--- title: "EU eIDAS QTSP authorization and supervision guide" canonical_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-authorization-and-supervision" source_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-authorization-and-supervision" author: "Sorena AI" description: "How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "eIDAS QTSP authorization" - "qualified trust service provider" - "eIDAS supervision" - "conformity assessment report" - "trusted lists" - "EU eIDAS Regulation" - "eIDAS" - "QTSP" - "conformity assessment" - "trust services" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU eIDAS QTSP authorization and supervision guide How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence. *Artifact Guide* *EU* ## EU eIDAS QTSP Authorization and Supervision A qualified trust service provider is not qualified by branding, contract language, or a certificate policy alone. Under eIDAS, qualified status is granted by the supervisory body and becomes usable after it is indicated in the Member State trusted list. Use this page to organize initiation, recurring conformity assessment, supervisory change notifications, trusted-list checks, incident reporting, and evidence for qualified trust services. This guide explains the eIDAS lifecycle for qualified trust service provider status. It focuses on the practical records a provider, relying party, auditor, or procurement reviewer should check: the intended qualified trust service, the conformity assessment report, the supervisory body's grant or withdrawal decision, the trusted-list entry, change and cessation notifications, security breach handling, and service-specific evidence. ## What makes a trust service provider a QTSP under eIDAS? eIDAS defines a qualified trust service provider as a trust service provider that provides one or more qualified trust services and has been granted qualified status by the supervisory body. That status is service-specific: a provider may be qualified for one trust service and not for another. For a new qualified trust service, the provider must notify the supervisory body and submit a conformity assessment report from a conformity assessment body. The provider may begin providing the qualified service only after the qualified status is indicated in the trusted list. - Identify the exact qualified trust service, such as qualified certificates, qualified time stamps, qualified registered delivery, validation, preservation, attestations of attributes, or remote qualified signature or seal creation device management. - Keep the conformity assessment report that supports the initiation notification. - Record the supervisory body's grant of qualified status for both the provider and the specific service. - Verify the public trusted-list entry before describing the service externally as qualified. Sources for this answer: - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Defines qualified trust services, QTSPs, conformity assessment bodies, initiation of qualified trust services, and when a provider may begin providing a qualified service. - [ENISA - Guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - ENISA describes Article 20 supervision guidance for qualified trust services and identifies supervisory authorities, providers, and stakeholders as the intended audience. ## Authorization and supervision records to keep together The useful operating record is not a single approval email. It should connect the qualified service, the conformity assessment scope, the supervisory body decision, the trusted-list status, and the operational controls that keep the service inside the approved scope. eIDAS requires QTSPs to be audited at their own expense at least every 24 months by a conformity assessment body, and to submit the resulting conformity assessment report to the supervisory body within three working days of receipt. The supervisory body may also audit a QTSP or request a conformity assessment at any time. - Service register: provider name, Member State, supervisory body, qualified service type, service digital identity, customer-facing service name, and launch status. - Assessment file: conformity assessment body, accreditation status, assessment scope, report date, report receipt date, and submission evidence to the supervisory body. - Supervision file: supervisory body questions, remedies required, deadlines set by the supervisory body, closure evidence, and any decision to grant or withdraw status. - Trusted-list file: current trusted-list status, service history, LOTL or national trusted-list retrieval evidence, and validation-tool output used by relying parties. - Change file: notifications for planned changes, intended cessation, termination plan evidence, and supervisory responses. Sources for this answer: - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Article 20 establishes periodic conformity assessment, supervisory access to audits, ad hoc audits, remedies, and withdrawal of qualified status. - [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Provides baseline TSP policy requirements covering practice statements, terms and conditions, information security policy, asset controls, access control, cryptographic controls, operations, incident management, business continuity, and evidence collection. ## Trusted lists are the public status check Trusted lists are the public mechanism that lets relying parties check whether a provider and service have qualified status and see status history. eIDAS requires Member States to establish, maintain, and publish trusted lists for the QTSPs they are responsible for and the qualified services those QTSPs provide. The European Commission publishes a central List Of Trusted Lists so systems can locate Member State trusted lists. ETSI explains that trusted lists have constitutive effect for EU qualified trust services: the legal effect associated with a qualified trust service depends on the service being listed as qualified. - Do not rely only on a supplier statement that it is a QTSP; check the trusted list for the specific provider and service. - Store evidence of the trusted-list status used for onboarding, renewal, incident investigation, and signature or certificate validation. - For machine checks, record the LOTL or national trusted-list source, status value, service type, service digital identity, retrieval time, and validation result. - Treat status changes such as withdrawal as operational triggers for customer notices, relying-party validation rules, procurement blocks, and service continuity review. Sources for this answer: - [ETSI - Certification Authorities and other Trust Service