Qualified trust service provider obligations

At a glance

As well as meeting the requirements for qualified trust services, if you are a qualified trust service provider, you must:

  • take specific minimum security measures;
  • have clear and comprehensive terms and conditions;
  • have robust identity verification for your qualified certificates;
  • keep a qualified certificate database;
  • keep good records of other relevant data;
  • be able to cover any legal claims for damages;
  • notify the ICO of any changes to your services; and
  • have an up-to-date termination plan.

In brief

What specific security measures should we take?

You must always take all appropriate security measures, but there are some specific minimum security requirements for qualified trust service providers set out in UK eIDAS Article 24(2). Read the section in this guide on security measures for more information.

What information should we include in our terms and conditions?

From the outset, you need to provide clear and comprehensive terms and conditions to anyone seeking to use your service. In particular, your terms and conditions must include any limitations on the use of your service.

Although you need to include sufficient detail, you should make your terms as concise as possible, use clear and straightforward language and try to avoid off-putting legal or technical jargon wherever you can.

How should we verify the identity of our customers?

If you are a qualified trust service provider, UK eIDAS Article 24(1) requires you to verify the identity of any individual or organisation to whom you issue a qualified certificate. It sets out four verification options:

  • in person, by the physical presence of the person or authorised representative of the organisation;
  • using electronic ID that was itself originally verified in person, and meets the eIDAS assurance level of “substantial” or “high” set out in EU eIDAS Regulation Article 8;
  • using a certificate of a qualified electronic signature or seal that was itself verified in person or using electronic ID as set out above; or
  • using another method recognised by the UK government which is confirmed by a conformity assessment body as being as reliable as verification in person. If you choose this option you will need to provide evidence that this is the case.

You can carry the verification out yourself or use a subcontractor.

What is a ‘qualified certificate database’?

If you issue qualified certificates (for electronic signatures, seals or website authentication), you must establish a database of those certificates and keep it up to date.

This enables you to keep track of the status of the qualified certificates you issue. It’s up to you to decide exactly what details you include, but as a minimum it should show the status of each certificate – that is, whether it is valid, suspended, expired or revoked. You will therefore need to include a certificate’s issue date, expiry date, and any revocation date.

If you revoke a qualified certificate, you must record the fact in the database and publish this information as soon as possible and within 24 hours. Certificates are considered to have been revoked as soon as this information is published.

You must provide free, reliable, automated information on the status of a qualified certificate to anyone relying on it. This must be available even after a certificate has expired.

What other records do we need to keep?

You must keep accessible records of all relevant information concerning data you have issued and received, to be used as evidence in court if required and to ensure the continuity of the service.

You must keep these records for an appropriate period of time, even if you stop providing trust services.

Do we need liability insurance?

People who rely on your services could take legal action against you if they have suffered damage as a result of you failing to comply with UK eIDAS. As a qualified trust service provider, you would need to prove that the damage was not deliberate and was not caused by your negligence.

UK eIDAS requires you to either maintain sufficient funds to cover any legal claims, or obtain appropriate insurance cover for this risk.

What do we need to tell the ICO?

You need to report any security breaches to us within 24 hours.

You also need to tell us about any changes to the services you offer, or if you intend to stop offering those services.

What is a ‘termination plan’?

You need to create a plan to deal with the issues that will arise if and when you decide to stop providing a qualified trust service. In particular, the plan needs to set out what records you will keep after termination to provide continuity of service and to provide evidence in court if necessary. You also need to include how long this information will be retained. You must keep the plan updated.