Electronic signatures and other eIDAS services

Trust services: enabling secure electronic services

Provision of trust services

Previously, EU legislation only included provisions on electronic signatures. The eIDAS Regulation (EU) No 910/2014 expanded the scope of reliability requirements to several other features used in online services. In the Regulation, these features are called trust services. The majority of trust services are included in the structures of services, invisible to the users. The eIDAS Regulation entered into force on 1 July 2016, and it extended the scope of supervision activities to electronic seals, electronic time stamps, electronic registered delivery services and website authentication.

The eIDAS Regulation enables service providers to clearly indicate that the products or features they offer for online services are reliable. If they wish, trust service providers can apply for approval for their services from the authorities.

Using trust services

These days, more and more transactions are conducted online. In both public and private services, it is important to reliably identify the customer and to ensure the security of the services.

The use of trust services or qualified trust services is voluntary, unless the legislation governing the service requires the use of trust services. For example, payment services provisions require the use of qualified seals or certificates for website authentication and legislation on electronic prescriptions lay down rules for the use of qualified certificates for electronic signatures.

Trust services

Trust services supervised under the eIDAS Regulation include electronic signatures and seals, the related validation and preservation services, electronic time stamps, electronic registered delivery services and website authentication.

Qualified and non-qualified trust services

Trust services may be either qualified or non-qualified. The status of a qualified trust service requires a conformity assessment by an accredited conformity assessment body and a notification to Traficom before commencing operations.

Non-qualified services are subject to ex post supervisory activities, which are substantially lighter than those applied to qualified trust services. For example, the service for creating an electronic signature is not a qualified trust service because qualification cannot be sought for it.

Qualified electronic trust services may include the following services (applicable Article of the eIDAS Regulation in parentheses):

• certificate, validation service or preservation service for electronic signatures (Articles 28, 33 and 34)
• certificate, validation service or preservation service for electronic seals (Articles 38 and 40)
• electronic time stamp (Article 42)
• electronic registered delivery service (Article 44)
• certificate for website authentication (Article 45)

Non-qualified trust services include such above-listed services or other services referred to in the eIDAS Regulation that have not been notified to Traficom and entered on the trusted list.

Electronic signature

An electronic signature verifies the data content of an electronic document and the identity of the signatory.

The eIDAS Regulation defines three levels of electronic signatures:

• electronic signature
• advanced electronic signature
• qualified electronic signature.

An advanced electronic signature enables the unique identification of the signatory and is linked to other electronic data, such as an email, so that any subsequent changes in the data can be detected.  If an electronic document is changed later, the earlier signature no longer matches the content of the amended document.

Electronic seal

An electronic seal is otherwise similar to an electronic signature, but it is created by a legal person. The eIDAS Regulation defines three levels of electronic seals.

Electronic seals enable the creation of automated system signatures that verify the integrity and origin of a signed document, code, application or other binary file. In system signatures, seals are always created by a legal person.

Certificate for electronic signature

A certificate for electronic signature means an electronic attestation that links electronic signature validation data to a natural person signing a document and confirms at least the name or pseudonym of that person.

Qualified certificates for electronic signatures must contain certain information listed in Annex I to the eIDAS Regulation. This information includes the following:

• an indication that the certificate is qualified
• details of the provider issuing the certificate (must be a qualified trust service provider)
• details of the beginning and end of the certificate’s period of validity
• the services that can be used to enquire about the validity of the certificate
• the name or pseudonym of the signatory
• details of the signatory’s public key (in the eIDAS Regulation: “electronic signature validation data that corresponds to the electronic signature creation data”)
• if the private key related to the signatory’s public key is located in a qualified electronic signature creation device (QSCD), an appropriate indication of this, at least in a form suitable for automated processing.

In Finland, qualified certificates for electronic signatures are provided by the the Digital and Population Data Services Agency. These qualified certificates are included, for example, in personal identity cards issued by the police and in organisation cards used by the different organisations. The chip used in these cards is also a QSCD that complies with the eIDAS Regulation. In addition to the signature certificate, the cards always include an identification certificate for strong electronic identification.

Certificate for electronic seal

A certificate for electronic seal means an electronic attestation that links electronic seal validation data to a legal person and confirms the name of that person.

Qualified certificates for electronic seals must contain the same information as certificates for electronic signatures. The required details are listed in Annex III to the eIDAS Regulation.

Validation of electronic signatures or electronic seals

Validation means verifying and confirming that an electronic signature or a seal is valid.  Parties relying on a signature or seal can validate the signature or seal themselves or use a validation service.

Validation is a service that complements electronic signatures and seals, verifying the authenticity of an electronic signature or seal. It involves verifying all the elements of an electronic signature or seal.

Validation confirms, for example, that a certificate for an electronic signature or seal is valid, the signature validation data corresponds to the validation data provided to the relying party (i.e. correct public key) and the integrity of the signed data has not been compromised (i.e. the data has not been changed).

