At a glance
- You must take appropriate measures to safeguard the security of trust services. This means identifying security risks and taking reasonable action to mitigate them.
- Qualified trust service providers need to take some specific security measures.
- Wherever feasible, you should make trust services accessible for people with disabilities.
- What does the law say about security measures?
- What must we do to comply?
- What are ‘appropriate measures’?
- Do qualified trust service providers need to do more?
- When do we need to ‘inform stakeholders of adverse effects’?
- What are the rules on accessibility?
What does the law say about security measures?
Article 19 of the eIDAS Regulation sets out trust service providers’ security obligations. Article 19(1) says:
“Qualified and non-qualified trust service providers shall take appropriate technical and organisational measures to manage the risks posed to the security of the trust services they provide. Having regard to the latest technological developments, those measures shall ensure that the level of security is commensurate to the degree of risk. In particular, measures shall be taken to prevent and minimise the impact of security incidents and inform stakeholders of the adverse effects of any such incidents.”
What must we do to comply?
If you are a trust service provider, you need to have appropriate security measures to prevent the services you offer being accidentally or deliberately compromised. In particular, you need to:
- carry out regular risk assessments of the security of your trust services;
- identify and classify security risks according to degree of risk posed and the harm that could result;
- make sure you have appropriate technical security and organisational measures to mitigate those risks, including robust policies and procedures and reliable, well-trained staff; and
- respond to any security incidents that do occur swiftly and effectively to help prevent and minimise their impact.
What are ‘appropriate measures’?
An appropriate measure is one that is proportionate to the risks it safeguards against. You don’t always have to have state-of-the-art security technology to protect your trust service, but you should regularly review your security measures as technology develops.
Although there is no one-size-fits-all solution to information security, you may find it useful to refer to the security section of the ICO’s guide to the GDPR to understand our approach to ‘appropriate technical and organisational measures’ to safeguard personal data.
Do qualified trust service providers need to do more?
All trust service providers must take appropriate security measures, but if you are a qualified trust service provider you also need to comply with some more specific minimum security requirements set out in article 24(2). You should look at these carefully as the requirements are quite specific, but in summary you need to:
- employ reliable staff and subcontractors with the necessary expertise, experience and qualifications;
- ensure staff and subcontractors have received appropriate security and data protection training;
- use trustworthy, secure and reliable products and systems;
- ensure your systems have appropriate access controls to protect data from unauthorised access or modification and ensure that unauthorised changes are detectable;
- implement internal processes and procedures that support the security of the trust service and protect against forgery and theft;
- ensure personal data is processed in line with data protection legislation.
When do we need to ‘inform stakeholders of adverse effects’?
You need to consider whether it is necessary to inform your customers and anyone else who might be affected by a security incident about the harm that could be caused by the incident. In some cases this could include a public statement. Read the breach reporting section of this guide for more information.
What are the rules on accessibility?
You must make trust services accessible for people with disabilities wherever it’s feasible to do so.
In particular, you need to comply with any relevant UK equality laws (such as the Equality Act 2010) to ensure your trust service is accessible to people with a disability.