Becoming a qualified trust service provider

At a glance

  • To become a qualified trust service provider you need to demonstrate to a ‘conformity assessment body’ that you meet the relevant requirements for qualified trust service providers and the trust services you wish to provide, and submit a conformity assessment report to the ICO for verification.

  • If you make significant changes to your qualified trust service, or intend to stop the service, you must tell the ICO.

  • The ICO has additional requirements and guidance for prospective UK eIDAS qualified trust service providers to consider.

In brief

How do we become a qualified trust service provider?

In summary, you need to apply to a conformity assessment body who will assess your compliance against the requirements for qualified trust service providers and qualified trust services. The conformity assessment body will produce a conformity assessment report describing if and how the requirements have been met. You then submit this report to the ICO for verification. The ICO will analyse the report to ensure all requirements have been met and will grant you qualified status if appropriate.

The conformity assessment body must be accredited by UKAS for undertaking conformity assessments against UK eIDAS.

The following organisations are currently accredited.

BSI Assurance UK Ltd
Kitemark Court
Davy Avenue
Knowlhill
Milton Keynes
MK5 8PP

Email:[email protected]

When a conformity assessment body is accredited in both the UK and the EU, a single conformity assessment may, subject to approval by the relevant EU supervisory body, be used as the basis for two reports: one issued against UK eIDAS for UK use, and a separate one issued against the EU eIDAS Regulation for EU use.

If you gain qualified status, you will be added to the UK’s trusted list, together with information on your approved services.

To maintain qualified status you will need to undergo the conformity assessment process at least every two years, at your own expense.

If you are considering becoming a qualified trust service provider, you can contact the ICO at [email protected] for further information and guidance.

What is the trusted list?

The trusted list is a published list of all qualified trust service providers and qualified trust services granted qualified status in the UK by the ICO.

What if we need to change a qualified trust service?

If you make changes to your qualified trust service you should contact the ICO to determine whether your qualified status is still valid and whether or not you should undergo a new conformity assessment.

What happens if we stop providing a qualified trust service?

If you decide to stop providing a qualified trust service or acting as a qualified trust service provider, you need to notify the ICO of your intention. When stopping a qualified trust service or ceasing being a qualified trust service provider you are required to use your termination plan. After you have implemented your termination plan you need to provide to the ICO a description of how you have implemented the provisions in your termination plan.

You can contact the ICO at [email protected] for further information and guidance on this process.

Additional ICO requirements and guidance

The requirements and guidance listed here are for use by prospective UK qualified trust service providers and their conformity assessment bodies in meeting the requirements of UK eIDAS for qualified services operating in the UK.

The ICO strongly advises all prospective qualified trust service providers to discuss their services with the ICO before they submit their notification. This will allow the ICO to describe the notification process in more detail and understand the prospective qualified trust service provider’s UK services. It will also allow any questions or issues to be addressed.

  1. UK qualified trust service providers

    (a) UK qualified trust services may only be operated under supervision of the ICO. It is not possible for a trust service to be supervised by an alternative supervisory body or by more than one supervisory body. This means, for example, that qualified trust services offered by trust service providers (TSPs) established in the UK cannot also be supervised by an EU member state supervisory body operating under the EU eIDAS Regulation.

    (b) An existing EU qualified trust service provider wishing to operate in the UK may provide the same or different service types as those offered in the EU. UK services of the same type must, however, be legally separate from the EU services. For example, an EU qualified trust service provider issuing EU qualified certificates may also provide the same type of service in the UK, i.e. issuing UK qualified certificates from the UK service approved by the ICO.

    (c) Notifying trust service providers must be established in the UK. For example, a limited company would need to have a UK establishment and be registered or incorporated within the UK. A limited partnership or a limited liability partnership would need to be registered at Companies House and an unincorporated business would need to demonstrate that it has a permanent place in the UK where it carries out its business activities.
  2. Conformity assessment

    (a) Conformity assessment bodies approved to undertake conformity assessments against UK eIDAS must be accredited by UKAS, the UK national accreditation body.

    (b) Trust service provider notifications for UK qualified trust services shall only be accepted with a full conformity assessment report. Surveillance audits, or surveillance audits supported by additional supporting information such as service changes notices are not a sufficient basis for notification and assessment. This applies to existing qualified trust service providers who currently provide trust services in other jurisdictions e.g., in the EU, who have an established audit regime with an approved conformity assessment body, and who wish to provide similar services in the UK under UK eIDAS.

    (c) Conformity assessment reports for qualified trust service providers wishing to operate in the UK must be specifically produced against UK eIDAS and for the trust service provider's UK-established legal entity. The subject of a conformity assessment report must be a UK legal entity owning the trust service(s). This means a conformity assessment report produced for a non-UK qualified trust service provider, e.g. an EU qualified trust service provider, cannot be accepted directly by the ICO as part of the required notification process documentation.

    (d) Conformity assessment reports produced by an EU accredited conformity assessment body may be used by a UK accredited conformity assessment body as part of its assessment for UK based services. This would require the UK conformity assessment body to have an outsourcing agreement with the EU conformity assessment body (See ISO 17065, 6.2.2), satisfy itself that the EU produced conformity assessment report was fit for purpose, and carry out any additional auditing to meet the UK requirements.

    (e) Where a conformity assessment body is accredited in the UK for performing UK eIDAS assessments and is also accredited in the EU for EU eIDAS assessments, the ICO will accept a conformity assessment report issued against UK eIDAS which is based on the results of a single conformity assessment undertaken by the conformity assessment body which covers both jurisdictions. It is expected this would also require approval of the relevant EU supervisory body should a trust service provider and conformity assessment body wish to pursue this approach.

    (f) Conformity assessment reports for UK qualified trust service providers must contain the information specified by the ICO in its qualified trust service provider notification form.
  3. Qualified services

    (a) UK services must be identified as such in trust service provider documentation e.g. certificate policy and certification practice statement documents for qualified certificate services.

    (b) Where a qualified trust service provider operates services in the UK and the EU, it is not necessary for separate service documents to exist, e.g. a separate certificate policy for the UK services and one for the EU services. All documentation, however, should clearly distinguish UK services from EU services. It is not possible to use an existing EU-based certificate policy directly for a UK service without modifying it to make the policy applicable to both EU and UK services.

    (c) Qualified trust service provider users (subscribers, relying parties) shall contract with the qualified trust service provider's UK legal entity for the provision of the services. Any associated documentation, e.g. subscriber or relying party agreement, should also support this.

    (d) It should be clear to service users that trust service issued certificates e.g. qualified certificates for electronic signatures, and trust service outputs e.g. qualified electronic signatures, are issued or created in compliance with UK eIDAS. These are legally distinct from those issued or created under the EU eIDAS Regulation.

    (e) ICO qualified services operating in accordance with UK eIDAS are not recognised within the EU. This means UK qualified trust service outputs, e.g. qualified electronic signatures and seals, do not carry qualified status under the EU eIDAS Regulation and are not recognised as qualified in the EU. The UK, however, recognises qualified trust services operating under the EU eIDAS Regulation, and thus EU qualified trust service outputs are recognised as legally equivalent, e.g. a qualified electronic signature associated with an EU qualified certificate has the same legal recognition as a qualified electronic signature associated with a UK qualified certificate.

    (f) UK qualified trust services must use different trusted list service digital identities if the same service types are also provided under the EU eIDAS Regulation or another regime.

    (g) UK qualified certificate-based services should use different certificate policy object identifiers (OIDs) if the equivalent services are also provided under the EU eIDAS Regulation or other regime.

    (h) Qualified trust service provider termination plans must align with the ENISA guidelines. See Guidelines on Termination of Qualified Trust Services — ENISA (europa.eu).

    (i) A qualified trust service provider may provide services in the UK and the EU using shared service components and practices, provided the UK eIDAS requirements are met for UK provided services and any risks introduced to services through the use of such sharing are identified and addressed as part of the qualified trust service provider’s risk management process. Prospective UK qualified trust service providers who currently provide equivalent services under the EU eIDAS Regulation or other regime, or intend to do so, are advised to check with the relevant body in other jurisdictions regarding the use of shared service components and practices.

    (j) Qualified signature creation devices (QSCDs) certified in accordance with the EU eIDAS Regulation are acceptable for use in the UK.

    (k) Where remote identity proofing is used, the ICO shall review and approve the mechanisms used before their first use in qualified services.
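Added example, not part of the ICO's guidance: point 3(g) relies on relying parties being able to tell a UK-regime certificate from an EU-regime one by the certificate policy OIDs it asserts. The pure-Python DER walker below shows how those OIDs are read from a certificate's certificatePolicies extension value without any external library. The two policy OIDs used, 2.999.1 and 2.999.2, are placeholders under the ASN.1 example arc reserved for documentation (the page gives no real OIDs; providers publish their own in their certificate policy), and the extension value it parses is constructed inline.

```python
"""Read certificate policy OIDs from a DER-encoded certificatePolicies extension.

Added example (not ICO or provider code): a relying party wanting to confirm
that a certificate asserts the UK-regime policy OID rather than the EU-regime
one needs exactly this: walk the DER of the certificatePolicies extension and
decode each policyIdentifier. Qualifiers (CPS URIs, user notices) are skipped.
"""
from typing import Dict, List, Tuple


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one DER TLV starting at `pos`; return (tag, contents, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(contents: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents octets to dotted form (X.690 8.19)."""
    arcs: List[int] = []
    acc = 0
    for b in contents:
        acc = (acc << 7) | (b & 0x7F)  # base-128, high bit set on continuation octets
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    # The first two arcs are packed as 40*arc1 + arc2; arc1 is 2 when the value >= 80.
    if first < 40:
        head = [0, first]
    elif first < 80:
        head = [1, first - 40]
    else:
        head = [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def certificate_policy_oids(ext_value: bytes) -> List[str]:
    """Return every policyIdentifier in a certificatePolicies extension value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                       policyQualifiers SEQUENCE OF ... OPTIONAL }
    """
    tag, seq, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("certificatePolicies must be a SEQUENCE")
    oids: List[str] = []
    pos = 0
    while pos < len(seq):
        tag, info, pos = read_tlv(seq, pos)
        if tag != 0x30:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_octets, _ = read_tlv(info, 0)  # policyIdentifier is the first element
        if tag != 0x06:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_octets))  # anything after it (qualifiers) is ignored
    return oids


# Placeholder policy OIDs under the 2.999 example arc; a real provider assigns its own.
UK_POLICY_OID = "2.999.1"  # assumed stand-in for a UK eIDAS certificate policy
EU_POLICY_OID = "2.999.2"  # assumed stand-in for the equivalent EU eIDAS policy


def regimes_asserted(ext_value: bytes) -> Dict[str, object]:
    """Report which regime's policy OID(s) the certificate asserts."""
    oids = certificate_policy_oids(ext_value)
    return {"uk": UK_POLICY_OID in oids, "eu": EU_POLICY_OID in oids, "oids": oids}


def _tlv(tag: int, body: bytes) -> bytes:
    """Short-form DER TLV encoder used only to build the constructed sample."""
    if len(body) >= 128:
        raise ValueError("sample builder only handles short-form lengths")
    return bytes([tag, len(body)]) + body


# Constructed sample extension value: 2.999 -> 40*2 + 999 = 1079 -> 0x88 0x37.
# The first PolicyInformation carries a CPS-URI qualifier (id-qt-cps, 1.3.6.1.5.5.7.2.1)
# to show that qualifiers are skipped; the second has none.
SAMPLE_EXTENSION = _tlv(
    0x30,
    _tlv(0x30,
         _tlv(0x06, bytes([0x88, 0x37, 0x01]))
         + _tlv(0x30, _tlv(0x30,
                           _tlv(0x06, bytes([0x2B, 0x06, 0x01, 0x05, 0x05, 0x07, 0x02, 0x01]))
                           + _tlv(0x16, b"http://cps.example/uk"))))
    + _tlv(0x30, _tlv(0x06, bytes([0x88, 0x37, 0x02]))),
)

if __name__ == "__main__":
    print(regimes_asserted(SAMPLE_EXTENSION))
```

A certificate that asserts both placeholder OIDs, as the sample does, is exactly the ambiguity 3(g) is meant to avoid: a relying party should expect a UK qualified certificate to carry a UK-specific policy OID and be able to make its acceptance decision on that value alone.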