WorkflowEU

eIDAS trust service role scoping workflow

Use this workflow to classify whether an organization is acting as a trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, general relying party, or customer of a QTSP.

The workflow starts with the service actually provided, checks whether qualified status is claimed or listed, and separates organizations that rely on a trust service from those that provide one.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

eIDAS role scoping is easy to get wrong because the same product journey can include several actors: a QTSP issuing a qualified certificate, a software product validating a signature, a business relying on the result, and a customer buying the service. This workflow classifies the role from observable evidence instead of job titles or vendor labels.

Section 1

Start with what the organization does in the transaction

Classify the role by the activity performed for another party. Under eIDAS, a trust service includes services such as issuing or validating certificates, creating or validating electronic signatures or seals, preserving signatures or seals, managing remote signature or seal creation devices, issuing or validating electronic attestations of attributes, timestamping, registered delivery, electronic archiving, and electronic ledgers.

A relying party is different: it relies on electronic identification, an EUDI Wallet, another electronic identification means, or a trust service. A relying party may be a bank, platform, employer, public body, marketplace, or internal business unit that consumes identity, attestation, certificate, signature, seal, or validation results.

  • Classify as a trust service provider when the organization provides one or more trust services as a service, whether qualified or non-qualified.
  • Classify as a general relying party when the organization consumes an eID, wallet presentation, certificate, signature, seal, attestation, timestamp, delivery proof, or validation result to make a business or legal decision.
  • Classify as a QTSP customer when the organization contracts with a qualified trust service provider but does not itself provide the qualified trust service to others.
  • Escalate mixed cases: a platform can be a relying party for customer onboarding and also a trust service provider if it separately offers validation, timestamping, certificate, seal, preservation, or registered delivery services to customers.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Defines relying party and the original eIDAS trust-service framework for electronic identification and trust services.
Regulation (EU) 2024/1183 establishing the European Digital Identity Framework
Updates eIDAS for EUDI Wallets and expands the list of trust-service activities used in this role classification.
Section 2

Decide whether the organization is a TSP or QTSP

A trust service provider is the actor that provides one or more trust services. A qualified trust service provider is narrower: it provides one or more qualified trust services and has been granted qualified status by the supervisory body.

Do not treat marketing language, a procurement checklist, or use of a QTSP supplier as proof of qualified status. eIDAS ties qualified status to supervisory verification and trusted-list indication. A provider may begin providing the qualified trust service only after qualified status is indicated in the trusted lists.

  • TSP evidence: service description, customer terms, APIs, certificates, validation outputs, timestamping outputs, registered delivery proofs, preservation records, attestation issuance, or other trust-service outputs provided to another party.
  • QTSP evidence: supervisory-body grant of qualified status, the specific qualified service listed in the relevant trusted list, and website use of the EU trust mark with a link to the relevant trusted list when the mark is used.
  • Not enough for QTSP status: using a QTSP as a vendor, reselling a QTSP-backed workflow without providing the qualified trust service, or validating a document only for internal reliance.
  • Reopen the classification when the organization adds a new trust-service feature, changes from internal validation to customer-facing validation, claims qualified status, changes QTSP supplier, or changes the listed service type.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Defines trust service provider and qualified trust service provider, and sets the qualified-status and trusted-list mechanics.
ETSI - Certification Authorities and other Trust Service Providers
Explains that EU trusted lists identify qualified trust service providers and their qualified trust services, and that users rely on trusted-list status for qualified-service legal effect.
Section 3

Separate validation service, validation software, and relying-party validation

Signature or seal validation is not one role. The organization may provide a qualified validation service, provide non-qualified validation software or API services, or only validate a signature or seal for its own reliance.

For qualified electronic signatures, eIDAS validation checks include whether the supporting certificate was qualified and issued by a QTSP, whether it was valid at signing time, whether signature validation data corresponds to the relying-party data, whether the signatory data and any pseudonym indication are correctly provided, whether the signature was created by a qualified creation device, and whether signed-data integrity is intact.

  • Classify as a qualified validation service provider only when the validation service is provided by a QTSP and returns validation results in the manner required for qualified validation services.
  • Classify as a non-qualified trust service provider when the organization offers validation of signatures, seals, certificates, timestamps, attestations, or delivery evidence as a service but does not hold qualified status for that service.
  • Classify as a relying party when the organization only checks a signature, seal, certificate, attestation, or validation report to decide whether to accept a transaction.
  • Keep evidence of the validation policy, the certificate path and trust-list checks used, the validation result delivered to the relying party, and the reason the activity is internal reliance or customer-facing service provision.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Sets requirements for validating qualified electronic signatures and for qualified validation services.
ETSI TS 119 612 trusted lists
Describes how trusted-list information can be used as trust-anchor input in certificate path and signature validation.
Section 4

Classify EUDI Wallet relying-party activity separately

A wallet relying party is an organization that intends to rely on EUDI Wallets to provide public or private services by digital interaction. eIDAS Article 5b requires that relying party to register in the Member State where it is established and provide registration information, contact details, and the intended wallet use including the data it will request from users.

This role is separate from QTSP status. A wallet relying party requests or verifies wallet-presented data; it is not automatically a QTSP, a wallet provider, a PID provider, or an attestation provider.

