A QTSP (Qualified Trust Service Provider) is a TSP who provides one or more qualified trust services (QTS) and is granted the qualified status by the national supervisory body. The decision of the supervisory body to grant the qualified status is reflected in the corresponding national Trusted List. In this respect, QTSPs are mandatorily listed in the corresponding national Trusted List while TSP could be but are not mandatorily listed in these Trusted Lists.
Trusted Lists, and therefore the providers listed in it, can be browsed in a user-friendly way using the Trusted List Browser. The actual content of these Trusted Lists is managed and published by each Member State and ‘Trusted List Browser’ is “merely” browsing these Trusted Lists.
The qualified trust service provider plays an important role in the process of qualified electronic signing. The trust service providers must be given qualified status and permission for a supervisory government body to provide qualified digital certificates which can be used to create qualified electronic signatures. eIDAS requires that the EU will maintain an EU Trust List that lists the providers and services that have received qualified status. A trust service provider is not entitled to provide qualified trust services if they are not on the EU Trust List.
Trust service providers that are on the EU Trust List are required to follow the strict guidelines established under eIDAS. They need to provide stamps valid in time and date, when creating certificates. Signatures that have expired certificates need to be revoked immediately. The EU obliges the trust service providers to deliver appropriate training for all personnel employed by the trust service provider. They shall further provide tools such as software and hardware that is trustworthy and capable of preventing forgeries of the certificates that are produced.
TSPs are responsible for assuring the electronic identification of signatories and services by using strong mechanisms for authentication, digital certificates and electronic signatures. eIDAS defines how Trust Service Providers perform authentication and non-repudiation services and how they are to be regulated and recognized throughout EU member states.
Difference between a generic trust service provider and a qualified trust service provider?
A trust service provider may offer:
- Electronic signatures
- Electronic seals
- Timestamps
- Registered delivery services
- Certificates for website authentication
- And more services…
They can provide just one or several of these services. There are two types of trust services, generic and qualified. Only a QTSP can offer a qualified version of the services, and in a way you can call it some kind of an “insurance”.
Depending on the type of security you need and the requirements of the country you work in, you may or may not actually need qualified trust services. Most times, a regular trust services will do the job for you. But if you are looking for higher confidence in the services delivered, you should choose a QTSP, which can offer both regular and qualified trust services.