
EU eIDAS Regulation QTSP Due Diligence Workflow

Use this workflow before relying on a qualified trust service provider for signatures, seals, timestamps, website authentication certificates, attestations, archiving, ledgers, or related qualified trust services.

The checks focus on trusted-list validation, exact qualified service scope, certificate and revocation evidence, published policies, supervision, audits, termination planning, incident posture, and records to retain.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

A QTSP is not selected only by brand name or by a marketing claim that it is eIDAS compliant. Under eIDAS, qualified status is tied to a provider, the qualified services it provides, supervisory decisions, trusted-list entries, and service-specific evidence. This workflow gives procurement, product, security, legal, and compliance teams a concrete review path before onboarding or continuing to rely on a QTSP.

Section 1

1. Confirm the provider and service in the EU trusted-list system

Start with the Member State trusted list and the Commission List of Trusted Lists (LOTL), not with a vendor certificate bundle or sales deck. eIDAS requires Member States to establish, maintain, and publish trusted lists that identify qualified trust service providers and the qualified trust services for which they are responsible.

Record the legal provider name, Member State, trusted-list location, scheme operator, service name, service type identifier, service digital identity, current service status, status start time, and relevant service history. If the service is not shown as qualified for the exact service you intend to rely on, treat the due diligence result as blocked until the provider or supervisory record explains the gap.

  • Verify that the provider is a qualified trust service provider, not only a trust service provider with a non-qualified service.
  • Match the listed service type to the planned use case, such as qualified certificates for electronic signatures, seals, website authentication, timestamps, electronic registered delivery, electronic attestations of attributes, archiving, or ledgers.
  • Check current status and historical status entries because trusted lists are designed to show whether a service is or was operating in compliance at a specific time.
  • Keep a machine-readable trusted-list extract or validation output, a human-readable screenshot if useful, and the date and time of the check.
  • Do not accept a generic EU trust mark, logo, or website claim unless it links back to the relevant trusted-list entry for the qualified service.
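To make the point-in-time status check concrete, here is an added example (not part of the original page and not from any trusted-list tooling) that parses a constructed, heavily abbreviated trusted-list fragment and answers whether a CA/QC service was in "granted" status at a given instant, using both the current ServiceInformation and the ServiceHistory entries. The element names, the namespace `http://uri.etsi.org/02231/v2#`, and the service-type and status URIs are assumed to follow ETSI TS 119 612; the provider name, service name, timestamps, and certificate placeholder are invented.

```python
"""Point-in-time status check over a constructed trusted-list (TL) extract.

Added example, not the page's or any project's code. Element names, namespace
and URIs are assumed from ETSI TS 119 612; all data values are constructed.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}  # assumed TL schema namespace

# Assumed ETSI TS 119 612 identifiers for a qualified CA service and its status values.
SVCTYPE_CA_QC = "http://uri.etsi.org/TrstSvc/Svctype/CA/QC"
STATUS_GRANTED = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted"
STATUS_WITHDRAWN = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn"

# Constructed TL fragment: one provider, one CA/QC service that was granted in
# 2019 and withdrawn in 2025. The certificate is a placeholder, not a real one.
SAMPLE_TL = """<?xml version="1.0" encoding="UTF-8"?>
<tsl:TrustServiceStatusList xmlns:tsl="http://uri.etsi.org/02231/v2#">
  <tsl:TrustServiceProviderList>
    <tsl:TrustServiceProvider>
      <tsl:TSPInformation>
        <tsl:TSPName><tsl:Name xml:lang="en">Example Trust Services Ltd (constructed)</tsl:Name></tsl:TSPName>
      </tsl:TSPInformation>
      <tsl:TSPServices>
        <tsl:TSPService>
          <tsl:ServiceInformation>
            <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
            <tsl:ServiceName><tsl:Name xml:lang="en">Example Qualified CA 2 (constructed)</tsl:Name></tsl:ServiceName>
            <tsl:ServiceDigitalIdentity>
              <tsl:DigitalId><tsl:X509Certificate>BASE64_CERT_PLACEHOLDER</tsl:X509Certificate></tsl:DigitalId>
            </tsl:ServiceDigitalIdentity>
            <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/withdrawn</tsl:ServiceStatus>
            <tsl:StatusStartingTime>2025-03-01T00:00:00Z</tsl:StatusStartingTime>
          </tsl:ServiceInformation>
          <tsl:ServiceHistory>
            <tsl:ServiceHistoryInstance>
              <tsl:ServiceTypeIdentifier>http://uri.etsi.org/TrstSvc/Svctype/CA/QC</tsl:ServiceTypeIdentifier>
              <tsl:ServiceStatus>http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/granted</tsl:ServiceStatus>
              <tsl:StatusStartingTime>2019-06-15T00:00:00Z</tsl:StatusStartingTime>
            </tsl:ServiceHistoryInstance>
          </tsl:ServiceHistory>
        </tsl:TSPService>
      </tsl:TSPServices>
    </tsl:TrustServiceProvider>
  </tsl:TrustServiceProviderList>
</tsl:TrustServiceStatusList>
"""


def parse_time(text):
    """TL timestamps are UTC 'Z' times; make them timezone-aware for comparison."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def load_services(tl_xml):
    """Flatten each TSPService into a record with a sorted (start, status, type) timeline."""
    root = ET.fromstring(tl_xml)
    services = []
    for tsp in root.iterfind(".//tsl:TrustServiceProvider", NS):
        provider = tsp.findtext("tsl:TSPInformation/tsl:TSPName/tsl:Name", namespaces=NS)
        for svc in tsp.iterfind("tsl:TSPServices/tsl:TSPService", NS):
            info = svc.find("tsl:ServiceInformation", NS)
            # Current status plus every historical status, each with its own start time.
            entries = [info] + list(svc.iterfind("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS))
            timeline = sorted(
                (parse_time(e.findtext("tsl:StatusStartingTime", namespaces=NS)),
                 e.findtext("tsl:ServiceStatus", namespaces=NS),
                 e.findtext("tsl:ServiceTypeIdentifier", namespaces=NS))
                for e in entries)
            services.append({
                "provider": provider,
                "service_name": info.findtext("tsl:ServiceName/tsl:Name", namespaces=NS),
                "service_type": info.findtext("tsl:ServiceTypeIdentifier", namespaces=NS),
                "digital_id": info.findtext(
                    "tsl:ServiceDigitalIdentity/tsl:DigitalId/tsl:X509Certificate", namespaces=NS),
                "timeline": timeline,
            })
    return services


def entry_at(service, when):
    """Latest timeline entry whose start time is <= when, or None if before any record."""
    chosen = None
    for entry in service["timeline"]:
        if entry[0] <= when:
            chosen = entry
    return chosen


def status_at(service, when):
    entry = entry_at(service, when)
    return entry[1] if entry else None


def is_qualified_for(service, service_type, when):
    """True only if the service was 'granted' for exactly this service type at that instant."""
    entry = entry_at(service, when)
    return entry is not None and entry[1] == STATUS_GRANTED and entry[2] == service_type


if __name__ == "__main__":
    for svc in load_services(SAMPLE_TL):
        for when in ("2020-01-01T00:00:00Z", "2025-06-01T00:00:00Z"):
            ok = is_qualified_for(svc, SVCTYPE_CA_QC, parse_time(when))
            print(f"{svc['provider']} / {svc['service_name']} at {when}: qualified CA/QC = {ok}")
```

Real trusted lists are XML-DSig signed documents with a NextUpdate field; a production check must verify the LOTL and TL signatures and freshness before reading any entry, which this example deliberately leaves out so the status-at-time logic stays visible. The same timeline logic applies to the other qualified service types listed in the bullets by swapping the service-type URI.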

Section 2

2. Scope the qualified service and certificate evidence

A QTSP can provide more than one service, and only some services may be qualified. Scope the review to the exact certificate, timestamp, validation, preservation, registered delivery, attestation, archiving, ledger, or remote signing service that the product will consume.

For certificate-based services, review the certificate policy, certification practice statement, certificate profile, usage limits, revocation mechanism, validity information, and any qualified-certificate statements that indicate the applicable legal framework and certificate purpose. Qualified certificate diligence should distinguish electronic signature, electronic seal, and website authentication uses rather than treating all qualified certificates as interchangeable.

  • Collect the CP, CPS, terms and conditions, relying-party guidance, subscriber obligations, certificate type descriptions, and policy object identifiers that apply to the service.
  • For qualified certificates, verify that the certificate identity, issuer identity, qualified status, certificate purpose, key usage, extended key usage, QCStatements, and country/legal-framework indicators match the intended reliance model.
  • For QWACs, confirm that the certificate is a qualified certificate for website authentication and that the service scope in the trusted list covers that certificate service.
  • For revocation-sensitive workflows, test the published validity or revocation status mechanism and keep the result with the onboarding record.
  • For remote signing or managed devices, document whether the reviewed service includes management of a remote qualified electronic signature creation device or only certificate issuance.
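The QCStatements review in the bullets above, as an added example (not from the page and not any QTSP's or library's code): a minimal DER decoder for the qcStatements certificate extension (RFC 3739, extension OID 1.3.6.1.5.5.7.1.3), the ETSI EN 319 412-5 statement identifiers as I know them (QcCompliance 0.4.0.1862.1.1, QcSSCD 0.4.0.1862.1.4, QcType 0.4.0.1862.1.6 with the esign/eseal/web type OIDs), and a reliance check that flags when the declared certificate purpose does not match the intended use (QES, qualified seal, or QWAC). The sample extension bytes are constructed in the block with a tiny DER encoder rather than taken from a real certificate; in practice the bytes come from the extension value of the certificate under review.

```python
"""Decode and check the qcStatements extension of a qualified certificate.

Added example; OIDs are the ETSI EN 319 412-5 / RFC 3739 values as assumed here,
and the sample extension bytes are constructed, not from a real certificate.
"""

# --- ETSI EN 319 412-5 statement identifiers (assumed values) ---
QC_COMPLIANCE = "0.4.0.1862.1.1"   # certificate is an EU qualified certificate
QC_SSCD = "0.4.0.1862.1.4"         # private key held in a QSCD
QC_TYPE = "0.4.0.1862.1.6"         # statementInfo: SEQUENCE OF type OID
QCT_ESIGN = "0.4.0.1862.1.6.1"
QCT_ESEAL = "0.4.0.1862.1.6.2"
QCT_WEB = "0.4.0.1862.1.6.3"
INTENDED_USE_TYPE = {"qes": QCT_ESIGN, "qeseal": QCT_ESEAL, "qwac": QCT_WEB}


# --- tiny DER encoder, only used to construct the sample bytes below ---
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    body = bytearray([parts[0] * 40 + parts[1]])
    for p in parts[2:]:
        enc = bytearray([p & 0x7F])
        p >>= 7
        while p:                      # base-128, high bit set on all but the last byte
            enc.insert(0, 0x80 | (p & 0x7F))
            p >>= 7
        body += enc
    return b"\x06" + _der_len(len(body)) + bytes(body)


def der_seq(*children):
    body = b"".join(children)
    return b"\x30" + _der_len(len(body)) + body


# --- decoder ---
def _read_tlv(buf, pos):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def decode_oid(body):
    first = body[0]
    parts = [first // 40, first % 40] if first < 80 else [2, first - 80]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def parse_qc_statements(der):
    """QCStatements ::= SEQUENCE OF { statementId OID, statementInfo ANY OPTIONAL }.
    Returns [(statementId, [OIDs inside a SEQUENCE statementInfo, if any])]."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("qcStatements value must be a SEQUENCE")
    statements, pos = [], 0
    while pos < len(body):
        stag, sbody, pos = _read_tlv(body, pos)
        otag, obody, p2 = _read_tlv(sbody, 0)
        if stag != 0x30 or otag != 0x06:
            raise ValueError("malformed QCStatement")
        info_oids = []
        if p2 < len(sbody):                       # optional statementInfo present
            itag, ibody, _ = _read_tlv(sbody, p2)
            q = 0
            while itag == 0x30 and q < len(ibody):  # QcType carries SEQUENCE OF OID
                t, b, q = _read_tlv(ibody, q)
                if t == 0x06:
                    info_oids.append(decode_oid(b))
        statements.append((decode_oid(obody), info_oids))
    return statements


def check_reliance(statements, intended_use):
    """Findings that block relying on this certificate for 'qes', 'qeseal' or 'qwac'."""
    by_id = dict(statements)
    findings = []
    if QC_COMPLIANCE not in by_id:
        findings.append("missing QcCompliance: certificate does not declare EU qualified status")
    types = by_id.get(QC_TYPE, [])
    if INTENDED_USE_TYPE[intended_use] not in types:
        findings.append(f"QcType {types or 'absent'} does not cover intended use '{intended_use}'")
    if intended_use in ("qes", "qeseal") and QC_SSCD not in by_id:
        findings.append("missing QcSSCD: key not declared to be in a QSCD, so only AdES with a "
                        "qualified certificate, not a qualified signature/seal, can be claimed")
    return findings


# Constructed sample extension values (not real certificates).
SAMPLE_QWAC_QCSTATEMENTS = der_seq(
    der_seq(der_oid(QC_COMPLIANCE)),
    der_seq(der_oid(QC_TYPE), der_seq(der_oid(QCT_WEB))))
SAMPLE_QES_QCSTATEMENTS = der_seq(
    der_seq(der_oid(QC_COMPLIANCE)),
    der_seq(der_oid(QC_SSCD)),
    der_seq(der_oid(QC_TYPE), der_seq(der_oid(QCT_ESIGN))))

if __name__ == "__main__":
    for label, raw in (("QWAC sample", SAMPLE_QWAC_QCSTATEMENTS), ("QES sample", SAMPLE_QES_QCSTATEMENTS)):
        parsed = parse_qc_statements(raw)
        for use in INTENDED_USE_TYPE:
            print(label, "as", use, "->", check_reliance(parsed, use) or "consistent")
```

The point of the check is the one the bullets make: a certificate that decodes as a qualified website-authentication certificate is not evidence for a qualified signature, and a qualified signature certificate without QcSSCD supports AdES with a qualified certificate rather than QES. Key usage, extended key usage, and the trusted-list scope still have to be checked alongside this, since QCStatements only declare what the issuer asserts.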

Section 3

3. Review supervision, audits, security controls, and change triggers

The operational diligence should connect provider claims to supervisory and conformity-assessment evidence. eIDAS requires qualified trust service providers to be audited by a conformity assessment body at least every 24 months and to submit the resulting conformity assessment report to the supervisory body within three working days of receipt.

The monitoring plan should also cover changes in the qualified service, planned cessation, security incidents, supply-chain dependencies, and termination arrangements. If the provider changes the service, loses qualified status for the provider or affected service, changes the trusted-list status, or announces cessation, reopen the review before further reliance.

  • Ask for evidence of the latest conformity assessment cycle, the scope of services assessed, the conformity assessment body, and whether any open remediation affects the service you rely on.
  • Confirm that the provider knows which supervisory body is responsible and can explain how supervisory decisions update the trusted list.
  • Check the provider's information security policy, risk assessment approval, incident response process, monitoring and logging, business continuity controls, and post-incident review process.
  • Review the termination plan because eIDAS and ETSI requirements expect continuity of information needed to verify trust-service correctness after cessation.
  • For outsourced or cloud-supported service components, retain the provider's supply-chain control summary, relevant service-level commitments, and assurance that the QTSP remains responsible for its service.

Section 4

4. Evidence to retain for QTSP selection and ongoing monitoring

Keep the record useful for a later customer question, audit, dispute, incident, or migration. The evidence should show why the provider and exact qualified service were acceptable at onboarding and what would trigger a new review.

For ongoing monitoring, separate static onboarding evidence from time-sensitive status evidence. Trusted-list status, service scope, revocation availability, incident posture, and material provider changes can change after the initial selection.

  • Provider and service identity: legal name, country, supervisory body, trusted-list entry, service type identifier, service name, service digital identity, current status, status start time, and relevant history.
  • Certificate evidence: sample certificates, chain-validation result, policy identifiers, CP/CPS links, QCStatements review, key-usage review, QWAC or signature/seal purpose review, and revocation or validity-status test result.
  • Policy evidence: terms and conditions, relying-party obligations, subscriber obligations, permitted uses, usage limits, revocation request route, incident contact, and support or escalation terms.
  • Assurance evidence: conformity assessment scope, audit date or cycle evidence when available, remediation notes that affect the relied-on service, security and continuity summaries, supply-chain assurance, and termination-plan confirmation.
  • Monitoring triggers: trusted-list status change, certificate-policy change, service-scope change, supervisory notice, provider incident, revocation/OCSP/CRL availability failure, planned cessation, material outsourcing change, or product use-case change.
Primary sources

References and citations

  • enisa.europa.eu: supports the supervision lens for qualified trust services and the relationship between supervisory authorities, QTSPs, and conformity assessment. Quoted passage: "guidelines on supervision of qualified trust service providers pursuant to Art.20".
  • etsi.org: supports retaining operational assurance evidence for risk assessment, incident handling, collection of evidence, termination planning, compliance, and supplier controls. Quoted passage: "Collection of evidence".
  • etsi.org: supports retaining certificate policy, CPS, relying-party status-checking obligations, revocation route, audit, and trusted-list link evidence. Quoted passage: "Information on how to validate the certificate".
  • etsi.org: supports checking QCStatements that declare EU qualified-certificate status, certificate purpose, legal framework, and related qualified-certificate attributes. Quoted passage: "The qcStatements certificate extension can contain any statement by the certificate issuer".
  • etsi.org: supports retaining trusted-list status and history evidence because the list is used to determine service status at the time of reliance. Quoted passage: "at a given time in the past".
  • eur-lex.europa.eu: Article 20 supports review of periodic audits, supervisory-body audits, remediation, withdrawal of qualified status, and trusted-list updates. Quoted passage: "audited at their own expense at least every 24 months".