Selection ChecklistEU eIDAS

EU eIDAS qualified trust services and QTSP selection

Select a qualified trust service provider by matching the needed eIDAS service type, confirming that the provider and service have qualified status in the relevant trusted list, and retaining the evidence that supports relying-party use.

Use this page for procurement, product, security, legal, and relying-party teams evaluating qualified certificates, signatures, seals, timestamps, registered delivery, website authentication, attestations, archiving, or ledger services.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
12

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

A QTSP selection record should prove three things: the requested service is a qualified trust service under eIDAS, the named provider and service appear with qualified status in the applicable EU Member State trusted list, and the technical and contractual evidence is sufficient for relying parties to validate the service later. Treat marketing claims, certificates, and audit reports as supporting evidence, not substitutes for trusted-list status.

Section 1

Classify the qualified trust service before shortlisting providers

Start with the exact trust-service function, because eIDAS distinguishes the provider from the qualified service it provides. A provider may be qualified for one service and not for another, and a certificate-issuing service may need further qualification for electronic signatures, electronic seals, or website authentication.

The consolidated eIDAS definition of trust service covers certificate issuance and validation, signature or seal creation and validation, preservation, remote signature or seal creation-device management, electronic attestations of attributes, timestamps, registered delivery, electronic archiving, and electronic ledgers. Selection should therefore begin with a service-type statement, not a generic supplier category.

  • Name the output needed by the product or workflow: qualified certificate for electronic signature, qualified certificate for electronic seal, qualified certificate for website authentication, qualified timestamp, qualified registered delivery, qualified electronic attestation of attributes, qualified archiving, qualified ledger, preservation, validation, or remote QSCD management.
  • Identify whether the service uses PKI public-key technology and, for certificate services, whether it is for electronic signatures, electronic seals, website authentication, or another listed certificate purpose.
  • Separate qualified-service reliance from non-qualified trust services and nationally defined services; non-qualified or national entries may appear in trusted lists but must not be treated as eIDAS qualified status unless the trusted-list entry says so.
  • For QWAC procurement, check that the certificate is issued by a QTSP and meets the Annex IV profile for website authentication rather than relying only on ordinary TLS certificate issuance.
Sources for this answer
Regulation (EU) No 910/2014 (consolidated eIDAS text)
Defines trust services, qualified trust services, trust service providers, and qualified trust service providers.
ETSI TS 119 612 trusted lists
Specifies trusted-list service type identifiers, including qualified eIDAS service types and certificate-service qualifiers.
ETSI EN 319 412-5 QCStatements
Maps qualified certificate statements to eIDAS Annex I, Annex III, and Annex IV certificate requirements.
Section 2

Verify QTSP status in the EU trusted lists

Qualified status is not established by a sales deck or by a certificate chain alone. Under eIDAS, Member States maintain trusted lists with information on the qualified trust service providers they supervise and the qualified trust services those providers offer.

A relying team should validate the Member State trusted list through the Commission's List of Trusted Lists or a trusted-list browser, then record the service entry, service status, status start time, service digital identity, service supply points, and any service history that affects reliance.

  • Confirm that the provider name, country, and service entry match the legal entity and service being purchased.
  • Confirm that the current service status is granted or otherwise qualified for the exact service type; do not rely on a provider-level name match when the service entry is withdrawn, ceased, or for another service.
  • For certificate services, retain the trusted-list qualifier showing whether the certificate set is for electronic signatures, electronic seals, or website authentication.
  • Keep the trusted-list retrieval date, LOTL or trusted-list source, service digital identity, status history consulted, and validation tool or procedure used.
Sources for this answer
Regulation (EU) No 910/2014 Article 22
Requires Member States to establish, maintain, and publish trusted lists for their qualified trust service providers and services.
Commission Implementing Decision (EU) 2015/1505
Lays down technical specifications and formats for eIDAS trusted lists and explains their role in identifying qualified status.
ETSI trust service provider portal
Explains that EU trusted lists are used to determine the qualified status and status history of trust service providers and services.
Section 3

Review supervision, conformity, and operational controls

A QTSP selection pack should include evidence that the provider can remain qualified, not only that it was once listed. eIDAS requires periodic conformity assessment for QTSPs, gives supervisory bodies powers to audit or request conformity assessment, and links non-remedied failures to withdrawal of qualified status for the provider or affected service.

For provider due diligence, ask for current conformity-assessment evidence, the certificate policy and certification practice statement where certificates are involved, the PKI disclosure statement or terms and conditions, security and incident-notification process, termination plan, and certificate-status service design.

