At a glance
In this guide we’ve tried to keep jargon to a minimum. However, there are a few key defined terms, including:
- trust service: a service designed to protect electronic data and demonstrate that it can be trusted, for example by showing that data is authentic or hasn't been tampered with, or by identifying the originator of the data (e.g. a person or organisation).
- qualified trust service: a trusted service, supported by UK law, that meets the requirements of the UK eIDAS Regulations and is offered by a ‘qualified’ trust service provider.
- trust service provider: any organisation or person providing trust services.
- qualified trust service provider: an organisation or person providing qualified trust services and granted qualified status by the ICO.
- What is a ‘trust service’?
- What is a ‘qualified trust service’?
- What is a ‘trust service provider’?
- What is a ‘qualified trust service provider’?
- What is an ‘electronic signature’?
- What is an ‘electronic seal’?
- What is an ‘electronic time stamp’?
- What is an ‘electronic registered delivery service’?
- What is a ‘certificate related to those services’?
- What is a ‘certificate for website authentication’?
- What is a ‘conformity assessment body’?
Trust services aim to ensure trust, security and legal certainty in electronic transactions. An example is an electronic service which helps to confirm that electronic data (e.g. a document) is sent from a trusted source, is authentic and hasn’t been tampered with.
There are five specific types of trust service covered by the UK eIDAS Regulations:
- electronic signatures;
- electronic seals;
- electronic time stamps;
- electronic registered delivery services; and
- website authentication certificates.
The full definition of trust service is in UK eIDAS Regulations Article 3:
“an electronic service normally provided for remuneration which consists of:
(a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or
(b) the creation, verification and validation of certificates for website authentication; or
(c) the preservation of electronic signatures, seals or certificates related to those services”.
Qualified trust services are trust services which have been assessed by an eIDAS accredited assessment body and granted qualified status by the ICO. By meeting the requirements set out in the UK eIDAS Regulation they provide a high degree of confidence and trustworthiness, e.g. via stringent methods of authentication and validation of service users and the adoption of strong operational security controls. Qualified trust services have special recognition in UK law and can only be offered by qualified trust service providers.
A trust service provider is anyone who provides a trust service. This term includes both qualified and non-qualified trust service providers.
A qualified trust service provider is an organisation providing qualified trust services that has been granted qualified status by the ICO. For any UK eIDAS defined qualified trust service, a trust service provider must comply with the requirements for trust service providers set out in the UK eIDAS Regulations and demonstrate their compliance via a process which involves an assessment by an eIDAS accredited assessment body and approval by the ICO.
Following ICO approval, qualified trust service provider information and the qualified services they provide are published on a ‘trusted list’. This list can be used to verify the qualified status of a trust service.
An electronic signature is defined in UK eIDAS Regulation Article 3 as:
“data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign”.
As you might expect, this means an electronic signature is any method an individual uses to ‘sign’ an electronic document. This covers a wide range of measures, from the simple act of affixing text or a digital image, to more sophisticated hi-tech methods which meet specific criteria set out in the UK eIDAS Regulation for advanced or qualified electronic signatures. Electronic signatures are admissible as evidence in court.
Advanced electronic signatures meet the extra requirements set out in UK eIDAS Regulation Article 26. They are required to uniquely link to the person signing the data in electronic form and can detect any changes made to the data within the document afterwards.
Qualified electronic signatures have the same features as advanced electronic signatures, but are created using more sophisticated technology, meet a higher standard of security, meet stricter validation criteria, and are supported by a more detailed certificate. They have the same legal effect as a handwritten signature.
An electronic seal is defined in UK eIDAS Regulations Article 3 as:
“data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity”.
Electronic seals allow companies and other corporate bodies to ‘seal’ electronic documents and certify them as genuine, in the same way as an individual can use an electronic signature. They are admissible as evidence in court. As with electronic signatures, there are advanced and qualified electronic seals offering additional benefits over basic electronic seals.
Advanced electronic seals meet the extra requirements set out in UK eIDAS Regulation Article 36. They are more reliably linked to the organisation creating the seal and, like advanced and qualified electronic signatures, allow detection of any changes made afterwards to the sealed data.
Qualified electronic seals have the same features as advanced electronic seals, but are created using more sophisticated technology, meet a higher standard of security, meet stricter validation criteria, and are supported by a more detailed certificate.
An electronic time stamp proves that particular data existed at a particular time and hasn’t been changed since then. It is defined in UK eIDAS Regulation Article 3 as:
“data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time”.
Qualified electronic time stamp services must be operated by a qualified trust service provider and are required to meet the UK eIDAS requirements for qualified electronic time stamps.
An electronic registered delivery service is defined in UK eIDAS Regulation Article 3 as:
“a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations”.
In other words, electronic registered delivery services act as a kind of secure online proof of posting or recorded delivery service. They provide proof that information was sent and received electronically, and that it was not intercepted or altered on the way.
Qualified electronic registered delivery services must be operated by one or more qualified trust service providers and are required to meet the UK eIDAS Regulation requirements for qualified electronic registered delivery services.
A certificate for an electronic signature or seal is an “electronic attestation” containing the data that verifies the signature or seal is valid and links it back to a specific named person (for signatures) or organisation (for seals). In very basic terms, a certificate in this context is the underlying digital data that makes a trust service work and confirms the origin and authenticity of signed or sealed data e.g. a document.
A qualified certificate must be issued by a qualified trust service provider and include the specific information set out in the annexes to the UK eIDAS Regulation.
A certificate for electronic signature or seal is different from a certificate for website authentication.
Certificates for website authentication identify the person or company behind a website and help to verify that the website is genuine. They are defined in UK eIDAS Regulation Article 3 as:
“an attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued”.
In this guide we generally use the term ‘website authentication certificates’.
Qualified website authentication certificates must be issued by a qualified trust service provider and are required to meet the UK eIDAS Regulation requirements for qualified web authentication certificates.
Conformity assessment bodies play a key role if you want to become a qualified trust service provider. If you want to gain qualified status, you must first ask a conformity assessment body to look at whether you meet the relevant UK eIDAS Regulation requirements for trust service providers and the trust service(s) you wish to provide. The conformity assessment body will conduct an assessment and produce a ‘conformity assessment report’ that is provided to the ICO for review. Read the section of this guide on becoming a qualified trust service provider for more on this process.
UK conformity assessment bodies must be formally accredited by the UK Accreditation Service (UKAS). The ICO is not involved in accrediting or overseeing these bodies. You can contact UKAS for more information on organisations that have been accredited by UKAS as UK eIDAS Regulation conformity assessment bodies.