  • Wallet relying-party evidence: service journey uses an EUDI Wallet, the organization requests wallet data from users, and the requested attributes are tied to the stated use case.
  • Registration evidence: Member State of establishment, official name or registration number, contact details, intended wallet use, and data requested from users.
  • Operational evidence: user-facing identification of the relying party, authentication and validation procedures for PID or EAA data, and controls preventing requests for data beyond the registered purpose.
  • Privacy and risk evidence: how the organization limits requested attributes, handles pseudonyms where identification is not legally required, and discards unique attestation elements when no longer needed for the relying-party purpose.
Sources for this answer
Regulation (EU) 2024/1183 establishing the European Digital Identity Framework
Introduces EUDI Wallet relying-party registration requirements in Article 5b.
European Commission - Wallet for service providers
Explains service-provider wallet use, registration information, wallet data requests, and operational obligations for requesting data from wallet users.
European Commission - EUDI Wallet Architecture and Reference Framework
Describes EUDI Wallet ecosystem roles, relying-party registration certificates, attribute-request checks, and privacy risks such as relying-party linkability.
Section 5

Use this output record before assigning obligations

The workflow output should be a role-scoping record that separates each transaction role before assigning controls, contracts, or regulatory owners. One legal entity can have more than one row if it performs different activities in different products or countries.

Keep the record specific enough that a reviewer can see why the organization is a provider, qualified provider, relying party, wallet relying party, validator, or QTSP customer without reading internal project history.

  • Activity: the exact service, API, workflow, or transaction step being classified.
  • Counterparty: user, customer, relying party, QTSP, wallet provider, attestation provider, PID provider, supervisory body, or internal business unit.
  • Role finding: TSP, QTSP, qualified validation service provider, non-qualified validation provider, general relying party, wallet relying party, or QTSP customer.
  • Evidence: trusted-list entry, supervisory status, contract with QTSP, validation report, wallet registration information, service terms, user journey, certificate or attestation type, and validation policy.
  • Boundary note: why adjacent roles do not apply, such as using a QTSP supplier without providing the qualified service, or validating internally without offering validation as a service.
  • Reassessment trigger: new customer-facing trust-service feature, qualified-status claim, trusted-list status change, wallet data request change, new country of establishment, or supplier change affecting the trust-service chain.
Sources for this answer
Regulation (EU) No 910/2014 (eIDAS)
Supports the role distinctions between relying party, trust service provider, qualified trust service provider, trusted-list status, and validation services.
Regulation (EU) 2024/1183 establishing the European Digital Identity Framework
Supports EUDI Wallet role scoping, including relying-party registration and wallet-related trust-service extensions.
ETSI - Certification Authorities and other Trust Service Providers
Supports the evidence requirement to check trusted lists and service status rather than relying only on provider claims.
Recommended next step

Turn the role finding into an evidence-backed eIDAS work record

Sorena can help turn this role-scoping workflow into a sourced record that separates provider, QTSP, validator, relying-party, wallet relying-party, and QTSP-customer obligations for a specific product or supplier chain.

Research workflow
Open Research Copilot for eIDAS

Ask sourced questions about trust-service roles, QTSP status, trusted lists, EUDI Wallet relying-party registration, and signature-validation evidence.

Explore next step
Talk to Sorena
Talk through implementation

Review a product, vendor, or wallet journey and classify the eIDAS roles before assigning controls or customer commitments.

Explore next step
Primary sources

References and citations

ETSI TS 119 612 trusted lists
etsi.org
Referenced sections
  • Describes how trusted-list information can be used as trust-anchor input in certificate path and signature validation.
"Trusted Lists"
European Commission - Wallet for service providers
ec.europa.eu
Referenced sections
  • Explains service-provider wallet use, registration information, wallet data requests, and operational obligations for requesting data from wallet users.
"request data from an EU Digital Identity Wallet"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Supports the role distinctions between relying party, trust service provider, qualified trust service provider, trusted-list status, and validation services.
"trust service provider"
Related guides

Explore more topics

eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services
Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes
Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks
Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties
Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties
Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
eIDAS electronic signatures: SES, AES, QES legal effect and evidence
A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
eIDAS penalties and fines for trust service providers
Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
eIDAS QES validation checks for relying parties
How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
eIDAS Qualified Trust Services: QTSP Selection
How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
eIDAS remote signature and cloud HSM controls for QTSPs
Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
eIDAS signature legal effect selector: SES, AES, AES-QC, or QES
Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
eIDAS trusted list validation: LOTL, QTSP status, and evidence
How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws
Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements
Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations
Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations
Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation
Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates
A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks
What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
EU eIDAS checklist for signatures, trust services, and wallets
Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation
FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
EU eIDAS QTSP authorization and supervision guide
How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence
Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence
Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence
How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
EUDI Wallet readiness for service providers under eIDAS
Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
EUDI Wallet Relying Parties under eIDAS
What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
EUDI Wallet Relying Party Onboarding Workflow under eIDAS
A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
EUDI Wallet Relying Party Registration Under eIDAS
What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
EUDI Wallet Technical Architecture Guide under eIDAS
Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence
Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
QWACs under eIDAS: website authentication certificates
A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs
A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
What is a qualified trust service provider under eIDAS?
How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
What is a QWAC under the EU eIDAS Regulation?
Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.