At a glance
To become a qualified trust service provider you need to demonstrate to a ‘conformity assessment body’ that you meet the relevant requirements for qualified trust service providers and the trust services you wish to provide, and submit a conformity assessment report to the ICO for verification.
If you make significant changes to your qualified trust service, or intend to stop the service, you must tell the ICO.
- The ICO has additional requirements and guidance for prospective UK eIDAS qualified trust service providers to consider.
- How do we become a qualified trust service provider?
- What is the trusted list?
- What if we need to change a qualified trust service?
- What happens if we stop providing a qualified trust service?
- What are the additional ICO requirements and guidance for prospective UK qualified trust service providers?
In summary, you need to apply to a conformity assessment body who will assess your compliance against the requirements for qualified trust service providers and qualified trust services. The conformity assessment body will produce a conformity assessment report, demonstrating how the requirements have been met. You then submit this report to the ICO for verification. The ICO will analyse the report to ensure all requirements have been met, and will grant you qualified status if appropriate.
The conformity assessment body must be accredited by UKAS for undertaking conformity assessments against the UK eIDAS Regulations.
The following organisations are currently accredited:
- BSI Assurance UK Ltd
When a conformity assessment body is accredited both in the UK and the EU, for any trust service provider seeking QTSP status in the UK and the EU, a single conformity assessment may (subject to approval by the relevant EU supervisory body) be used as the basis for a conformity assessment report issued against the UK eIDAS Regulations and a separate conformity assessment report issued against the EU eIDAS Regulation.
If you gain qualified status, you will be added to the UK’s trusted list.
To maintain qualified status you will need to undergo the conformity assessment process at least every two years, at your own expense.
If you are considering becoming a qualified trust service provider, you can contact the ICO at [email protected] for further information and guidance.
The trusted list is a published list of all qualified trust service providers and qualified trust services granted qualified status in the UK by the ICO.
If you make changes to your qualified trust service you should contact the ICO to determine whether your qualified status is still valid and whether or not you should undergo a new conformity assessment.
If you decide to stop providing a qualified trust service, you need to notify the ICO of your intention to stop the service. To stop providing a qualified trust service you are required to use your termination plan. After you have implemented your termination plan, you need to provide the ICO with a description of how you have implemented the provisions in your termination plan.
You can contact the ICO at [email protected] for further information and guidance on this process.
The requirements and guidance listed here are for use by prospective qualified trust service providers and their conformity assessment bodies in meeting the requirements of the UK eIDAS Regulation for qualified services operating in the UK.
The ICO strongly advises all prospective qualified trust service providers to discuss their services with the ICO before they submit their notification. This will allow the ICO to describe the notification process in more detail, allow it to better understand the prospective qualified trust service provider’s intentions and services for the UK, and allow any questions or issues to be addressed.
UK qualified trust service providers
- UK qualified trust services may only be operated under supervision of the ICO. It is not possible for a trust service to be supervised by an alternative supervisory body or by more than one supervisory body. This means, for example, that qualified trust services offered by trust service providers (TSPs) established in the UK cannot also be supervised by an EU member state supervisory body operating under the EU eIDAS Regulation.
- An existing EU qualified trust service provider wishing to operate in the UK may provide the same or different service types as those offered in the EU. UK services of the same type must, however, be legally separate from the EU services. For example, an EU eIDAS approved qualified trust service provider issuing qualified certificates may also provide the same type of service in the UK, i.e., issuing UK qualified certificates from the UK service approved by the ICO.
- Notifying trust service providers must be established in the UK. For example, a limited company would need to have a UK establishment and be registered or incorporated within the UK. A limited partnership or a limited liability partnership would need to be registered at Companies House and an unincorporated business would need to demonstrate that it has a permanent place in the UK where it carries out its business activities.
- Conformity assessment bodies approved to undertake conformity assessments against the UK eIDAS Regulation must be accredited by UKAS, the UK national accreditation body.
- Trust service provider notifications for UK qualified trust services shall only be accepted with a full conformity assessment report. Surveillance audits, or surveillance audits supported by additional supporting information such as service changes notices, are not a sufficient basis for notification and assessment. This applies to all existing qualified trust service providers who currently provide trust services in other jurisdictions e.g., in the EU, who have an established audit regime with an approved conformity assessment body, and who wish to provide similar services in the UK under the UK eIDAS Regulation.
