Paperless transactions: How to get the best from the EU regulation
25/06/2019

Large companies, SMEs and individuals can now complete electronic transactions in a fully legal way, even across borders, thanks to the EU’s eIDAS Regulation. But for the highest level of security, you need to involve a Qualified Trust Services Provider.

The eIDAS Regulation provides a framework for people and organisations when they use electronic trust services, such as electronic signatures or seals, time stamps, registered delivery services and certificates for website authentication. It defines the standards that the products and solutions supporting these services need to comply with. The overall objective is to help citizens, businesses and public authorities interact electronically, making paperless transactions convenient and safe.

No paper? No problem.

Thanks to eIDAS, purely electronic evidence has to be accepted. Courts, in particular, shall not deny legal effect and admissibility to electronic documents as evidence in legal proceedings solely on the grounds that they are in electronic form. So, if an individual or organisation wants to complete a transaction electronically – whether they’re registering as a student at a foreign university or tendering for a contract – they can do it legally from anywhere in Europe. To add trust to the transaction, they can make use of a trust service such as an electronic signature service or a time-stamping service.

As well as saving the time and costs related to using paper, the eIDAS Regulation ensures cross-border recognition of national electronic identities and of the trust services supporting electronic transactions. This boosts security and convenience further, and supports the interoperability of systems across Europe.

Trust services you can trust

So the potential benefits of the eIDAS Regulation are far-reaching.
But for the electronic trust services that support paperless transactions to work smoothly and securely, they should be set up and managed by the right kind of provider – preferably a Qualified Trust Services Provider (QTSP).

There are two types of trust services – generic and qualified – and the difference between a QTSP and a non-qualified provider comes down to which of these they can provide. A non-qualified provider can get involved only with generic services, which don’t require the same level of legal confirmation as their qualified equivalent. But these providers still have to meet requirements in accessibility, personal data protection, and managing risk and security – and they are liable for damages caused intentionally or negligently to any individual or organisation due to a failure to comply with the eIDAS obligations.

Qualified trust services require the highest level of trust, and this is where you should involve a QTSP. To find one, look for the ‘EU trust mark for qualified trust services’, which is the distinctive logo at the top of the pyramid diagram below. This is your guarantee of quality and trustworthiness in qualified trust services. It isn’t yet another ‘quality mark’ with little or no foundation. As the pyramid shows, the eIDAS Regulation imposes a consistent set of quality and security requirements and obligations for QTSPs and the services they provide. These aim to enhance the trust of consumers and enterprises (SMEs in particular) in the electronic market, and to promote the use of qualified trust services and products.

Confidence through rigorous assessment

The supervisory regime requires QTSPs and their qualified trust services to pass a conformity assessment every two years: an accredited auditor issues a conformity assessment report confirming that they fulfil the requirements of the eIDAS Regulation. National supervisory bodies decide whether to grant qualified status to (or withdraw it from) trust services and trust service providers.
These decisions are published in electronically signed or sealed national trusted lists, suitable for automated processing.

The pyramid of trust for qualified trust services established by the eIDAS Regulation also relies on, and is strengthened by, the use of best practices and standards. To ensure uniform conditions for implementing the regulation, the European Commission has powers to set implementation specifications and to provide standards with reference numbers, whose use indicates compliance with certain requirements.

An easier life for QTSP customers

Although those using a QTSP to set up qualified trust services are obliged to carry out certain procedures – such as the secure registration of the services – in most cases they have to do this only once. And for some procedures, their QTSP can take care of everything. So from a customer’s perspective, using a QTSP to establish and manage qualified services is relatively easy – especially as the burden of proof in cases of damages falls on the QTSP. Also, the legal value of qualified trust services is very clear, and the tools provided by eIDAS – such as the trust mark and machine-processable trusted lists – mean the services can be automatically recognised by off-the-shelf applications.

New technology, more benefits

As well as helping provide consistent levels of trust, the use of standards in the eIDAS Regulation also makes it easier to develop interoperable and off-the-shelf solutions for different aspects of electronic trust services. And new solutions can be developed to improve services, even if there isn’t yet a related standard, as long as they comply with eIDAS requirements.

It’s now a few years since the eIDAS Regulation came into force, and the market seems to be self-regulating.
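To show what “machine-processable trusted lists” means in practice, here is an added example (not code from the article or from SEALED) that looks up a certificate in a constructed, simplified national trusted list using the element names and status URIs of the ETSI TS 119 612 trusted-list format, and decides whether the matching service is a currently granted qualified service. It assumes the placeholder certificate bytes and sample list shown, and it does not verify the list’s own XML signature, which a real validator must do first.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
NS = {"tsl": "http://uri.etsi.org/02231/v2#"}  # ETSI TS 119 612 trusted-list namespace
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"
QUALIFIED_TYPES = {"http://uri.etsi.org/TrstSvc/Svctype/CA/QC",     # CA issuing qualified certs
                   "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST"}  # qualified time-stamping
# Constructed, simplified national list. X509Certificate holds base64 of placeholder bytes,
# not real DER certificates; a real list is also XMLDSig-signed, which is not modelled here.
CA_QC, TSA_OLD, CA_PKC = b"PLACEHOLDER-CA-QC", b"PLACEHOLDER-TSA-OLD", b"PLACEHOLDER-CA-PKC"
def _svc(name, stype, status, der):  # one TSPService element of the sample list
    return (f"<tsl:TSPService><tsl:ServiceInformation>"
            f"<tsl:ServiceTypeIdentifier>{stype}</tsl:ServiceTypeIdentifier>"
            f"<tsl:ServiceName><tsl:Name xml:lang='en'>{name}</tsl:Name></tsl:ServiceName>"
            f"<tsl:ServiceDigitalIdentity><tsl:DigitalId><tsl:X509Certificate>"
            f"{base64.b64encode(der).decode()}</tsl:X509Certificate></tsl:DigitalId>"
            f"</tsl:ServiceDigitalIdentity><tsl:ServiceStatus>{status}</tsl:ServiceStatus>"
            f"</tsl:ServiceInformation></tsl:TSPService>")

def _tsp(name, *services):  # one TrustServiceProvider element of the sample list
    return (f"<tsl:TrustServiceProvider><tsl:TSPInformation><tsl:TSPName>"
            f"<tsl:Name xml:lang='en'>{name}</tsl:Name></tsl:TSPName></tsl:TSPInformation>"
            f"<tsl:TSPServices>{''.join(services)}</tsl:TSPServices></tsl:TrustServiceProvider>")

SAMPLE_TSL = (f"<tsl:TrustServiceStatusList xmlns:tsl='{NS['tsl']}'><tsl:TrustServiceProviderList>"
    + _tsp("Example QTSP",
           _svc("Qualified CA", "http://uri.etsi.org/TrstSvc/Svctype/CA/QC", GRANTED, CA_QC),
           _svc("Old TSA", "http://uri.etsi.org/TrstSvc/Svctype/TSA/QTST", WITHDRAWN, TSA_OLD))
    + _tsp("Example non-qualified TSP",
           _svc("Plain CA", "http://uri.etsi.org/TrstSvc/Svctype/CA/PKC", GRANTED, CA_PKC))
    + "</tsl:TrustServiceProviderList></tsl:TrustServiceStatusList>")

def lookup_service(tsl_xml, cert_der):
    """Match cert_der (by SHA-256 of its DER bytes) against the listed certificates and report
    whether that service is a currently granted qualified service (current status only)."""
    want = hashlib.sha256(cert_der).digest()
    for tsp in ET.fromstring(tsl_xml).iterfind(".//tsl:TrustServiceProvider", NS):
        for info in tsp.iterfind(".//tsl:TSPService/tsl:ServiceInformation", NS):
            listed = info.iterfind(".//tsl:DigitalId/tsl:X509Certificate", NS)
            if not any(hashlib.sha256(base64.b64decode(c.text)).digest() == want for c in listed):
                continue
            stype = info.findtext("tsl:ServiceTypeIdentifier", namespaces=NS)
            status = info.findtext("tsl:ServiceStatus", namespaces=NS)
            return {"provider": tsp.findtext(".//tsl:TSPName/tsl:Name", namespaces=NS),
                    "service": info.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                    "type": stype, "status": status,
                    "qualified": stype in QUALIFIED_TYPES and status == GRANTED}
    return None  # not listed: nothing in the trusted list vouches for this certificate
```

A validator checking a signature made at an earlier date would also have to walk the ServiceHistory elements, since a service may have been granted then and withdrawn since.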
The European Commission is referencing very few standards – and auditors, professional organisations like the CA/Browser Forum, and private companies like Adobe have chosen which standards they want QTSPs to be audited against.

One result of this flexibility in using the standards is the rise of interoperable solutions that help individuals and organisations at both ends of an electronic transaction communicate in an open, trustworthy way. For example, one person’s qualified electronic signature, created by a trusted signature-creation service in one country, can be validated by someone else in another country, thanks to an application on the latter’s laptop. The two don’t need to share the same application or provider. Another example is sending and receiving electronic registered mail without the sender and receiver being customers of the same service provider.

Not only can these applications understand each other by ‘speaking’ the same standardised language, but – thanks to the national trusted lists mentioned earlier – they can also let their users know whether or not a trust service output is qualified.

QTSP status makes a vital difference to paperless interactions. Fortunately, the regulation that specified this status has encouraged the development of technology that makes it very easy to identify.

About the author

Sylvie Lacroix, CISA (Certified Information Systems Auditor), Managing Director of SEALED, is an eSecurity consultant with more than 20 years of experience. With a Master’s degree from the Ecole Polytechnique de Louvain as technical background, Sylvie started her career as a researcher in cryptography at UCL. She acquired significant experience in the business representation and exploitation of security, cryptography and PKI topics. Sylvie participated in the implementation of major projects within Europe and beyond, such as national eID card and ePassport projects.
Sylvie was an expert for several European studies on eSignatures that served as a milestone in drafting the eIDAS Regulation. She has worked for prestigious organisations such as European governments, the European Commission, large enterprises, and CEN and ETSI, the two major European standardisation bodies. Sylvie leads the ETSI Special Task Force on signature validation (STF 524) and is also the editor of security policies for TSPs.