Providers](https://portal.etsi.org/TB-SiteMap/ESI/Trust-Service-Providers?ref=sorena.io) - Explains that EU Member State trusted lists include supervised QTSPs and their qualified trust services, and that users rely on trusted lists to determine qualified status and status history. - [ETSI TS 119 612 trusted lists](https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.03.01_60/ts_119612v020301p.pdf?ref=sorena.io) - Specifies trusted-list structure, status values, service digital identity information, LOTL location concepts, and the status meaning for granted or withdrawn qualified status. ## Security, incident, and change obligations that affect qualified status QTSP authorization is not finished after the initial trusted-list entry. eIDAS Article 24 requires a QTSP to inform the supervisory body before changes to qualified trust services or intended cessation, maintain appropriate risk-management measures, use trustworthy systems, keep relevant issued and received information accessible, and maintain an up-to-date termination plan. For security breaches or disruptions that have a significant impact on the trust service or personal data maintained in it, eIDAS requires notification to the supervisory body, affected identifiable individuals, other relevant competent bodies where applicable, and, if the supervisory body determines that disclosure is in the public interest, the public. The notification must be made without undue delay and in any event within 24 hours after the provider becomes aware of the breach or disruption. - Maintain incident procedures that identify when a trust-service event is significant for eIDAS notification. - Keep logs, event classification, containment, eradication, recovery, notification, and post-incident review evidence. - Tie change management to the approved qualified service scope, including infrastructure, cryptographic controls, service access points, subcontractors, termination plans, and certificate or status services. - When a failure affects eIDAS, NIS2, or personal data protection requirements, record which authority channel was used and why. Sources for this answer: - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Article 24 covers QTSP operational duties, change and cessation notifications, risk measures, incident notifications, records, certificate status information, and termination planning. - [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Provides operational requirements for TSP monitoring, logging, incident response, reporting procedures, event assessment, post-incident review, and evidence collection. - [ENISA - Security framework for Trust Service Providers](https://www.enisa.europa.eu/publications/tsp-security?ref=sorena.io) - ENISA provides security-framework guidance for trust service providers, including technical guidelines for risk and incident-related controls. ## Evidence checklist for procurement, audit, and relying-party review A relying party, auditor, or procurement reviewer should be able to determine whether a claimed qualified service is actually qualified, current, and within scope. The strongest evidence combines legal status, technical validation, supervisory history, and operating controls. Keep evidence at the service level. A provider-wide certificate, a marketing page, or a generic ISO certificate does not prove that a particular eIDAS trust service currently has qualified status. - Current trusted-list entry for the provider and service, including service type, status, status history, and service digital identity. - Conformity assessment report and submission evidence for initiation, recurring 24-month assessment, or ad hoc supervisory assessment. - Supervisory body decision evidence for grant, remedy, continuation, withdrawal, or delay in verification. - Practice statement, terms and conditions, service scope, limitation-of-use language, and public trust-mark usage records. - Security and continuity evidence: risk measures, incident logs, notification records, business continuity links, termination plan, revocation or validity-status service records, and post-incident reviews. - Change evidence: notifications sent before material qualified-service changes, cessation notices, supervisory questions, approval conditions, and implementation records. Sources for this answer: - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the checklist items for initiation, periodic conformity assessment, trusted-list indication, change notifications, incident obligations, and withdrawal of qualified status. - [ETSI TS 119 612 trusted lists](https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.03.01_60/ts_119612v020301p.pdf?ref=sorena.io) - Supports trusted-list evidence fields such as status values, service digital identity, status history, and LOTL-based discovery. *Recommended next step* *Placement: before sources* ## Review qualified status, trusted-list proof, and supervision evidence Sorena can help structure QTSP evidence around the specific qualified service, trusted-list status, conformity assessment report, supervisory record, change notices, incident handling, and continuity evidence. - [Open Research Copilot for EU eIDAS](/solutions/research-copilot.md): Ask source-linked questions about QTSP status, trusted lists, conformity assessment, supervision, and incident evidence using the cited sources on this page. - [Talk through implementation](/contact.md): Review your qualified trust service evidence file, trusted-list validation records, and supervisory workflow with Sorena. ## Primary sources - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Primary legal source for QTSP definitions, initiation of qualified trust services, supervision, trusted lists, QTSP operating obligations, incident notification, and withdrawal of qualified status. - Quote: "qualified trust service provider" - [ENISA - Guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - ENISA guidance source for Article 20 supervision of qualified trust services. - Quote: "supervision of qualified trust services" - [ENISA - Security framework for Trust Service Providers](https://www.enisa.europa.eu/publications/tsp-security?ref=sorena.io) - ENISA guidance source for technical security expectations relevant to trust service providers. - Quote: "Security framework for Trust Service Providers" - [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Baseline ETSI policy requirements for trust service providers, including management, operations, incident handling, reporting, continuity, and evidence collection. - Quote: "General Policy Requirements for Trust Service Providers" - [ETSI TS 119 612 trusted