At a glance

  • Qualified trust services can only be offered by a qualified trust service provider.

  • They provide a high degree of confidence and trustworthiness in the service and must comply with the UK eIDAS Regulations requirements for qualified trust services.

In brief

What are the rules on qualified electronic signatures?

Qualified electronic signatures must:

  • meet the specific requirements for an advanced signature;
  • be created using a qualified signature creation device; and
  • be based on a qualified certificate.

The requirements for advanced and qualified electronic signatures are set out in UK eIDAS Regulation Article 26. Advanced and qualified electronic signatures must be uniquely linked to an identifiable signatory who has sole control of the data used to create the signature. They must also ensure that any changes made to the signed data can be detected.

Qualified electronic signature creation devices (the hardware or software used to create the signature) must meet the requirements in annex II of the UK eIDAS Regulation, must be certified by an approved body (designated as such by the UK), and must conform to the security assessment standards stated in UK eIDAS Regulation Article 30.

Qualified certificates for electronic signatures (the supporting data that verifies the signature is valid and links it to the named signatory) must include all of the details listed in annex I of the UK eIDAS Regulation, including the advanced electronic signature or seal of the qualified provider.

The validity of a qualified electronic signature can be confirmed by following the validation criteria in UK eIDAS Regulation Article 32. If you are a qualified trust service provider, you can offer qualified validation services if your process gives automated, reliable and efficient results which bear your advanced electronic signature or seal.

You can also offer a qualified preservation service to guarantee qualified electronic signatures for an extended period of time, if you have the procedures and technology to do so. See UK eIDAS Regulation Article 33.

What are the rules on qualified electronic seals?

The rules on qualified electronic seals are essentially the same as those on qualified electronic signatures. They must:

  • meet the specific requirements for an ‘advanced’ seal;
  • be created using a ‘qualified electronic seal creation device’; and
  • be based on a qualified certificate.

The requirements for advanced and qualified seals are set out in UK eIDAS Regulation Article 36. They must be uniquely linked to an identifiable organisation that has control of the data used to create the seal. They must also ensure that any changes made to the sealed data can be detected.

Qualified electronic seal creation devices are governed by the same rules as qualified signature creation devices discussed in the previous section.

Qualified certificates for qualified electronic seals (the supporting data that verifies the seal is valid and links it to the named organisation) must include all of the details listed in annex III of the UK eIDAS Regulation.

The validity of a qualified electronic seal can be confirmed by following the validation criteria in UK eIDAS Regulation Article 32. If you are a qualified trust service provider, you can offer qualified validation services if your process gives automated, reliable and efficient results which bear your advanced electronic signature or seal.

You can also offer a qualified preservation service to guarantee qualified electronic seals for an extended period of time, if you have the procedures and technology to do so. See UK eIDAS Regulation Article 33.

What are the rules on qualified electronic time stamps?

The requirements for qualified electronic time stamps are stated in UK eIDAS Regulation Article 42. To provide a qualified electronic time stamp service you must:

  • be a qualified trust service provider;

  • use a method of binding the date and time to the data that is reasonably certain to prevent undetectable changes;

  • use a time source linked to Coordinated Universal Time (UTC); and

  • sign or seal the time stamp with your advanced electronic signature or seal.

What are the rules on qualified electronic registered delivery services?

The requirements for qualified electronic registered delivery services are stated in UK eIDAS Regulation Article 44. To provide this service you must be a qualified trust service provider and the service must:

  • ensure the identity of the sender ‘with a high level of confidence’;
  • ensure the identity of the receiver of the document before delivery;
  • apply your own advanced electronic signature or seal to the data being delivered (e.g. a document) to prevent any undetectable changes in transit;
  • clearly indicate any changes to the data required to support its sending or receipt; and
  • use a qualified electronic time stamp to indicate when data is sent, received or changed.

What are the rules on qualified website authentication certificates?

Qualified website authentication certificates must include all of the details listed in annex IV of the UK eIDAS Regulation, including the advanced electronic signature or seal of the qualified trust service provider issuing the certificate.