  • Check whether the conformity assessment covers the provider and the specific qualified service, not only the provider's general security program.
  • Request the certificate policy, certification practice statement, and PKI disclosure statement for qualified certificate services, including clear statements about EU qualified certificates and any QSCD dependency.
  • Confirm that revocation and validity-status services support relying-party validation, including certificate database maintenance and automated per-certificate status information where qualified certificates are issued.
  • Check the termination plan and continuity arrangements, because eIDAS requires retained information to remain accessible even after QTSP activities cease.
Sources for this answer
Regulation (EU) No 910/2014 Articles 20, 21, and 24
Sets supervision, initiation, conformity assessment, trusted-list update, and QTSP operational requirements.
ETSI EN 319 411-1 certificate policy requirements
Specifies policy and security requirements for TSPs issuing public key certificates, including certificate lifecycle, CPS, CP, revocation, archival, and operational controls.
ETSI EN 319 411-2 EU qualified certificate requirements
Maps eIDAS Article 24 requirements to EU qualified certificate policy controls, including identity verification, terms, records, termination, certificate databases, and revocation status.
Section 4

Evidence to retain for relying-party and audit review

The retained evidence should let a later reviewer reconstruct why the service was treated as qualified at the time of use. This matters for signatures, seals, timestamps, registered delivery, QWACs, and attestations where the legal or evidential value depends on the qualified service and its validation context.

Keep evidence at the level of the transaction or certificate where reliance occurs, not only in procurement. A supplier file that proves selection is useful, but relying-party validation needs the certificate, signature or seal validation result, timestamp or delivery evidence, trusted-list status, revocation status, and policy references used at the relevant validation time.

  • Selection record: service need, selected eIDAS service type, provider legal name, Member State, trusted-list entry, service status, and status-history checks.
  • Policy record: CP, CPS, PKI disclosure statement or terms, applicable certificate-policy OIDs or QCStatements, permitted use limits, and QSCD or remote QSCD statements where relevant.
  • Validation record: certificate chain, signature or seal validation report, timestamp token or registered-delivery evidence, revocation status source, validation time, and the trusted-list or LOTL version used.
  • Supervision record: conformity assessment reference, audit or supervisory evidence supplied by the provider, incident-notification route, termination-plan evidence, and owner for monitoring trusted-list status changes.
  • Retention record: location, retention owner, retention period source, and fallback retrieval process if the QTSP ceases the service or transfers it.
Sources for this answer
Regulation (EU) No 910/2014 Article 24
Requires QTSPs to record and keep accessible relevant issued and received data for legal evidence and continuity purposes.
ETSI EN 319 412-5 QCStatements
Describes QCStatements for qualified certificates, including retention-period and PKI disclosure statement locations.
European Commission DSS documentation
Provides Commission eSignature resources, including trusted-list tooling and validation support used by relying parties.
Section 5

QTSP selection checklist

Use this checklist before approving a QTSP for production or relying-party use. Each item should produce a stored record that can be rechecked when the product changes, the service is renewed, or the trusted-list status changes.

Escalate selection if the service is cross-border, combines qualified and non-qualified services, uses remote signing or sealing, depends on a QWAC in browser-facing flows, or supports evidence that may need to survive certificate expiry.

Is a provider a QTSP just because it issues certificates?

No. Under eIDAS, a QTSP is a trust service provider that provides one or more qualified trust services and has been granted qualified status by the supervisory body. For selection, verify the exact provider and service in the applicable trusted list.

What is the most important evidence for EU eIDAS QTSP selection?

The core evidence is the trusted-list entry for the exact qualified service, supported by the service status, service digital identity, status history, certificate policy or CPS, PKI disclosure or terms, revocation and validation records, and conformity or supervision evidence.

  • Service type confirmed: the required eIDAS qualified service is named and matches the business process.
  • Trusted list verified: provider, Member State, service type, service digital identity, current status, and status history are recorded from the relevant trusted list or LOTL-backed tool.
  • Policy evidence reviewed: CP, CPS, PDS or terms, qualified certificate profile, QCStatements, permitted uses, limitations, and status-service endpoints are retained.
  • Supervision evidence reviewed: conformity assessment coverage, audit timing, supervisory status, termination plan, and incident route are documented.
  • Relying-party validation tested: signature, seal, timestamp, registered-delivery, QWAC, attestation, archiving, or ledger validation can be reproduced with retained trusted-list and revocation evidence.
  • Monitoring assigned: one owner monitors trusted-list and service-status changes, and one owner maintains retained evidence for certificates, transactions, and supplier due diligence.
Sources for this answer
Regulation (EU) No 910/2014 Articles 20-24
Supports the checklist items on qualified status, supervision, trusted lists, EU trust mark, and QTSP operational requirements.
ETSI TS 119 612 trusted lists
Supports the checklist items for service type identifiers, service digital identity, status values, and trusted-list history.
ETSI EN 319 411-2 EU qualified certificate requirements
Supports the certificate-service due-diligence items on qualified certificate policy controls and Article 24 mapping.
Recommended next step