lists](https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.03.01_60/ts_119612v020301p.pdf?ref=sorena.io) - Technical specification for trusted-list structure, status values, service identity, and LOTL discovery used to validate qualified status. - Quote: "Trusted Lists" - [ETSI - Certification Authorities and other Trust Service Providers](https://portal.etsi.org/TB-SiteMap/ESI/Trust-Service-Providers?ref=sorena.io) - Explains the public role of trusted lists, conformity assessment bodies, and the Commission List Of Trusted Lists for EU trust services. - Quote: "Trusted Lists and Other Nationally Maintained Information" ## Related Topic Guides - [eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services](/artifacts/eu/electronic-identification-and-trust-services-regulation/deadlines-and-compliance-calendar.md): Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence. - [eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas2-vs-eidas.md): Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision. - [eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/certificates-and-authentication.md): Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence. - [eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist-and-evidence.md): Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls. - [eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/compliance.md): Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records. - [eIDAS electronic signatures: SES, AES, QES legal effect and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-signatures-and-legal-effect.md): A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records. - [eIDAS penalties and fines for trust service providers](/artifacts/eu/electronic-identification-and-trust-services-regulation/penalties-and-fines.md): Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence. - [eIDAS QES validation checks for relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/qes-validation.md): How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records. - [eIDAS Qualified Trust Services: QTSP Selection](/artifacts/eu/electronic-identification-and-trust-services-regulation/qualified-trust-services-and-qtsp-selection.md): How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records. - [eIDAS remote signature and cloud HSM controls for QTSPs](/artifacts/eu/electronic-identification-and-trust-services-regulation/remote-signature-and-cloud-hsm-controls.md): Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks. - [eIDAS signature legal effect selector: SES, AES, AES-QC, or QES](/artifacts/eu/electronic-identification-and-trust-services-regulation/signature-legal-effect-selector-workflow.md): Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition. - [eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-service-role-scoping-workflow.md): Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP. - [eIDAS trusted list validation: LOTL, QTSP status, and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-list-validation.md): How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports. - [eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-esign-and-ueta.md): Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps. - [eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-etsi-en-319-401.md): Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls. - [eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-gdpr-identity-data.md): Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights. - [eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-nis2-trust-services.md): Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers. - [Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-attestations-of-attributes.md): Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect. - [EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/applicability-test.md): A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence. - [EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/attribute-attestations.md): What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify. - [EU eIDAS checklist for signatures, trust services, and wallets](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist.md): Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records. - [EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq.md): FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence. - [EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-due-diligence-workflow.md): Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence. - [EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/requirements.md): Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties. - [EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/trusted-lists.md): How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties. - [EUDI Wallet readiness for service providers under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-readiness.md): Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence. - [EUDI Wallet Relying Parties under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/eudi-wallet-relying-party.md): What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence. - [EUDI Wallet Relying Party Onboarding Workflow under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/wallet-onboarding-workflow.md): A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties. - [EUDI Wallet Relying Party Registration Under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-relying-party-registration.md): What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps. - [EUDI Wallet Technical Architecture Guide under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-technical-architecture-guide.md): Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls. - [QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qes-vs-ades.md): Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence. - [QWACs under eIDAS: website authentication certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/qwacs.md): A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks. - [What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs](/artifacts/eu/electronic-identification-and-trust-services-regulation/what-eidas-covers.md): A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations. - [What is a qualified trust service provider under eIDAS?](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qualified-trust-service-provider.md): How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records. - [What is a QWAC under the EU eIDAS Regulation?](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qwac.md): Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-authorization-and-supervision