eIDAS QTSP FAQEU eIDAS

What is a qualified trust service provider?

A QTSP is not just a supplier that sells digital certificates or signing software. Under eIDAS, the provider must offer one or more qualified trust services and have qualified status granted by the responsible supervisory body.

For procurement, product, security, and legal reviews, verify both the provider and the exact qualified service in the relevant trusted list before relying on qualified eIDAS status.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Use this FAQ to check whether a trust-service supplier is actually a qualified trust service provider for the eIDAS service you plan to use. The core evidence is the eIDAS qualified-status decision, the national trusted list entry, the service type and status, the conformity assessment record, and the operational evidence for the specific qualified service.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

When is a provider a QTSP under eIDAS?

A provider is a qualified trust service provider only when it provides one or more qualified trust services and the supervisory body has granted qualified status. The check must cover both levels: the legal entity and the exact service, such as a qualified certificate, qualified timestamp, qualified electronic registered delivery service, qualified validation service, qualified preservation service, qualified electronic attestation of attributes, qualified electronic archiving service, qualified electronic ledger, or qualified remote management of signature or seal creation devices.

Do not treat a marketing claim, ISO certificate, ETSI standard reference, reseller statement, or parent-company brand as proof of QTSP status. Under eIDAS, a provider intending to start a qualified trust service notifies the supervisory body and submits a conformity assessment report; the supervisory body grants qualified status when the provider and service meet the eIDAS requirements.

  • Identify the exact qualified trust service used by the workflow, not only the supplier name.
  • Confirm the Member State supervisory body that granted qualified status.
  • Check that qualified status applies to the current service, certificate policy, and relying-party use case.
  • Separate qualified status from adjacent claims such as advanced signatures, non-qualified certificates, hosting, remote signing software, or reseller support.
Citations
Question 2

How should a relying party verify QTSP status?

Start with the relevant trusted list, not with the contract. Each Member State establishes, maintains, and publishes a secured trusted list in a form suitable for automated processing, and the Commission makes trusted-list publication information available through a secure channel. The Commission eSignature building block also points users to the Trusted List Browser for searching qualified trust service providers in Europe.

For technical validation, ETSI TS 119 612 explains how trusted-list information can feed certificate path validation and trust-anchor management. A relying party should validate the trusted-list source, select entries under its trust policy, and check regularly for service status changes or new entries.

  • Use the Commission trusted-list access point or the national trusted list for the provider's Member State.
  • Record the provider legal name, service name, service type identifier, Member State, service digital identity, current status, and status start date shown in the trusted-list evidence.
  • Confirm that the status supports the specific outcome you need, such as a qualified certificate for electronic signature, qualified electronic timestamp, QWAC, or qualified validation service.
  • Keep a dated capture or machine-readable validation result because trusted-list service status can change.
  • If the workflow depends on long-lived evidence, define how often the trusted-list source and certificate status information are refreshed.
Citations
Question 3

What supervision and operating evidence matters?

QTSP status is supervised, not self-declared. eIDAS requires qualified trust service providers to be audited at their own expense at least every 24 months by a conformity assessment body, with the conformity assessment report submitted to the supervisory body within three working days of receipt. Supervisory bodies may also audit or require additional conformity assessment at any time.

The operating evidence should prove that the service still meets the qualified-service requirements after onboarding, certificate issuance, identity or attribute verification, revocation, incident handling, subcontracting, cloud hosting, termination planning, and service changes. Where qualified certificates are issued, eIDAS requires revocation status publication in a timely manner and in any event within 24 hours after receipt of the request.

  • Conformity assessment report scope, date, assessment body, and the qualified services covered.
  • Supervisory body grant or withdrawal evidence and any conditions, remediation requests, or change approvals.
  • Policies for identity verification, attribute verification, certificate issuance, revocation, status services, cryptographic controls, logging, staff competence, subcontractors, and termination.
  • Incident and disruption notifications where the event significantly affects the trust service or personal data maintained in the service.
  • Contract and architecture evidence showing the deployed product uses the listed qualified service, not a non-qualified variant or separate reseller service.
Citations
Recommended next step

Turn QTSP checks into repeatable evidence

Sorena can help turn QTSP, trusted-list, conformity assessment, and service-status checks into cited procurement, product, and assurance workflows.

Research workflow
Open Research Copilot for EU eIDAS Regulation

Ask source-linked questions about QTSP status, qualified trust services, trusted lists, supervision, and evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through eIDAS QTSP evidence

Review your QTSP supplier evidence, trusted-list validation, service scope, and operational controls with Sorena.

Explore next step
Primary sources

References and citations

ETSI TS 119 612 - Trusted Lists
etsi.org
Referenced sections
  • Explains trusted-list structure and how trusted-list information supports certificate path validation and trust-anchor management.
"checked regularly for changes to the service status"
European Commission Digital Building Blocks - eSignature
ec.europa.eu
Referenced sections
  • Commission eSignature hub references the eIDAS Dashboard and Trusted List Browser used to search qualified trust service providers in Europe.
"searching for qualified Trust Service Providers in Europe"
Regulation (EU) No 910/2014 (eIDAS), QTSP requirements
eur-lex.europa.eu
Referenced sections
  • Article 24 covers QTSP duties including identity checks, trustworthy systems, incident notification, records, termination planning, and certificate revocation status.
"publish the revocation status of the certificate"
Regulation (EU) No 910/2014 (eIDAS), trusted lists
eur-lex.europa.eu
Referenced sections
  • Article 22 establishes Member State trusted-list publication and Commission publication of trusted-list location information.
"establish, maintain and publish trusted lists"
Related guides

Explore more topics

eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services
Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes
Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks
Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties
Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties
Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
eIDAS electronic signatures: SES, AES, QES legal effect and evidence
A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
eIDAS penalties and fines for trust service providers
Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
eIDAS QES validation checks for relying parties
How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
eIDAS Qualified Trust Services: QTSP Selection
How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
eIDAS remote signature and cloud HSM controls for QTSPs
Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
eIDAS signature legal effect selector: SES, AES, AES-QC, or QES
Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer
Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
eIDAS trusted list validation: LOTL, QTSP status, and evidence
How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws
Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements
Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations
Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations
Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation
Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates
A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks
What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
EU eIDAS checklist for signatures, trust services, and wallets
Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation
FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
EU eIDAS QTSP authorization and supervision guide
How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence
Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence
Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence
How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
EUDI Wallet readiness for service providers under eIDAS
Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
EUDI Wallet Relying Parties under eIDAS
What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
EUDI Wallet Relying Party Onboarding Workflow under eIDAS
A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
EUDI Wallet Relying Party Registration Under eIDAS
What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
EUDI Wallet Technical Architecture Guide under eIDAS
Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence
Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
QWACs under eIDAS: website authentication certificates
A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs
A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
What is a QWAC under the EU eIDAS Regulation?
Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.