Build a trusted-list-backed QTSP selection record

Sorena can help convert this checklist into provider due diligence, trusted-list validation, policy evidence, and retained relying-party records for EU eIDAS qualified trust service use.

Research workflow
Open Research Copilot for EU eIDAS

Ask source-linked questions about QTSP status, qualified service types, trusted lists, and certificate-policy evidence using the cited sources on this page.

Explore next step
Talk to Sorena
Review EU eIDAS QTSP selection evidence

Check whether a provider shortlist, trusted-list validation record, and retained evidence set supports the qualified trust service being used.

Explore next step
Primary sources

References and citations

Commission Implementing Decision (EU) 2015/1505
eur-lex.europa.eu
Referenced sections
  • Lays down technical specifications and formats for eIDAS trusted lists and explains their role in identifying qualified status.
"trusted lists are essential"
ETSI EN 319 411-1 certificate policy requirements
etsi.org
Referenced sections
  • Specifies policy and security requirements for TSPs issuing public key certificates, including certificate lifecycle, CPS, CP, revocation, archival, and operational controls.
"issuance, maintenance and life-cycle management of certificates"
ETSI EN 319 412-5 QCStatements
etsi.org
Referenced sections
  • Describes QCStatements for qualified certificates, including retention-period and PKI disclosure statement locations.
"retention period for material information"
ETSI trust service provider portal
portal.etsi.org
Referenced sections
  • Explains that EU trusted lists are used to determine the qualified status and status history of trust service providers and services.
"qualified only if it appears in the trusted lists"
ETSI TS 119 612 trusted lists
etsi.org
Referenced sections
  • Supports the checklist items for service type identifiers, service digital identity, status values, and trusted-list history.
"Service type identifier"
European Commission DSS documentation
ec.europa.eu
Referenced sections
  • Provides Commission eSignature resources, including trusted-list tooling and validation support used by relying parties.
"searching for qualified Trust Service Providers in Europe"
Regulation (EU) No 910/2014 Article 22
eur-lex.europa.eu
Referenced sections
  • Requires Member States to establish, maintain, and publish trusted lists for their qualified trust service providers and services.
"Each Member State shall establish, maintain and publish trusted lists"
Regulation (EU) No 910/2014 Article 24
eur-lex.europa.eu
Referenced sections
  • Requires QTSPs to record and keep accessible relevant issued and received data for legal evidence and continuity purposes.
"for the purpose of providing evidence in legal proceedings"
Regulation (EU) No 910/2014 Articles 20-24
eur-lex.europa.eu
Referenced sections
  • Supports the checklist items on qualified status, supervision, trusted lists, EU trust mark, and QTSP operational requirements.
"qualified status has been indicated in the trusted list"
Related guides

Explore more topics

eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services
Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes
Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks
Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties
Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties
Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
eIDAS electronic signatures: SES, AES, QES legal effect and evidence
A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
eIDAS penalties and fines for trust service providers
Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
eIDAS QES validation checks for relying parties
How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
eIDAS remote signature and cloud HSM controls for QTSPs
Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
eIDAS signature legal effect selector: SES, AES, AES-QC, or QES
Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer
Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
eIDAS trusted list validation: LOTL, QTSP status, and evidence
How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws
Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements
Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations
Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations
Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation
Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates
A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks
What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
EU eIDAS checklist for signatures, trust services, and wallets
Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation
FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
EU eIDAS QTSP authorization and supervision guide
How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence
Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence
Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence
How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
EUDI Wallet readiness for service providers under eIDAS
Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
EUDI Wallet Relying Parties under eIDAS
What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
EUDI Wallet Relying Party Onboarding Workflow under eIDAS
A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
EUDI Wallet Relying Party Registration Under eIDAS
What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
EUDI Wallet Technical Architecture Guide under eIDAS
Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence
Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
QWACs under eIDAS: website authentication certificates
A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs
A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
What is a qualified trust service provider under eIDAS?
How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
What is a QWAC under the EU eIDAS Regulation?
Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.