New Obligations for Non-Qualified Trust Service Providers (TSPs)

Obserwatorium biz » articles

New Obligations for Non-Qualified Trust Service Providers (TSPs)

The European Commission has published an implementing regulation that, for the first time, introduces mandatory and detailed security requirements for non-qualified TSPs. This marks a significant shift for the entire trust services market.

The regulation refers to key sections of ETSI EN 319 401 V3.1.1, which cover, among others:

  • risk management
  • security policies and practices
  • clearly defined security roles and responsibilities (including “trusted roles”)
  • access control
  • asset classification
  • physical and environmental security

What does this mean in practice? 
 
Non-qualified Trust Service Providers — i.e. companies that offer trust services (such as electronic signatures, electronic seals, time-stamps or signature validation services) but do not hold the qualified status granted by the national supervisory authority – must now:

  • implement the requirements stemming from ETSI EN 319 401
  • assess compliance with their current service delivery policies
  • and prepare and implement new processes, procedures, and policies

This is another step towards raising the security standards across the entire trust services infrastructure.

As Obserwatorium.biz, we support organisations in the trust services and eID ecosystem in adapting to such regulatory requirements. If your organisation is affected, feel free to reach out: https://obserwatorium.biz/en/kontakt/  

 

Publication date: 02.12.2025