Trust Services
Under the European Digital Identity Regulation, the definition of trust services is broader than under the original eIDAS Regulation. The following trust services are covered:
Certificates for electronic signatures, certificates for electronic seals, certificates for website authentication or certificates for the provision of other trust services
The European Digital Identity Regulation maintains the legal framework for certificates, in particular the various certificates tailored to specific purposes: certificates for electronic signatures, for electronic seals, for website authentication, and for the provision of other trust services. A certificate is defined as an electronic attestation of the identity of the person to whom it is issued and serves as evidence to facilitate certain actions. The distinction between qualified and non-qualified certificates is maintained; it depends on the status of the trust service provider and on the level of reliability of the attested information. The only addition with regard to certificates is the ability to request and store them, whatever their type, in the European Digital Identity Wallet.
Electronic signatures
The European Digital Identity Regulation maintains the legal framework for electronic signatures, which are created and used by natural persons to sign a document or data. The distinction among electronic signatures, advanced electronic signatures, and qualified electronic signatures is maintained, with the latter having the same legal effect as handwritten signatures throughout the Union. The new Regulation makes qualified electronic signatures free of charge for all natural persons for non-professional purposes when created by means of the European Digital Identity Wallet.
Electronic seals
The European Digital Identity Regulation modifies neither the definition of electronic seals nor their creation, validation or preservation. Electronic seals are created and used by legal persons to ensure the origin and integrity of data or documents. The Regulation also maintains the distinction between electronic seals, advanced electronic seals, and qualified electronic seals.
Electronic Attestations of Attributes
The European Digital Identity Regulation introduces the issuance of Electronic Attestations of Attributes (EAAs) as a new trust service. An EAA is defined as an attestation in electronic form that allows attributes to be authenticated. According to Article 45b(1), these attestations cannot be denied legal effect or admissibility as evidence in legal proceedings solely because they are in electronic form. The service may be qualified or non-qualified, depending on the status of the trust service provider; non-qualified EAAs must still be admitted and recognised in legal proceedings, but their cross-border recognition is not mandatory. EAAs can also be issued by a public sector body responsible for an authentic source, or by an organisation acting on its behalf. Users will be able to use their European Digital Identity Wallet to receive, validate, and share their EAAs.
Electronic time stamps
The European Digital Identity Regulation does not change the provisions on electronic time stamps, which bind data or documents to a particular time and provide evidence that the data existed at that time. The provisions governing the trust services that create them (including at qualified level) and validate them are likewise unchanged.
Website authentication
Website authentication was already provided for by eIDAS Regulation 910/2014. Under the revised Regulation, a qualified website authentication certificate (QWAC) is issued to a natural or legal person and makes it possible to authenticate a website and to link it to the identity of the person to whom the certificate is issued. The Regulation requires web browsers to recognise QWACs and to display the identity data of the website owner in a user-friendly manner. Website authentication certificates can be either qualified or non-qualified, and their use by websites remains voluntary.
Electronic archiving
The European Digital Identity Regulation introduces the electronic archiving of electronic data and electronic documents as a trust service, which consists in ensuring the receipt, storage, retrieval, and deletion of that data and those documents. The service is qualified or non-qualified depending on whether it is provided by a qualified or a non-qualified trust service provider.
Signature/seal Creation devices
The European Digital Identity Regulation introduces a qualified trust service for the management of remote qualified electronic signature and seal creation devices on behalf of users. In Regulation (EU) 910/2014, the management of such remote qualified devices was not categorised as a distinct trust service.
Electronic ledgers
The European Digital Identity Regulation introduces the recording of electronic data in electronic ledgers as a trust service. Electronic ledgers are defined as services that offer a sequential chronological ordering of data records and guarantee the integrity and accuracy of both the records themselves and their chronological order. Two types of electronic ledger can be distinguished, centralised and distributed; the Regulation is neutral as to the type and the underlying technology. Electronic ledgers can be either qualified or non-qualified. The aim is for electronic ledgers, in conjunction with other technologies, to contribute to more efficient and transformative public services.
Electronic registered delivery service
The European Digital Identity Regulation maintains electronic registered delivery services as trust services. These services provide a secure channel for the transmission of documents, including evidence of sending and of receiving the data. Qualified services identify the sender with a high level of confidence and ensure the identification of the addressee before the data is delivered. They can be qualified or non-qualified, but only qualified electronic registered delivery services enjoy EU-wide recognition.
From a legal point of view, both qualified and non-qualified trust services benefit from a non-discrimination clause as evidence in courts. In other words, trust services cannot be discarded in legal proceedings only on grounds that they are in an electronic form or because they are not qualified.
However, because of the more stringent requirements applicable to qualified trust service providers, qualified trust services provide a stronger specific legal effect than non-qualified ones as well as a higher technical security: A qualified electronic signature shall have the equivalent legal effect of a handwritten signature. A qualified electronic seal shall enjoy the presumption of integrity of the data and of correctness of the origin of that data to which the qualified electronic seal is linked. A qualified electronic attestation of attributes and attestations of attributes issued by, or on behalf of, a public sector body responsible for an authentic source shall have the same legal effect as lawfully issued attestations in paper form. Qualified trust services therefore provide higher legal certainty and higher security of electronic transactions.
There is no change as regards to the legal effect granted to electronic signatures from the original eIDAS to the European Digital Identity Regulation. What will change is the availability and ease for everyone to create qualified electronic signatures. Once on-boarded to a European Digital Identity Wallet, all natural persons will have the ability to sign with a qualified electronic signature by default through a European Digital Identity Wallet free of charge, for non-professional purposes.
The eIDAS Regulation 910/2014 introduced the use of electronic seals by legal entities, and this provision remains unchanged under the amended Regulation. Like natural persons, legal entities will gain access to the functionality of electronically sealing documents by using their European Digital Identity Wallet. However, European Digital Identity Wallet providers and Member States are not obliged to offer such functionality for legal entities or for professional use cases free of charge.
The European Digital Identity Regulation maintains the principle of non-discrimination of electronic documents: they shall not be denied legal effect or admissibility on the sole ground that they are in electronic form. Furthermore, no distinction shall be made among electronic data, documents created in electronic form, and physical documents that have been digitised. Finally, building on electronic archiving as a trust service, the Regulation establishes a framework that facilitates the durability and legibility of electronic documents and the preservation of their integrity, confidentiality, and proof of origin throughout the preservation period.
As to legal effects, the provisions of eIDAS Regulation that stipulated that a qualified electronic signature or seal based on a qualified certificate issued in one Member State shall be recognised as a qualified electronic signature or seal respectively in all other Member States, has been retained in the European Digital Identity Regulation (EUDI).
Within 12 months from the date of entry into force of the EUDI Regulation, the Commission will, through implementing acts, establish a list of reference standards, specifications, and procedures, if necessary, for qualified certificates for electronic signatures. Consequently, qualified trust services providers, responsible for either issuing or validating qualified certificates for electronic signatures, will be required to adhere to these specified standards and procedures. Qualified certificates for electronic signatures issued prior to the date of entry into force of those implementing acts shall remain valid up to their expiry or revocation, whichever occurs first.
Within 12 months from the date of entry into force of the EUDI Regulation, the Commission will, through implementing acts, establish a list of reference standards, specifications, and procedures, if necessary, for qualified certificates for electronic seals. Consequently, qualified trust services providers, responsible for either issuing or validating certificates for qualified electronic seals will be required to adhere to these specified standards and procedures. Qualified certificates for electronic seals issued prior to the date of entry into force of those implementing acts shall remain valid up to their expiry or revocation, whichever occurs first.
Trust Service Providers
- If a trust service provider (TSP) wishes to provide a qualified trust service, it shall first request an assessment from an accredited conformity assessment body (CAB). The CAB must confirm that the candidate qualified trust service provider and the qualified trust service it intends to provide fulfil the requirements laid down in the European Digital Identity Regulation and in Article 21 of the NIS2 Directive (EU) 2022/2555. This process is commonly referred to as an "audit".
- Once the TSP has obtained the conformity assessment report, it submits a request to the supervisory body of the Member State in which it is established, together with the report confirming compliance. The supervisory body should verify the claimed compliance within three months. If verification will take longer, the supervisory body informs the TSP within three months of submission, explains the reasons for the delay and gives an updated timeline.
- Once the verification is concluded positively, the supervisory body grants qualified status and the national trusted list of qualified trust service providers is updated. Only once the responsible body has added the QTSP to the trusted list may it start offering its qualified trust service. The qualified trust service then benefits from EU-wide cross-border recognition.
Qualified trust services shall undergo a conformity assessment every 24 months. A conformity assessment body will audit the QTSP and the qualified trust service provided. If it still fulfils the requirements laid down in the European Digital Identity Regulation, a report will be issued to the QTSP. Upon receipt, the QTSP has three working days from the date of receipt to submit the report to the supervisory body. After positive verification by the supervisory body, the qualified status is maintained. However, the supervisory body reserves the right to request additional evidence or conduct further assessments anytime as needed.
Whenever a QTSP plans an audit, it must inform the supervisory body at least one month in advance. Additionally, the supervisory body is entitled to attend the audit with the conformity assessment body if the supervisory body so desires.
Between two regular audits, the supervisory body may at any time audit the QTSP itself, or request a conformity assessment body to perform a conformity assessment, to confirm that the QTSP and the qualified trust services it provides still fulfil the requirements for qualified status.
If a QTSP has already obtained a qualified status for the issuance of qualified certificates, before the regulation comes into force, it must submit a conformity assessment report to a supervisory body no later than two years after the regulation's entry into force.
If the QTSP fails to meet the requirements outlined in the European Digital Identity Regulation and does not rectify them within the specified timeframe after being informed, the qualified status may be withdrawn, and the national trusted list updated accordingly.
Since the moment the qualified status of the trust service provided by the TSP is indicated as withdrawn in the trusted list, the TSP is no longer authorised to provide that qualified trust service.
In the European Digital Identity regulation, a conformity assessment body (CAB) is defined as an entity competent for evaluating qualified trust service providers and the services they offer.
Initially, there was no obligation for National Accreditation Bodies (NABs) or Member States to inform the European Commission about accredited CABs under Article 3(18) of eIDAS.
However, thanks to the cooperative efforts of NABs and supervisory bodies, the Commission compiled a list of eIDAS-accredited CABs.
Under the eIDAS regulation 910/2014, CABs are listed under the country where the accrediting NAB is located, which might differ from the CAB's establishment country.
The European Digital Identity Regulation introduces a change as Member States will be required to promptly notify the Commission about accredited CABs, including their names, addresses, and accreditation details, along with any subsequent changes. This information will be shared with all Member States and remain accessible to the public.
Trusted Lists are essential in ensuring certainty and building trust among market operators. Trusted lists continually indicate the qualified status of a trust service provider and the trust service it offers. The list fosters the interoperability of qualified trust services by facilitating the validation of, among others, qualified electronic signatures and qualified electronic seals.
Under the European Digital Identity Regulation, national Trusted Lists continue to have a constitutive legal effect as it was already the case under the original eIDAS Regulation. In other words, a provider/service will be qualified only if it appears with a valid qualified status in the national Trusted List of the Member State in which it is established. Consequently, the users (citizens, businesses or public administrations) will benefit from the legal effect associated with a given qualified trust service only if the latter is listed (as qualified) in the relevant Trusted List.
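The constitutive effect described above has a direct consequence for anyone validating a signature or seal: the issuing CA must be found in the relevant Trusted List with a granted status at the time the signature was created, not merely today. The following Python example, added here and not taken from the Regulation or from any official tool, shows that lookup over a constructed, heavily abbreviated fragment in the layout of ETSI TS 119 612 (the format national Trusted Lists use). The element and status URIs follow that standard; the provider names, distinguished names and dates are invented for illustration, and a real list would normally identify the service by its X.509 certificate rather than only by subject name.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
TYPE_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"  # CA issuing qualified certificates
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

# Constructed sample: two providers, three services. Names and dates are fictitious.
# "Example Qualified CA 2" was granted in 2019 and withdrawn on 2024-06-01.
SAMPLE_TL = """<?xml version="1.0" encoding="UTF-8"?>
<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">
 <tsl:TrustServiceProviderList>
  <tsl:TrustServiceProvider>
   <tsl:TSPInformation><tsl:TSPName><tsl:Name xml:lang="en">Example QTSP A</tsl:Name></tsl:TSPName></tsl:TSPInformation>
   <tsl:TSPServices>
    <tsl:TSPService><tsl:ServiceInformation>
     <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
     <tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified CA 1</tsl:Name></tsl:ServiceName>
     <tsl:ServiceDigitalIdentity><tsl:DigitalId><tsl:X509SubjectName>CN=Example Qualified CA 1,O=Example QTSP A,C=XX</tsl:X509SubjectName></tsl:DigitalId></tsl:ServiceDigitalIdentity>
     <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</tsl:ServiceStatus>
     <tsl:StatusStartingTime>2020-01-01T00:00:00Z</tsl:StatusStartingTime>
    </tsl:ServiceInformation></tsl:TSPService>
    <tsl:TSPService><tsl:ServiceInformation>
     <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/PKC</tsl:ServiceTypeIdentifier>
     <tsl:ServiceName><tsl:Name xml:lang="en">Example Public CA</tsl:Name></tsl:ServiceName>
     <tsl:ServiceDigitalIdentity><tsl:DigitalId><tsl:X509SubjectName>CN=Example Public CA,O=Example QTSP A,C=XX</tsl:X509SubjectName></tsl:DigitalId></tsl:ServiceDigitalIdentity>
     <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</tsl:ServiceStatus>
     <tsl:StatusStartingTime>2020-01-01T00:00:00Z</tsl:StatusStartingTime>
    </tsl:ServiceInformation></tsl:TSPService>
   </tsl:TSPServices>
  </tsl:TrustServiceProvider>
  <tsl:TrustServiceProvider>
   <tsl:TSPInformation><tsl:TSPName><tsl:Name xml:lang="en">Example QTSP B</tsl:Name></tsl:TSPName></tsl:TSPInformation>
   <tsl:TSPServices>
    <tsl:TSPService>
     <tsl:ServiceInformation>
      <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
      <tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified CA 2</tsl:Name></tsl:ServiceName>
      <tsl:ServiceDigitalIdentity><tsl:DigitalId><tsl:X509SubjectName>CN=Example Qualified CA 2,O=Example QTSP B,C=XX</tsl:X509SubjectName></tsl:DigitalId></tsl:ServiceDigitalIdentity>
      <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</tsl:ServiceStatus>
      <tsl:StatusStartingTime>2024-06-01T00:00:00Z</tsl:StatusStartingTime>
     </tsl:ServiceInformation>
     <tsl:ServiceHistory><tsl:ServiceHistoryInstance>
      <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
      <tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified CA 2</tsl:Name></tsl:ServiceName>
      <tsl:ServiceDigitalIdentity><tsl:DigitalId><tsl:X509SubjectName>CN=Example Qualified CA 2,O=Example QTSP B,C=XX</tsl:X509SubjectName></tsl:DigitalId></tsl:ServiceDigitalIdentity>
      <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</tsl:ServiceStatus>
      <tsl:StatusStartingTime>2019-03-01T00:00:00Z</tsl:StatusStartingTime>
     </tsl:ServiceHistoryInstance></tsl:ServiceHistory>
    </tsl:TSPService>
   </tsl:TSPServices>
  </tsl:TrustServiceProvider>
 </tsl:TrustServiceProviderList>
</tsl:TrustServiceStatusList>"""


def _text(node, path):
    found = node.find(path, NS)
    return found.text.strip() if found is not None and found.text else ""


def _when(value):
    # TS 119 612 uses UTC timestamps with a trailing "Z"; make them timezone-aware.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def service_entries(tl_xml):
    """Yield (tsp_name, subject_dn, service_type, timeline) for every listed service.
    timeline is [(status_uri, start_time), ...], newest status first, built from the
    current ServiceInformation plus every ServiceHistoryInstance."""
    root = ET.fromstring(tl_xml)
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        tsp_name = _text(tsp, "tsl:TSPInformation/tsl:TSPName/tsl:Name")
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService", NS):
            info = svc.find("tsl:ServiceInformation", NS)
            subject = _text(info, "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509SubjectName")
            timeline = [(_text(info, "tsl:ServiceStatus"), _when(_text(info, "tsl:StatusStartingTime")))]
            for hist in svc.iterfind("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS):
                timeline.append((_text(hist, "tsl:ServiceStatus"), _when(_text(hist, "tsl:StatusStartingTime"))))
            timeline.sort(key=lambda entry: entry[1], reverse=True)
            yield tsp_name, subject, _text(info, "tsl:ServiceTypeIdentifier"), timeline


def status_at(tl_xml, issuer_dn, when):
    """Status URI of the qualified-certificate CA `issuer_dn` at time `when`,
    or None if it is not listed as a CA/QC service (or not yet listed at that time)."""
    for _tsp, subject, svc_type, timeline in service_entries(tl_xml):
        if subject != issuer_dn or svc_type != TYPE_CA_QC:
            continue
        for status, start in timeline:  # newest first: first entry at or before `when` wins
            if start <= when:
                return status
        return None
    return None


def is_qualified_issuer(tl_xml, issuer_dn, when):
    """True only if the CA had granted status in the list at `when`."""
    return status_at(tl_xml, issuer_dn, when) == STATUS_GRANTED


if __name__ == "__main__":
    ca2 = "CN=Example Qualified CA 2,O=Example QTSP B,C=XX"
    for year in (2023, 2025):
        t = datetime(year, 1, 1, tzinfo=timezone.utc)
        print(year, status_at(SAMPLE_TL, ca2, t), is_qualified_issuer(SAMPLE_TL, ca2, t))
```

Two practitioner notes. First, a signature from "Example Qualified CA 2" made in 2023 still validates as qualified, while one made in 2025 does not, even though the certificate itself is unchanged; this is what the withdrawal entry in the trusted list (L40 above) means in practice. Second, a CA that is listed only under a non-qualified service type, such as the CA/PKC entry here, is never a qualified issuer regardless of its status, which is why the lookup filters on the service type and not just on the subject name. A production validator would additionally verify the signature on the trusted list itself and match the CA by certificate rather than by a string comparison of distinguished names.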
Under the new European Digital Identity Regulation, there is no obligation for browser vendors to recognise, integrate or make use of the Trusted Lists in their products. The obligation for browsers is limited to displaying the certified identity data and the other attested attributes to the end user in a user-friendly manner in the browser environment, by technical means of their choice. The aim is to enhance the security and transparency of the Internet by making use of trust services.
No. It is a business decision of the trust service providers on whether to provide one, more than one or all trust services, including the provision of those in their qualified version.
Yes. When providing a qualified certificate or a qualified electronic attestation of attributes, a Qualified Trust Service Provider (QTSP) is required to verify the identity of the natural or legal person; the same applies when providing a qualified electronic registered delivery service. According to Article 24 of the European Digital Identity Regulation, when issuing a qualified certificate or a qualified electronic attestation of attributes, a QTSP must verify the identity and any relevant attributes of the person concerned, so that it has certainty as to their accuracy and correctness at the time of issuance. Verification can be carried out by various methods, including the European Digital Identity Wallet, qualified electronic signatures or seals, or other methods offering an equivalent high level of assurance. The physical presence of the natural person, or of an authorised representative of the legal person, can also serve as a means of verification.
No. Under the internal market principle (Article 4) and Article 24a of the European Digital Identity Regulation, a qualified trust service provided in one Member State shall be recognised as a qualified trust service in all other Member States.
The European Digital Identity Regulation makes the mutual recognition of trust services with third countries more straightforward: in addition to international agreements concluded under Article 218 TFEU, the Commission may adopt implementing acts establishing the conditions under which the trust frameworks of third countries may be considered equivalent to the Union framework for qualified trust services.
What can/must be done at national level?
The European Digital Identity Regulation sets out a new comprehensive governance framework for electronic identification and trust services, designed to facilitate the implementation and supervision of both the European Digital Identity Wallets and trust services. The framework notably includes a new cooperation and coordination body, the European Digital Identity Cooperation Group. This body is mandated with a wide range of tasks, e.g. to exchange advice and cooperate with the Commission on emerging policy initiatives, to organise peer reviews of notified electronic identification means other than the European Digital Identity Wallet, to discuss requests for mutual assistance, and to exchange views, best practices and other information between all parties. The new set-up will improve the consistency and effectiveness of the current governance system and replace the current fragmented structure.
Yes, Member States can establish other trust services. However, if these services do not adhere to the legal framework outlined by the amended eIDAS Regulation, notably for qualified trust services, they will lack legal effect across borders.
As a general principle, electronic signatures and electronic seals shall not be denied legal effect and admissibility as evidence in legal proceedings, including by public administrations, solely on the grounds that they are in electronic form or that they do not meet the requirements for qualified electronic signatures or seals. Electronic signatures and seals benefit from this principle irrespective of their technical format. The EUDI Regulation retains the obligation for online services offered by, or on behalf of, a public sector body to recognise at least those technical formats or methods listed in an implementing act adopted pursuant to Articles 27 and 37.
No, it is forbidden for national laws to regulate on the validity period of qualified certificates as this is harmonised by the European Digital Identity Regulation.
No, it is forbidden for national laws to regulate on that matter as this is harmonised by the European Digital Identity Regulation. The European Digital Identity Regulation establishes that the validity of such a certification shall not exceed five years provided that vulnerability assessments are carried out every two years. The Commission will be in charge of issuing guidelines on the certification and recertification of qualified electronic signature creation devices and qualified electronic seal creation devices, including their validity and time limitations. This will ensure consistency in certification practices across the Union.
The European Digital Identity Regulation stipulates that Member States must define penalties for infringements, including for the misuse of the EU trust mark for qualified trust services by non-qualified trust service providers. To ensure effective enforcement while guaranteeing that penalties are effective, proportionate and dissuasive, the Regulation provides for guidelines on administrative fines for both qualified and non-qualified trust service providers. It also sets thresholds for the maximum administrative fines that may be imposed on trust service providers found in breach of the rules, including where the provider is a natural person.
Actions taken by the EU institutions and member states
After the entry into force of the European Digital Identity Regulation, the Commission will issue a series of implementing acts aimed at harmonising the implementation of the regulation requirements. Additionally, the Commission will foster close and structured cooperation with various stakeholders, including Member States, civil society, and the private sector. This collaboration will be facilitated through expert groups, targeted stakeholder consultations, and public consultations.
The European Digital Identity Regulation is directly applicable in all 27 EU Member States. Among others, Members States shall ensure to:
- Designate one or more supervisory bodies and notify the Commission of their names and addresses.
- Designate conformity assessment bodies for the certification of European Digital Identity Wallets and notify the Commission of their names, addresses, and accreditation details.
- Collaborate with the Commission to designate representatives in the Cooperation Group for cross-border cooperation.
- Implement effective, proportionate, and dissuasive penalties for infringements.
- Ensure that qualified trust service providers of electronic attestations of attributes can electronically verify key attributes at the user's request. These attributes include, at a minimum, those listed in Annex VI of the European Digital Identity Regulation, wherever they rely on authentic sources within the public sector.
- Consider incorporating qualified certificates for website authentication on governmental websites.
- Continue to publish and maintain a national Trusted List in line with Article 22.
- Ensure that public sector bodies recognise formats of advanced electronic signatures and electronic seals in accordance with Articles 27 and 37.
The Regulation does not apply to the EU institutions, which are governed by their own rules of procedure. In this field the European Commission is currently governed by Commission Decision 2021/2121, which lays down the Commission's own provisions on electronic and digitised documents.