More detailed provisions on the validation of qualified electronic signatures and seals are laid down in Article 32 of the eIDAS Regulation and provisions on requirements for providers of qualified validation services in Articles 24 and 33.   

Preservation of electronic signatures or electronic seals

A preservation service guarantees the reliability of an electronic signature or seal for a long time. The service provider re-certifies the original signature or seal when the previous certificate expires. 

Electronic time stamp

An electronic time stamp is a time stamp linked to an electronic signature that verifies the time and date of the signature, or at least the time before which the signature has been made, if the time stamp is issued afterwards.

Electronic registered delivery service

With an electronic registered delivery service, data can be transmitted securely between third parties. Both the sender and the recipient are reliably identified, and the unaltered nature of the data is ensured.

Certificate for website authentication

Website authentication services provide a means by which a visitor to a website can be assured that the site is genuine and legitimate. The services build trust and confidence in online services, as users can trust a website that has been authenticated. 

Trusted list on qualified trust service providers

Traficom maintains a public register of qualified trust service providers. This register is called a trusted list.

TSL implementation of the Trusted List (External link) [xml, 49 KB] 
A Human readable form of the TSL implementations of the trusted list (External link)[pdf, 310 KB]

SHA-256 hash of the Trusted List XML (External link) [sha2, 64 B]

The present list is the trusted list including information related to the qualified trust service providers which are supervised by Finnish Transport and Communications Agency (Traficom), together with information related to the qualified trust services provided by them, in accordance with the relevant provisions laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.

The cross-border use of electronic signatures has been facilitated through Commission Decision 2009/767/EC of 16 October 2009 which has set the obligation for Member States to establish, maintain and publish trusted lists with information related to certification service providers issuing qualified certificates to the public in accordance with Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures and which are supervised/accredited by the Member States. The present trusted list is the continuation of the trusted list established with Decision 2009/767/EC.

Supervision of trust services

The National Cyber Security Centre Finland (NCSC-FI) at the Finnish Transport and Communications Agency Traficom monitors and supervises compliance with the eIDAS Regulation and the . We also issue regulations specifying the provisions of the Act. We oversee that the provision of trust services is reliable and secure.

• Traficom checks that notified services meet the applicable requirements and enters the services on the trusted list.
• Traficom is the appellate authority in matters concerning trust services
• Non-qualified service providers are only supervised based on disturbance notifications submitted by service providers and complaints on the services.
• Traficom is not competent to settle any contractual disputes.

Trust service providers are subject to the following obligations:

• Notification obligation: Qualified trust service providers based in Finland must submit a written notification before commencing operations.
• Audit obligation: Qualified trust service providers must attach to their commencement notification a conformity assessment report issued by a conformity assessment body. An updated report must be submitted at least every two years. 
• Provision prohibition: If a qualified trust service does not meet the requirements laid down by law, Traficom will cancel its status as a qualified service. 
• Obligation to notify changes: Qualified trust service providers must notify any changes to the information they have provided in their commencement notification. Traficom must also be notified of the termination of operations or the transfer of operations to another service provider.
• Obligation to notify disturbances: Service providers must notify Traficom of any significant threats and disturbances concerning the information security and functioning of the service as well as of any corrective action taken. This obligation also applies to non-qualified trust services.
• Supervision fees: The commencement notification is subject to a registration fee. Operators entered on the trusted list must pay an annual supervision fee. Provisions on the fees are laid down in section 47 of the Act on Strong Electronic Identification and Electronic Trust Services.

Notification forms and fees

For more information on the content of the notifications, please see the Guideline 214/2016 O on electronic identification and trust service notifications.

Other supervisory authorities

The Ministry of Transport and Communications is responsible for the general guidance and development of electronic trust services. The Ministry of Finance is responsible for guiding the provision of electronic services by the public administration.

Different authorities guide and supervise the information security, reliability and personal data protection of trust services and effective competition in the field. The Data Protection Ombudsman supervises compliance with the personal data provisions of the Act on Strong Electronic Identification and Electronic Trust Services and eIDAS Regulation. The Finnish Competition and Consumer Authority ensures the effectiveness of the market and competition and guarantees consumer protection. If necessary, Traficom and the Data Protection Ombudsman collaborate with the Financial Supervisory Authority and the Finnish Competition and Consumer Authority when performing supervisory tasks.

The Finnish Accreditation Service FINAS is responsible for the accreditation of conformity assessment bodies for qualified trust services. Traficom must also approve the assessment bodies.

eIDAS working group

Traficom has an eIDAS working group that is open to all interested parties. The working group enables operators to follow and exchange information on the regulation and development of electronic trust services and electronic identification.

Information on domestic and EU-wide matters in the field of identification and trust services is mainly exchanged electronically via a mailing list maintained by Traficom. If necessary, the working group my establish sub-groups to discuss matters in a certain area. Traficom aims to organise events for the group each year. Invitations are send via the mailing list.

