Trusted Third Party Audit in #eIdAS compliance

Law 34/2002, of July 11, 2002, on information society services and electronic commerce (LSSI-CE) includes the figure of the Trusted Third Party in its article 25, for a specific function, that of document custody:

  1. The parties may agree that a third party shall record the declarations of intent that make up the electronic contracts and shall record the date and time at which such communications have taken place. The intervention of such third parties may not alter or replace the functions that correspond to the persons empowered by law to give public faith.
  2. The third party must file on computer support the declarations that have taken place by telematic means between the parties for the stipulated period of time which, in no case, will be less than five years.

Following the publication of European Regulation No. 910/2014 (#eIdAS), which applies directly in Spain as in the rest of the EU member countries, the “Trusted Third Party” is now called a PSEC, Trusted Electronic Service Provider. The range of services it can offer is wide. One of them is indeed the filing or preservation of electronic documents, covered by Article 34, on the preservation of qualified electronic signatures (and Article 40, in relation to electronic seals):

  1. A qualified preservation service for qualified electronic signatures may only be provided by a qualified trust service provider that uses procedures and technologies capable of extending the reliability of the qualified electronic signature data beyond the technological validity period.
  2. The Commission may, by means of implementing acts, establish reference numbers of standards for the qualified service for the preservation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the mechanisms of the qualified preservation service for qualified electronic signatures comply with those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Since only qualified electronic signature and qualified electronic seal preservation services (understood to apply to electronic documents) are qualified under the standard, other electronic document preservation services will be treated as “unqualified”.

In this context, there are three levels of services:

  1. Non-qualified trusted electronic services, not registered in the PSEC register of the SETSI.
  2. Non-qualified trusted electronic services, registered in the PSEC register of the SETSI.
  3. Qualified Trusted Electronic Services, registered in the PSEC register of the SETSI.

For the third case, before the Trusted Electronic Services Provider (PSEC) starts providing qualified trust services, it must submit to the supervisory body (in Spain, the SETSI, Secretaría de Estado de Telecomunicaciones y para la Sociedad de la Información) an application for approval to start activity (technically, a Notification of Qualified Trusted Electronic Services) together with a conformity assessment report issued by an assessment body accredited by the accreditation body (in Spain, ENAC, Entidad Nacional de Acreditación).

Qualified electronic trust services include the issuance of qualified certificates for natural persons, which corresponds to the qualified certificate certification services regulated until 1 July 2016 by Law 59/2003, of 19 December, on electronic signatures (LFE), a law that transposed Directive 1999/93/EC.

Certification service providers issuing qualified certificates in accordance with Directive 1999/93/EC have until 1 July 2017 to submit a conformity assessment report to the supervisory body.