TimestampCompare
eidas · 8 min read

Qualified Trust Service Providers: eIDAS Requirements and Audit Process

Becoming a QTSP under eIDAS requires rigorous audits, technical standards, and ongoing compliance. This guide breaks down every step.

What is a QTSP?

A Qualified Trust Service Provider (QTSP) is a trust service provider that has been granted qualified status by its national supervisory body, on the basis of an independent conformity assessment, for one or more trust services under the eIDAS Regulation (EU) No 910/2014: for example qualified certificates, qualified electronic time stamps, or qualified signature validation. QTSPs must meet technical, organisational, and security requirements that go well beyond what is demanded of non-qualified providers. In return, their qualified services are recognised in every EU member state and carry specific legal presumptions; a qualified electronic time stamp, for instance, enjoys a presumption of the accuracy of the date and time it indicates and of the integrity of the data bound to that time.

The audit and certification process

To become a QTSP, a provider must undergo a conformity assessment by an accredited conformity assessment body (CAB). This assessment evaluates the provider's policies and practice statements, physical security, key management, personnel vetting, disaster recovery, and operational procedures against the applicable ETSI standards. The CAB issues a conformity assessment report, which the provider submits to the national supervisory body together with its notification of intent to provide the qualified service. The supervisory body verifies that the provider and the service meet the eIDAS requirements; if it grants qualified status, the provider and its qualified services are added to the member state's trusted list, and only from that point may the provider offer the service as qualified. Relying parties (and eIDAS-aware validation software) check qualified status against these trusted lists, which are aggregated in the EU List of Trusted Lists.

Technical standards

QTSPs issuing qualified time stamps must comply with ETSI EN 319 421 (policy and security requirements for TSPs issuing time-stamps, which builds on the general requirements of EN 319 401) and ETSI EN 319 422 (time-stamping protocol and time-stamp token profiles, a profile of the RFC 3161 protocol). In practice that means three things. Each time-stamping unit (TSU) keeps its clock synchronised to UTC within the accuracy the TSA declares in its policy (one second under the baseline policy in EN 319 421), monitors for drift, and must not issue tokens while the clock is outside that tolerance. Each token is a CMS-signed structure that binds the hash of the client's data to the time and a unique serial number, so the TSA never sees the data itself and a verifier can recompute the hash locally. And the TSU signing keys are generated and used only inside a cryptographic module certified to at least Common Criteria EAL 4+ (against a recognised protection profile) or FIPS 140-2 Level 3.
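To make the protocol side concrete, here is an added example (not code from TimestampCompare, ETSI, or any QTSP) that hand-encodes an RFC 3161 TimeStampReq in DER using only the Python standard library, parses it back, and applies the checks a client or a TSA front-end would run before relying on a request: a SHA-2 digest algorithm, a hashedMessage whose length matches that algorithm, and the presence of a nonce. The sample document is constructed, and treating a missing nonce as a problem is this example's own policy rather than a rule quoted from EN 319 422.

```python
"""RFC 3161 TimeStampReq, hand-encoded in DER: build, parse, profile-check.
Added example for this article, not code from TimestampCompare or ETSI.
Standard library only; the sample document is constructed."""
import hashlib
import secrets

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _int(n: int) -> bytes:  # non-negative INTEGER; leading 0x00 when the high bit is set
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:  # base-128, high bit set on all but the last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

# DER digest OID -> (hashlib name, digest length). SHA-1 is listed only so it can be rejected.
HASH_OIDS = {
    _oid("2.16.840.1.101.3.4.2.1"): ("sha256", 32),
    _oid("2.16.840.1.101.3.4.2.2"): ("sha384", 48),
    _oid("2.16.840.1.101.3.4.2.3"): ("sha512", 64),
    _oid("1.3.14.3.2.26"): ("sha1", 20),
}
ACCEPTABLE = {"sha256", "sha384", "sha512"}  # SHA-2 family (ETSI TS 119 312, referenced by EN 319 422)

def build_tsq(data: bytes, algo: str = "sha256", nonce=None, cert_req: bool = True) -> bytes:
    """TimeStampReq ::= SEQUENCE { version, messageImprint, nonce OPTIONAL, certReq DEFAULT FALSE }.
    Only the digest is sent; the TSA never sees `data`."""
    oid = next(o for o, (name, _) in HASH_OIDS.items() if name == algo)
    alg_id = _tlv(0x30, oid + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    imprint = _tlv(0x30, alg_id + _tlv(0x04, hashlib.new(algo, data).digest()))
    body = _int(1) + imprint
    if nonce is not None:
        body += _int(nonce)
    if cert_req:
        body += _tlv(0x01, b"\xff")  # BOOLEAN TRUE; the FALSE default is omitted in DER
    return _tlv(0x30, body)

def _read_tlv(buf: bytes, pos: int):
    tag, first = buf[pos], buf[pos + 1]
    pos, length = pos + 2, first
    if first & 0x80:  # long-form length
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def parse_tsq(tsq: bytes) -> dict:
    tag, body, _ = _read_tlv(tsq, 0)
    if tag != 0x30:
        raise ValueError("TimeStampReq must be a SEQUENCE")
    _, ver, pos = _read_tlv(body, 0)
    _, imprint, pos = _read_tlv(body, pos)
    _, alg_id, p = _read_tlv(imprint, 0)
    _, oid_body, _ = _read_tlv(alg_id, 0)
    _, digest, _ = _read_tlv(imprint, p)
    req = {"version": int.from_bytes(ver, "big"), "hash_oid": _tlv(0x06, oid_body),
           "digest": digest, "nonce": None, "cert_req": False}
    while pos < len(body):  # optional trailing fields, identified by tag
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x02:
            req["nonce"] = int.from_bytes(val, "big", signed=True)
        elif tag == 0x01:
            req["cert_req"] = val == b"\xff"
    return req

def check_profile(req: dict) -> list:
    """Checks a client or TSA front-end applies before relying on a request; [] means acceptable."""
    problems = []
    if req["version"] != 1:
        problems.append("version must be v1")
    name, dlen = HASH_OIDS.get(req["hash_oid"], (None, None))
    if name is None:
        problems.append("unknown hash algorithm OID " + req["hash_oid"].hex())
    elif name not in ACCEPTABLE:
        problems.append(name + " is not an acceptable hash algorithm")
    elif len(req["digest"]) != dlen:
        problems.append("hashedMessage length does not match the algorithm")
    if req["nonce"] is None:  # this example's own policy (assumption), not a quoted EN 319 422 rule
        problems.append("nonce absent: the reply cannot be bound to this request")
    return problems

def imprint_matches(req: dict, data: bytes) -> bool:
    name = HASH_OIDS.get(req["hash_oid"], (None, None))[0]  # same comparison as against TSTInfo in a reply
    return name is not None and hashlib.new(name, data).digest() == req["digest"]

if __name__ == "__main__":
    tsq = build_tsq(b"constructed sample document", nonce=secrets.randbits(64))
    print(tsq.hex(), check_profile(parse_tsq(tsq)))  # problems list is [] for this request
```

The request is what `openssl ts -query` would produce for the same inputs, so the hex output can be cross-checked with `openssl ts -query -in req.tsq -text` if OpenSSL is available. The nonce is the client's only defence against a replayed reply: a TSA must echo it in the TSTInfo, and a verifier that skips comparing it has no proof the token answers this request.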

Ongoing obligations

Qualification is not a one-time achievement. QTSPs must be audited by a CAB at least every 24 months (eIDAS Article 20) and submit each conformity assessment report to the supervisory body, which may also order an audit at any time at the provider's expense. They must keep detailed, tamper-evident event logs of key and clock management and of every issued token for the period required by their policy, notify the supervisory body of any security breach or loss of integrity with a significant impact without undue delay and in any event within 24 hours of becoming aware of it (Article 19), and keep their infrastructure current with evolving standards and algorithm guidance. Failure to comply can lead the supervisory body to withdraw qualified status for the service or the provider, a change that is published in the trusted list and therefore immediately visible to relying parties.