Trust Service Provider: Qualified Trust Service Provider (QTSP)

Last updated: 2/9/2026
Reading time: 5 min

Full Name: Qualified Trust Service Provider (QTSP)

Definition

A Trust Service Provider (TSP) is an organization that provides electronic trust services, which are services that create, verify, or validate electronic signatures, seals, timestamps, certificates, and other trust-related functions that enable secure and legally recognized electronic transactions. A Qualified Trust Service Provider (QTSP) is a TSP that has achieved qualified status under the eIDAS Regulation by undergoing rigorous certification by a national supervisory body, demonstrating compliance with stringent security, operational, and governance requirements, and being listed on the EU Trusted Lists. Under eIDAS 2.0, QTSPs gain an expanded role in the EUDI Wallet ecosystem: they can now issue Qualified Electronic Attestations of Attributes (QEAAs), which are verifiable credentials with the highest legal trust level, carrying a presumption of accuracy and cross-border legal recognition across all 27 EU member states. This positions QTSPs as critical infrastructure providers for the European digital identity ecosystem, bridging the gap between the traditional PKI-based trust services market and the new verifiable credentials ecosystem.

QTSP Certification and Supervision Under eIDAS

Becoming a Qualified Trust Service Provider requires meeting a complete set of requirements defined by the eIDAS Regulation and its implementing acts. The certification process begins with a conformity assessment performed by an accredited Conformity Assessment Body (CAB), which evaluates the organization's security policies, operational procedures, technical infrastructure, personnel qualifications, financial stability, and business continuity arrangements. The assessment verifies that the organization meets the specific requirements for each trust service it intends to offer as qualified.

Once the conformity assessment is successfully completed, the national supervisory body reviews the assessment report and, if satisfied, grants qualified status and adds the QTSP to the national Trusted List. The qualification is not permanent: QTSPs must undergo regular conformity assessments (at least every 24 months) to maintain their qualified status. The supervisory body also has the power to conduct ad-hoc audits, request information, and revoke qualified status if a QTSP fails to maintain compliance. This ongoing supervision ensures that the trust placed in QTSPs remains justified throughout their operational lifetime.

The liability framework for QTSPs provides additional assurance. Under eIDAS, QTSPs are liable for damages caused to any natural or legal person due to failure to comply with the Regulation's requirements, unless the QTSP can prove that the damage was not caused intentionally or through negligence. QTSPs must maintain adequate financial resources or insurance to cover their liability, ensuring that citizens and organizations that rely on QTSP-issued credentials have recourse if something goes wrong. This liability framework is a key trust anchor that distinguishes qualified services from non-qualified alternatives.

QTSPs as EUDI Wallet Credential Issuers

The eIDAS 2.0 Regulation significantly expands the role of QTSPs by enabling them to issue Qualified Electronic Attestations of Attributes (QEAAs) for EUDI Wallets. While government authorities issue the Person Identification Data (PID) that forms the foundation of the EUDI Wallet identity, QTSPs can issue a broad range of qualified attestations covering professional qualifications, educational credentials, organizational memberships, health insurance status, and other attributes that citizens need in their daily digital interactions.

To issue QEAAs, a QTSP must verify the accuracy of the attributes being attested, either by checking against authoritative sources (such as professional registries, educational institution databases, or government records) or by relying on primary documents verified through a defined process. The QTSP then signs the attestation using its qualified certificate, creating a credential that can be stored in the holder's EUDI Wallet and presented to any verifier. The verifier can validate the credential by checking the QTSP's signature against the EU Trusted Lists, establishing the trust chain without needing to contact the original attribute source.
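The Trusted List lookup a verifier performs, as an added example that is not code from this page or from any wallet implementation. It assumes the ETSI TS 119 612 element names and status URIs, uses a constructed list fragment with placeholder bytes standing in for certificates, and assumes the list's own signature has already been verified.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

# Constructed stand-ins for DER-encoded certificates (not real X.509 data).
CERT_ACTIVE = b"constructed-der-issuer-active"
CERT_WITHDRAWN = b"constructed-der-issuer-withdrawn"

def service_xml(name, cert, status):
    b64 = base64.b64encode(cert).decode()
    return ("<TSPService><ServiceInformation>"
            f"<ServiceName><Name>{name}</Name></ServiceName>"
            f"<ServiceDigitalIdentity><DigitalId><X509Certificate>{b64}"
            "</X509Certificate></DigitalId></ServiceDigitalIdentity>"
            f"<ServiceStatus>{status}</ServiceStatus>"
            "</ServiceInformation></TSPService>")

# Constructed Trusted List fragment, trimmed to the elements the lookup reads.
SAMPLE_TL = (
    "<TrustServiceStatusList xmlns='http://uri.etsi.org/02231/v2#'>"
    "<TrustServiceProviderList><TrustServiceProvider>"
    "<TSPInformation><TSPName><Name>Example QTSP</Name></TSPName>"
    "</TSPInformation><TSPServices>"
    + service_xml("Attestation issuing service", CERT_ACTIVE, GRANTED)
    + service_xml("Retired issuing service", CERT_WITHDRAWN, WITHDRAWN)
    + "</TSPServices></TrustServiceProvider></TrustServiceProviderList>"
    "</TrustServiceStatusList>"
)

def trusted_list_entry(tl_xml, cert_der):
    """Return (provider, service, status URI) for cert_der, or None if unlisted."""
    # Assumes the list's own XML signature was verified before parsing.
    root = ET.fromstring(tl_xml)
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        provider = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for info in tsp.iterfind(".//tsl:ServiceInformation", NS):
            for cert in info.iterfind(".//tsl:X509Certificate", NS):
                if base64.b64decode(cert.text) == cert_der:
                    name = info.findtext("tsl:ServiceName/tsl:Name", namespaces=NS)
                    return provider, name, info.findtext("tsl:ServiceStatus", namespaces=NS)
    return None

def issuer_is_qualified(tl_xml, cert_der):
    # Being listed is not enough: a withdrawn service must not anchor trust.
    entry = trusted_list_entry(tl_xml, cert_der)
    return entry is not None and entry[2] == GRANTED
```

In a full validation the credential's signing certificate may chain to the listed certificate rather than match it directly, so path building precedes this lookup.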

The business model for QTSPs in the EUDI Wallet ecosystem is evolving. Traditional QTSP revenue comes from selling electronic signature certificates and timestamp services. The EUDI Wallet creates new revenue streams: issuance fees for QEAAs (paid by the attribute source or the credential holder), credential management fees for lifecycle operations (renewal, revocation, updates), and value-added services such as credential verification APIs for relying parties. Several major European TSPs, including companies like InfoCert, DocuSign (via its European entities), and Swisscom Trust Services, are developing EUDI Wallet credential issuance platforms to capture this new market.

QTSP Technical Infrastructure for EUDI Wallet Integration

QTSPs integrating with the EUDI Wallet ecosystem must implement specific technical capabilities beyond their traditional trust service infrastructure. For credential issuance, they must support the OpenID4VCI protocol, which defines how wallets discover, authorize, and receive verifiable credentials from issuers. This requires implementing credential offer endpoints, authorization servers, credential issuance endpoints, and deferred issuance capabilities for credentials that require background verification before issuance.

QTSPs must also support the credential formats mandated by the EUDI Wallet Architecture Reference Framework: SD-JWT (Selective Disclosure JSON Web Token) for the W3C Verifiable Credentials profile and ISO 18013-5 mDoc for the ISO credential profile. Each format has different requirements for credential structure, signature algorithms, and selective disclosure mechanisms. QTSPs must implement credential revocation mechanisms (such as status lists or OCSP-like services) that allow verifiers to check in real time whether a credential has been revoked.
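How a verifier binds SD-JWT disclosures to the issuer-signed digests and then reads a revocation bit from a status list, as an added example that is not code from this page or from any QTSP. It assumes the IETF SD-JWT disclosure encoding and the IETF Token Status List bit layout; the issuer URL, claim names and status bytes are constructed, and verification of the JWT signature itself is assumed to have happened already.

```python
import base64
import hashlib
import json
import zlib

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(salt: str, name: str, value) -> str:
    # A disclosure is base64url(JSON [salt, claim name, claim value]).
    return b64url(json.dumps([salt, name, value]).encode())

def disclosure_digest(disclosure: str) -> str:
    # The issuer signs only this digest; the holder reveals the disclosure.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def disclosed_claims(payload: dict, disclosures: list) -> dict:
    """Return the claims revealed by disclosures, rejecting any disclosure
    whose digest is absent from the issuer-signed _sd array."""
    signed = set(payload.get("_sd", []))
    claims = {}
    for item in disclosures:
        if disclosure_digest(item) not in signed:
            raise ValueError("disclosure is not covered by the issuer signature")
        _salt, name, value = json.loads(b64url_decode(item))
        claims[name] = value
    return claims

def status_at(status_list: dict, idx: int) -> int:
    """Read entry idx from a compressed status bit array (0 = valid)."""
    bits = status_list["bits"]
    raw = zlib.decompress(b64url_decode(status_list["lst"]))
    per_byte = 8 // bits  # entries are packed least significant bit first
    return (raw[idx // per_byte] >> ((idx % per_byte) * bits)) & ((1 << bits) - 1)

# Constructed sample data; the payload's JWS signature is assumed already verified.
ALL_DISCLOSURES = [make_disclosure("c2FsdC0x", "profession", "nurse"),
                   make_disclosure("c2FsdC0y", "licence_no", "RN-0001")]
PAYLOAD = {"iss": "https://qtsp.example", "_sd_alg": "sha-256",
           "_sd": [disclosure_digest(d) for d in ALL_DISCLOSURES],
           "status": {"status_list": {"idx": 3, "uri": "https://qtsp.example/status/1"}}}
STATUS_LIST = {"bits": 1, "lst": b64url(zlib.compress(bytes([0xB9, 0xA3])))}
```

The holder can present only the first disclosure and the verifier learns nothing about `licence_no`; index 3 of the constructed list is set, so this sample credential reads as revoked.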

The security requirements for QTSP infrastructure in the EUDI Wallet context are stringent. The signing keys used to issue credentials must be protected in certified hardware security modules (HSMs) meeting at least FIPS 140-2 Level 3 or Common Criteria EAL4+. The infrastructure must be hosted in facilities meeting ISO 27001 requirements, with redundancy, disaster recovery, and business continuity measures that ensure credential services remain available. The QTSP must also implement complete logging and audit trails for all credential lifecycle operations, supporting both regulatory compliance and incident investigation.

⚠️ Independent Information

This website is NOT affiliated with the European Commission or any EU government. We provide independent, easy-to-understand information about EUDI.