Annual Incident Analysis Report for the Trust Service Providers


One year after the eIDAS Regulation entered into force, ENISA publishes the first comprehensive overview of the annual summary reporting by the Member States.

Article 19 of the eIDAS Regulation requires providers of trust services to assess risks, to take appropriate security measures to mitigate those risks, and to notify significant incidents and breaches to their supervisory body.

Article 19 also addresses various types of incident reporting to other stakeholders involved in its implementation, e.g. users, data protection authorities, competent national bodies for information security and ENISA. The EU Member States should therefore analyse and implement these notification flows efficiently in order to comply with the incident notification requirements of the Regulation.

In 2014, after eIDAS was adopted, ENISA formed an expert group to work together with specialists from competent authorities on the application of Article 19 and, more generally, on security incidents in trust services.

Only one incident was registered during the reference period, the second half of 2016. The incident concerned the validation of qualified certificates for electronic signatures, and its root cause was a system failure due to an update. The TSP dealt promptly with the issue and took appropriate measures to avoid its recurrence.

To download the full report: Annual Incident Analysis Report for the Trust Service Providers

Background information:

The regulation for electronic identification and trust services ‘Regulation (EU) No 910/2014’ – also known as ‘the eIDAS Regulation’ – was adopted on 23 July 2014.

The eIDAS Regulation enables the use of electronic identification and trust services by citizens, businesses and public administrations, to access online services or manage electronic transactions.

eIDAS plays an important role in fulfilling the Digital Single Market strategy, as it provides one common legal framework for all parties relying on or providing electronic transaction services.

The eIDAS Regulation introduces the notions of ‘qualified trust service’ and ‘qualified trust service provider’ with the purpose of further enhancing the trust of small and medium-sized enterprises (SMEs) and consumers in the internal market. These notions set out the requirements and obligations that ensure a high level of security; as a consequence, qualified trust services are granted a higher presumption of legal effect.

More on ENISA’s activities in the area of incident reporting: https://www.enisa.europa.eu/topics/incident-reporting

For more information on incident reporting, please contact us at incidents@enisa.europa.eu.