Today, on July 1st 2016, the eIDAS* rules for trust services enter into force.
The Regulation strengthens the provisions for interoperability and mutual recognition of electronic identification schemes across borders, enhances current rules for electronic signatures and also expands the scope of Directive 1999/93/EC to other trust services used in electronic transactions.
Trust services are a key element in increasing the confidence of EU citizens and businesses in electronic transactions. As such, the eIDAS Regulation establishes a stable legal framework for five types of trust services, namely electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services and website authentication certificates.
“Electronic identity is the backbone of security on the internet. This work therefore represents an important step forward for Europe,” said ENISA’s Executive Director Udo Helmbrecht.
ENISA supports the implementation of the Regulation in two flows:
1) Activities linked to supporting and providing guidelines for trust service providers. These include studies on:
- Minimum security measures and good security practices for trust services providers
- Common audit schemes for trust services providers in Member States
- Analysis of standards related to TSPs and mapping them to the requirements of the eIDAS Regulation (new!)
- Recommendations for the introduction on the market of qualified website authentication certificates
2) Activities linked to incident notifications, by providing mechanisms for reporting security breaches by the trust service providers to the competent bodies.
Furthermore, the Agency, in collaboration with the European Commission, annually organises the Trust Services Forum, a platform that brings together the communities of trust service providers from the EU Trusted List, conformity assessment bodies and supervisory authorities, providing the opportunity to discuss issues related to the Regulation.
Future work of ENISA in the field
In 2016 ENISA will publish a set of technical recommendations, aimed at facilitating the implementation of the provisions related to trust services in the areas not covered by adopted secondary legislation, which are foreseen to be applied on a voluntary basis by the Member States. These include:
- Procedures for the interaction with trust service providers and conformity assessment bodies. (Article 17)
- Procedures for granting qualified status to a Trust Service Provider. (Article 21)
- Formats and procedures for the initiation of a qualified trust service. (Article 21)
- Minimum content and formats for the conformity assessment report obligatory for the initiation of a qualified trust service. (Article 21)
- Recommended standards to fulfil the requirements of the Trust Service Chapter of the eIDAS Regulation. (Articles 19.4, 24.5, 32.3, 33.2, 34.2, 44.2, 45.2, 28, 38, 42.)
- Risk management and security measures for TSPs. (Article 19.a.)
The Agency also plans on developing a series of documents and informative material to support relying parties and end users of qualified trust services included in the eIDAS Regulation to securely use these services.
* Regulation (EC) 910/2014 on electronic identification and trusted services for electronic transactions in the internal market