At a glance

  • Qualified trust services can only be offered by a qualified provider.
  • They must comply with specific requirements to ensure a higher degree of security, integrity and authenticity.

In brief

What are the rules on qualified electronic signatures?

Qualified electronic signatures must:

  • be offered by a qualified trust service provider;
  • meet the specific requirements for an advanced signature;
  • be created using a qualified creation device; and
  • be supported by a qualified certificate.

The requirements for advanced and qualified electronic signatures are set out in article 26. They must be uniquely linked to an identifiable signatory who has sole control of the data used to create the signature. They must also ensure that any changes made to the signed data can be detected.

Qualified electronic signature creation devices (the hardware or software used to create the signature) must meet the requirements in annex II of the Regulation and must be certified by a designated body in line with security assessment standards laid down by the EU Commission. There is no designated body in the UK, but providers can use creation devices certified in other European member states. The Commission publishes a list of all designated bodies and certified creation devices in the EU.

Qualified certificates for electronic signatures (the supporting data that verifies the signature is valid and links it to the named signatory) must include all of the details listed in annex I of the Regulation, including your advanced electronic signature or seal as the qualified provider. You must verify the identity of the signatory, and keep a record of all the qualified certificates you issue. Please read the Qualified trust service providers section of this guide for more information on identity verification and record-keeping.

If you are confirming the validity of a qualified electronic signature to end-users, you must follow the validation criteria in article 32. If you are a qualified provider, you can offer qualified validation services if your process gives automated, reliable and efficient results which bear your advanced electronic signature or seal.

You can also offer a qualified preservation service to guarantee qualified electronic signatures for an extended period of time, if you have the procedures and technology to do so.

What are the rules on qualified electronic seals?

The rules on qualified electronic seals are essentially the same as those on qualified electronic signatures. They must:

  • be offered by a qualified trust service provider;
  • meet the specific requirements for an ‘advanced’ seal;
  • be created using a ‘qualified creation device’; and
  • be supported by a ‘qualified certificate’.

The requirements for ‘advanced’ and ‘qualified’ seals are set out in article 36. They must be uniquely linked to an identifiable organisation who has sole control of the data used to create the seal. They must also ensure that any changes made to the sealed data can be detected.

Qualified electronic seal creation devices (the hardware or software used to create the seal) must meet the requirements in annex II of the Regulation and must be certified by a designated body in line with security assessment standards laid down by the EU Commission. There is no designated body in the UK, but providers can use creation devices certified in other European member states. The Commission publishes a list of all designated bodies and certified creation devices in the EU.

Qualified certificates for qualified electronic seals (the supporting data that verifies the seal is valid and links it to the named organisation) must include all of the details listed in annex III of the Regulation, including your advanced electronic signature or seal as the qualified provider. You must verify the identity of the organisation using the seal, and keep a record of all the qualified certificates you issue. Please read the Qualified trust service providers section of this guide for more information on identity verification and record-keeping.

If you are confirming the validity of a qualified electronic seal to end-users, you must follow the validation criteria in article 32. If you are a qualified provider, you can offer qualified validation services if your process gives automated, reliable and efficient results which bear your advanced electronic signature or seal.

You can also offer a qualified preservation service to guarantee qualified electronic seals for an extended period of time, if you have the procedures and technology to do so.

What are the rules on qualified electronic time stamps?

The extra requirements for qualified electronic time stamps are in article 42. To provide this service you must:

  • be a qualified trust service provider;
  • use a method of binding the date and time to the data that is reasonably certain to prevent undetectable changes;
  • use a time source linked to Coordinated Universal Time (UTC); and
  • sign or seal it with your advanced electronic signature or seal.

What are the rules on qualified electronic registered delivery services?

The extra requirements for qualified electronic registered delivery services are in article 44. To provide this service you must:

  • be a qualified trust service provider;
  • ensure the identity of the sender ‘with a high level of confidence’;
  • ensure the identity of the receiver of the document before delivery;
  • apply your own advanced electronic signature or seal to the document to prevent any undetectable changes in transit; and
  • use a qualified electronic time stamp to indicate when a document is sent, received or changed.

What are the rules on qualified website authentication certificates?

Qualified website authentication certificates must include all of the details listed in annex IV of the Regulation, including your advanced electronic signature or seal as the qualified provider.