New obligations for unqualified trust service providers (TSPs)
The European Commission has published an implementing regulation, which first introduces mandatory circumstantial safety requirements for ineligible TSPs.
This is simply a large change for the full marketplace for trust services.
Regulation refers to key chapters of the standard ETSI EN 319 401 V3.1.1which include, inter alia:
- risk management
- Security policies and practices
- clearly defined roles and responsibilities (including "trusted roles")
- access control
- classification of resources
- physical and environmental safeguards
What does this mean in practice?
Ineligible trust service providers, i.e. companies that supply trust services (e.g. electronic signature, electronic seal, time stamps, signature validation services), but do not have the position of qualified supplier given by the national supervisory authority:
- must implement the requirements of ETSI EN 319 401
- check compliance with your service policy
- and prepare and implement fresh processes, procedures and policies
This is another step towards raising safety standards throughout the infrastructure of trust services.
As an Observatory.biz we aid players in the marketplace for trust and eID services to adapt to these requirements. If you are in a group of companies afraid – delight compose to us: https://observatorium.biz/contact/
Date of publication: 02.12.2025
