At a glance
In this guide we’ve tried to keep jargon to a minimum. However, there are a few key defined terms, including:
- trust service: an electronic signature, electronic seal, electronic time stamp, electronic registered delivery service or website authentication certificate, designed to show that electronic data is authentic and can be trusted.
- qualified trust service: a trust service that meets extra authentication and security standards and is offered by a ‘qualified’ provider.
- trust service provider: any organisation providing trust services.
- qualified trust service provider: an organisation providing qualified trust services and granted qualified status by the ICO.
- What is a ‘trust service’?
- What is a ‘qualified trust service’?
- What is a ‘trust service provider’?
- What is a ‘qualified trust service provider’?
- What is an ‘electronic signature’?
- What is an ‘electronic seal’?
- What is an ‘electronic time stamp’?
- What is an ‘electronic registered delivery service’?
- What is a ‘certificate related to those services’?
- What is a ‘certificate for website authentication’?
- What is a ‘conformity assessment body’?
A trust service is an electronic service which helps to confirm that an online document or other electronic data is sent from a trusted source, is authentic and hasn’t been tampered with. It aims to ensure legal certainty, trust and security in electronic transactions. There are five specific types of trust service covered by the Regulation:
- electronic signatures;
- electronic seals;
- electronic time stamps;
- electronic registered delivery services; and
- website authentication certificates.
The full definition of trust service is in article 3 of the eIDAS Regulation:
“an electronic service normally provided for remuneration which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services”.
Qualified trust services are the most sophisticated and reliable form of trust service. They must meet specific requirements set out in the Regulation to ensure a higher degree of security and stricter methods of authentication and validation, and can only be offered by qualified trust service providers.
A trust service provider is anyone who provides a trust service. This term includes both qualified and non-qualified trust service providers.
A qualified trust service provider is an organisation providing qualified trust services that has been granted qualified status by the ICO. A qualified trust service provider must comply with extra requirements set out in the Regulation and demonstrate their compliance via an assessment process.
Qualified trust service providers can use an EU trust mark and are listed on a ‘trusted list’. The UK’s trusted list is run by TScheme.
An electronic signature is defined in article 3 as:
“data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
As you might expect, this means an electronic signature is any method an individual uses to ‘sign’ an electronic document. This covers a wide range of measures, from the simple act of affixing typed text or a digital image of a signature, to more sophisticated cryptographic methods which meet the specific criteria set out in the Regulation for advanced or qualified electronic signatures. Electronic signatures are admissible as evidence in court.
Advanced electronic signatures meet the extra requirements set out in article 26 of the Regulation. They are more reliably linked to the person signing the document, and can detect any changes made afterwards.
Qualified electronic signatures have the same features as advanced electronic signatures, but are created using more sophisticated technology, meet a higher standard of security, meet stricter validation criteria, and are supported by a more detailed certificate. They have the same legal effect as a handwritten signature.
An electronic seal is defined in article 3 as:
“data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity”.
Electronic seals allow companies and other corporate bodies to ‘sign’ electronic documents and certify them as genuine, in the same way as an individual can use an electronic signature. They are admissible as evidence in court. As with electronic signatures, there are advanced and qualified electronic seals offering additional benefits to basic electronic seals.
Advanced electronic seals meet the extra requirements set out in article 36 of the Regulation. They are more reliably linked to the organisation creating the seal, and can detect any changes made afterwards.
Qualified electronic seals have the same features as advanced electronic seals, but are created using more sophisticated technology, meet a higher standard of security, meet stricter validation criteria, and are supported by a more detailed certificate.
An electronic time stamp proves that particular data existed at a particular time and hasn’t been changed since then. It is defined in article 3 of the Regulation as:
“data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time”.
‘Qualified’ electronic time stamps display more detailed authentication information and are required to meet a higher standard of security.
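To make the two properties described above concrete, that a seal ensures a document’s origin and integrity and that a time stamp binds data to a particular time, here is a simplified model in Go. It is an added illustration, not part of this guide or of any provider’s product: the key pairs, the sample document and the fixed Unix time are constructed for the demonstration, and real trust services use standardised token formats rather than this toy layout.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// CreateSeal: the organisation signs the SHA-256 hash of the document with its key.
func CreateSeal(priv ed25519.PrivateKey, doc []byte) []byte {
	h := sha256.Sum256(doc)
	return ed25519.Sign(priv, h[:])
}

// VerifySeal passes only for the exact bytes that were sealed, signed by the
// key behind pub: the "origin and integrity" property of an electronic seal.
func VerifySeal(pub ed25519.PublicKey, doc, seal []byte) bool {
	h := sha256.Sum256(doc)
	return ed25519.Verify(pub, h[:], seal)
}

// TimeStamp is the time-stamping authority's signature over hash || big-endian Unix time.
type TimeStamp struct {
	Unix int64
	Sig  []byte
}
func tstBytes(h [32]byte, unix int64) []byte {
	buf := make([]byte, 40)
	copy(buf, h[:])
	binary.BigEndian.PutUint64(buf[32:], uint64(unix))
	return buf
}
// IssueTimeStamp: the authority signs only the hash, never the document itself.
func IssueTimeStamp(tsaPriv ed25519.PrivateKey, docHash [32]byte, unix int64) TimeStamp {
	return TimeStamp{Unix: unix, Sig: ed25519.Sign(tsaPriv, tstBytes(docHash, unix))}
}
// VerifyTimeStamp recomputes the hash and checks the signature over hash || time,
// so neither the data nor the claimed time can be altered afterwards.
func VerifyTimeStamp(tsaPub ed25519.PublicKey, doc []byte, ts TimeStamp) bool {
	h := sha256.Sum256(doc)
	return ed25519.Verify(tsaPub, tstBytes(h, ts.Unix), ts.Sig)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed demo key, not a provider's key
	doc := []byte("constructed sample contract v1")
	seal := CreateSeal(priv, doc)
	fmt.Println(VerifySeal(pub, doc, seal), VerifySeal(pub, []byte("constructed sample contract v2"), seal))
}
```

A real verifier would additionally check the certificate behind the key against a trusted list, which this model leaves out.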
An electronic registered delivery service is defined in article 3 as:
“a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations”.
In other words, electronic registered delivery services act as a kind of secure online proof of posting or recorded delivery service. They provide proof that information was sent and received electronically, and that it was not intercepted or altered on the way.
Qualified electronic registered delivery services display more detailed authentication information and are required to meet a higher standard of security.
A certificate for electronic signature or seal is an “electronic attestation” containing the data that verifies the signature or seal is valid and links it back to a specific named person. In very basic terms, a certificate in this context is the underlying digital data that makes a trust service work and confirms the origin and authenticity of the signed or sealed document.
A qualified certificate must be issued by a qualified trust service provider and include the specific information set out in the annexes to the Regulation.
A certificate for electronic signature or seal is different from a certificate for website authentication, which is a specific form of trust service in itself.
Certificates for website authentication identify the person or company behind a website and help to verify that the website is genuine. They are defined in article 3 as:
“an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued”.
In this guide we generally use the term ‘website authentication certificates’.
Qualified website authentication certificates must be issued by a qualified trust service provider, display more detailed authentication information and are required to meet a higher standard of security.
Conformity assessment bodies play a key role if you want to become a qualified trust service provider. If you want to gain qualified status, you must first ask a conformity assessment body to look at whether you meet the relevant requirements and produce a ‘conformity assessment report’. Read the section of this guide on becoming a qualified trust service provider for more on this process.
Conformity assessment bodies must be formally accredited by the UK Accreditation Service (UKAS). The ICO is not involved in accrediting or overseeing these bodies. You can contact UKAS for more information. A list of accredited bodies is published by the EU Commission.