Requirements to find a trustworthy Trust Service Provider
There are plenty of high-tech providers when it comes to electronic signatures and identity services. Most of them offer intuitive and compliant solutions. And all of them will tell you they are Trust Service Provider (TSP). But how can you tell? By checking the following requirements you will be able to determine the company’s (and its solution’s) reliability.
1. electronic IDentification, Authentication and trust Services regulation (eIDAS)
The eIDAS Regulation (no 910/2014) stands for electronic IDentification, Authentication and trust Services. It ensures that electronic signatures and other trust services (including time stamping, electronic seal, electronic delivery,…) are legally valid across European borders and have the same legal status as traditional paper based processes.
When you choose a provider you must ensure the solution was developed in accordance with all the technical standards and requirements of the eIDAS regulation.
N.B. eIDAS does not regulate when a signature is actually required for a transaction or what type of signature is necessary. Make sure to discuss this with your provider.
2. EU General Data Protection Regulation (GDPR)
Another regulation to take into account is the GDPR (EU 2016/679).
On the 25th of May 2018 this European regulation to protect and empower all EU citizens’ data privacy will be enforced in all European member states. Everyone has been preparing themselves for this regulation in the last months or will be doing this in the coming months.
Ask your provider how they will apply the GDPR in their business and how it will be embedded in the systems they offer. This will give you a hint about their trustworthiness and, more importantly, ensure that you will be complying with GDPR should you choose their solution.
3. ETSI Standards for a Trust Service Provider
The European Telecommunication Standardisation Institute (ETSI) has set up a comprehensive list of standards and practices for a Trust Service Provider (TSP’s). These contain both organisational and technical requirements. By living up to these standards, TSP’s prove to have taken appropriate measures to manage the risks posed to the security of the trust services they provide.
Ideally, the provider you choose has successfully passed the ETSI Plug Tests, which demonstrates the conformity of its electronic signatures with these standards.
4. ISO 2700x
And finally there is ISO 2700X. This ISO series is a token for you to be assured the Trust Service Provider (TSP) of your choice is constantly safeguarding the security of its information applications. It comprises individual standards: 27001 to 27006, all of which have a specific information security application.
To qualify for these standards the company needs to set up an Information Security Management System (ISMS). This is a set of policies designed and implemented to manage the risk to its information system. Once established it is a continuous process to remain up to standard.
Extra tip: talk to other customers
Reliability is a major factor for the outcome of the project but during intensive IT projects like these, collaboration and service level of the provider is equally important. Therefore we advise you not just to check the before mentioned standards, but also the provider’s references.
Before choosing your partner for electronic signatures and identity services, check their portfolio or ask for references and give one of their customers a call. They can tell you what it is really like to work with the provider and their solution. More importantly you can ask them how their customers experience the usability of the new digital service. In the end that’s what it is all about!
Author: Filip Verreth