- Conformity assessment reports for qualified trust service providers wishing to operate in the UK must be specifically produced against the UK eIDAS Regulation and for the trust service provider's UK established legal entity. The subject of a conformity assessment report must be a UK legal entity owning the trust services. This means a conformity assessment report produced for an existing non-UK qualified trust service provider, e.g., an EU qualified trust service provider, cannot be accepted directly by the ICO as part of the required notification process documentation.
- Conformity assessment reports produced by an EU accredited conformity assessment body may be used by a UK accredited conformity assessment body as part of its assessment for UK based services. This would require the UK conformity assessment body to have an outsourcing agreement with the EU conformity assessment body (See ISO 17065, 6.2.2), satisfy itself that the EU produced conformity assessment report was fit for purpose, and carry out any additional auditing to meet the UK requirements.
- Where a conformity assessment body is accredited in the UK for performing UK eIDAS assessments and also accredited in the EU for undertaking EU eIDAS assessments, the ICO will accept a conformity assessment report issued against the UK eIDAS Regulations which is based on the results of a single conformity assessment undertaken by the conformity assessment body which covers both jurisdictions. It is expected this would also require approval of the relevant EU supervisory body should a trust service provider and conformity assessment body wish to pursue this approach.
- Conformity assessment reports for UK qualified trust service providers must contain the information specified by the ICO in its qualified trust service provider notification form.
- UK services must be identified as such in trust service provider documentation e.g., certificate policy and certification practice statement documents for qualified certificate services.
- Where a qualified trust service provider operates services in the UK and the EU, it is not necessary for separate service documents to exist, e.g., a separate certificate policy for the UK services and one for the EU services. All documentation should, however, clearly distinguish UK services from EU services. For example, it is not possible to use an existing EU based certificate policy directly for a UK service without modification to make the policy applicable to both EU and UK services.
- Users of qualified trust service provider services (subscribers, relying parties) shall contract with the qualified trust service provider's UK legal entity for the provision of the services. Any associated documentation, e.g., subscriber or relying party agreement, should also support this.
- It should be clear to service users that trust service outputs e.g., qualified certificates for signatures or seals issued from UK qualified trust service provider services, are issued in compliance with the UK eIDAS Regulation. These are legally distinct from those issued under the EU eIDAS Regulation.
- ICO approved qualified services operating in accordance with UK eIDAS Regulations are not recognised within the EU, and therefore UK qualified trust service outputs, e.g., qualified certificates for signatures or seals, do not carry qualified status under the EU eIDAS Regulation. The UK, however, recognises qualified trust services operating under the EU eIDAS Regulation, and thus EU qualified trust service provider trust service outputs are recognised as legally equivalent; e.g., a qualified electronic signature created using an EU issued qualified certificate would have the same legal recognition as a qualified electronic signature created using a qualified certificate issued by a UK qualified trust service provider.
- UK qualified trust services must use separate trusted list service digital identities if the same service types are also provided under the EU eIDAS Regulation or other regime.
- UK qualified certificate based services should use different certificate policy object identifiers (OIDs) if the equivalent services are also provided under the EU eIDAS Regulation or other regime.
- Qualified trust service provider termination plans must align with the ENISA guidelines. See Guidelines on Termination of Qualified Trust Services — ENISA (europa.eu).
- A qualified trust service provider may provide services in the UK and the EU using shared service components and practices, provided the UK eIDAS Regulation is met for UK provided services, the EU eIDAS Regulation is met for EU provided services, and any risks introduced to services through the use of such sharing are identified and addressed as part of the qualified trust service provider’s risk management process. Prospective UK qualified trust service providers who currently provide equivalent services under the EU eIDAS Regulation or other regime, or intend to do so, are advised to check with the relevant body in other jurisdictions regarding the use of shared service components and practices.
- Qualified signature creation devices (QSCDs) certified in accordance with the EU eIDAS regulation are acceptable for use in the UK.
- Where remote identity proofing is used, the ICO shall review and approve the mechanisms used before their first use in qualified services.