The eIDAS regulation came into force on July 1, 2016, bringing with it many changes for trusted service providers, including a new compliance study.
As a result, from 1 July 2016, every trusted service provider (PSCo) is required to undergo what is called an “eIDAS compliance audit”, carried out by accredited conformity assessment bodies in accordance with Regulation No 765/2008 of 9 July 2008.
This is in order to obtain the “holy grail”: the certification of its services.
This certification confirms compliance with the various standards relating to trust services (certificates, timestamps) under the eIDAS regulation.
Under the eIDAS regulation, each trusted service provider must first obtain the qualification of its services through an audit before being able to present them as qualified.
This qualification offers the advantage of changing the burden of proof of liability for the PSCo in the event of litigation.
How does an eIDAS conformity audit take place?
The auditors of the official body (LSTI) check that the certification policies respect the rules defined in the standards:
They shall ensure agreement between:
– The requirements of European and national standards and our certification and timestamping policies
– What is written in the policies and the actual actions.
This includes, but is not limited to, the following controls:
– Checking the registration procedure files
– Management of authorizations (who does what, how departures are handled, …) and tracking of secrets (i.e. cards)
– Architecture of the platform (visits to data centers, checks of security measures, network, …)
– Physical security (headquarters and data centers)
– Operational management of the platform (change management, monitoring, crisis management, business continuity plan (PCA), backups, …)
As a result of this audit, a report is drawn up and submitted to the PSCo. The supervisory body then issues its certification decision.
A new legal framework since July 2016
In order to promote the adoption of electronic signatures and accelerate the dematerialization of processes, the European Commission has put in place the eIDAS regulation, applicable since 1 July 2016.
This new transnational regulation lays the groundwork for a “digital trust” single market by promoting the harmonization of electronic signatures, interoperability between countries and actors, and harmonizing the processes for creating the electronic signature.
At what pace?
Every 2 years from July 2016. The entry into force of the eIDAS regulation has changed the frequency of the compliance audits, which were previously annual.