Conformity assessment bodies of trust services

Qualified trust service providers must have a conformity assessment carried out on their operations and services before beginning their operations. The assessment must be repeated every two years. The conformity assessment must be carried out by a conformity assessment body accredited in accordance with Regulation (EC) 765/2008. The body must be accredited precisely for the assessment of services under the eIDAS Regulation.

The assessment may be performed by an assessment body accredited in any EU country.

More information:

• Up-to-date information on assessment bodies is provided by the accreditation units of EU countries.
• European Commission’s unofficial list of conformity assessment bodies (CABs) accredited against the requirements of the eIDAS Regulation (External link)

In Finland, conformity assessment bodies are accredited by FINAS, the national accreditation body (NAB) in accordance with Regulation (EC) 765/2008. The body must also apply for qualification by Traficom. At present, there are no accredited assessment bodies carrying out eIDAS assessments in Finland.

Accreditation criteria

The European accreditation co-operation body EA (European Co-operation for Accreditation) has prepared the document EA Certification Committee Reference Paper; ETSI / EA Recommendations regarding; Preparation for Audit under EU Regulation (EU) No 910/2014 Article 20.1. It defines how, in the accreditation of conformity assessment bodies (CAB), the move from the earlier practice to the practice defined in the eIDAS Regulation should take place, which requirements the assessment bodies are expected to meet in the accreditation, and in which matters they are expected to be competent. The document is based on ETSI standards.

The Commission has not issued an implementing act to specify the conformity assessment body standards under Article 20(4) of the eIDAS Regulation. Therefore, the standards listed in the EA document form the basis for the accreditation and qualification of conformity assessment bodies.

Requirements concerning conformity assessment bodies have been defined in the following standard:

• ETSI EN 319 403 V2.2.2 (2015-08) Electronic Signatures and Infrastructures (ESI); Trust Service Provider Conformity Assessment - Requirements for conformity assessment bodies assessing Trust Service Providers. 
• The standard is based on standard ISO/IEC 17065 that defines general requirements for assessment bodies.
• Standard EN 319 403 complements the requirements of the ISO/IEC standard, particularly with regard to requirements concerning trust service providers and their services.

Under the Act on Strong Electronic Identification and Electronic Trust Services, conformity assessment bodies must be competent to assess service providers and their services. Traficom has issued more detailed competence requirements in Regulation 72 by referring to ETSI standards.

When FINAS makes a decision on the assessment body accreditation criteria referred to in the Act on Verifying the Competence of Conformity Assessment Services (920/2005), it may also take into account other requirements concerning the assessment of independence and competence in addition to the standards referred to in Regulation 72.

Qualification of assessment bodies

To be qualified, Traficom requires assessment bodies to be accredited by FINAS and submit a declaration on how the guidelines in section 33, subsection 1, paragraph 4 of the Act on Strong Electronic Identification and Electronic Trust Services have been followed.

Legislation and other documents about trust services

Below you will find all legislation, regulations and other documents concerning electronic identification and trust services, including supervision decisions, recommendations, explanatory memoranda, guidelines and publications.

Legislation – trust services

• REGULATION (EU) No 910/2014 (External link) OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (“eIDAS Regulation”)
  • Commission Implementing Decision (EU) 2015/1505 (External link) laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
  • Commission Implementing Decision (EU) 2015/1506 (External link) laying down specifications relating to formats of advanced electronic signatures and advanced seals to be recognised by public sector bodies pursuant to Articles 27(5) and 37(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.
  • Commission Implementing Decision (EU) 2016/650 (External link) laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market

Guidelines and recommendations

eIDAS and standards

• Enisa: Assessment of Standards related to eIDAS (External link)

Draft guidelines (2017)

• Guidelines on the initiation of Trust Services [DRAFT v.0.99, 07/04/2017] (External link)
• Guidelines on the supervision of Trust Services [DRAFT v.0.99, 07/04/2017] (External link) 
• Guidelines on the implementation of specific eIDAS articles [DRAFT v.0.99, 07/04/2017] (External link)
• Guidelines on the auditing framework of TSPs [DRAFT v.0.99, 07/04/2017] (External link)
• Guidelines on the appropriate security level at TSPs [DRAFT v.0.99, 07/04/2017] (External link)

Technical guidelines for trust service providers (2017)

• Security guidelines on the appropriate use of qualified electronic seals (2017) (External link)
• Security guidelines on the appropriate use of qualified website authentication certificates (2017) (External link)
• Security guidelines on the appropriate use of qualified electronic registered delivery services (2017) (External link)
• Security guidelines on the appropriate use of qualified electronic signatures (2017) (External link) 
• Security guidelines on the appropriate use of qualified electronic time stamps (2017) (External link) 
• Technical guideline for Incident Reporting - Article 19 incident reporting framework for eIDAS Article 19 (2017) (External link)
• Auditing Framework for TSPs (2015) (External link)

Guidelines for trust service providers (2013)

• Part 1: Security framework (External link)
• Part 2: Risk assessment (External link)
• Part 3: Mitigating the impact of security incidents (External link)