one that is proportionate to the risks it safeguards against. You should consider the current developments in security technology when choosing appropriate measures to protect your trust service, and you should regularly review your security measures as technology develops.

ENISA has published a set of detailed guidelines on security requirements, risk assessments and risk mitigation for trust service providers which may be relevant to your assessment of appropriate security measures.

Most EU organisations seeking to provide qualified trust services use the ETSI trust service provider standards as the basis for the development and evaluation of their services. These are highly detailed and comprehensive standards which cover all of the EU and UK eIDAS defined trust services. 

You may find it useful to refer to the security section of the ICO’s guide to UK GDPR to understand the ICO’s approach to ‘appropriate technical and organisational measures’ to safeguard personal data.

Do qualified trust service providers need to do more?

All trust service providers must take appropriate security measures, but if you are a qualified trust service provider you also need to comply with specific minimum security requirements set out in UK eIDAS Article 24(2). You should look at these carefully as the requirements are detailed and require specific consideration, but in summary you need to:

  • employ reliable staff and subcontractors with the necessary expertise, experience and qualifications;
  • ensure staff and subcontractors have received appropriate security and data protection training;
  • use trustworthy, secure and reliable products and systems;
  • ensure your systems have appropriate access controls to protect data from unauthorised access or modification and ensure that unauthorised changes are detectable;
  • implement internal processes and procedures that support the security of the trust service and protect against forgery and theft;
  • ensure personal data is processed in line with data protection legislation.   

The ENISA guidance and ETSI standards referenced in the previous section are also very useful here.

When do we need to ‘inform stakeholders of adverse effects’?

You need to consider whether it is necessary to inform your customers and anyone else who might be affected by a security incident about the harm that could be caused by the incident. In some cases this could include a public statement. Read the Breach reporting section of this guide for more information.

What are the rules on accessibility?

You must make trust services accessible for people with disabilities wherever it’s feasible to do so.

In particular, you need to comply with any relevant UK equality laws (such as the Equality Act 2010) to ensure your trust service is accessible to people with a disability.

ETSI standard EN 301 549 may support your assessment of the accessibility of your trust service.