16 Oct Obligations We Audit for All Trust Service Providers
The requirements and obligations of trust service providers are governed by the eIDAS Regulation, which establishes obligations that apply to providers depending on whether they offer qualified or non-qualified trust services.
Common Obligations We Audit for All Trust Service Providers
In our audits and advisory services, we must always consider some of the common audit points for all trust service providers, including:
Compliance with GDPR and the use of pseudonyms:
– Verify that the provider complies with the General Data Protection Regulation (GDPR) regarding the processing of personal data.
– Assess whether pseudonyms are used to protect the identity of users and how they are managed.
– Ensure that the personal data breach notification obligations of the GDPR (Articles 33 and 34) are met.
Accessibility of the service for persons with disabilities:
– Evaluate whether the provider complies with the accessibility requirements set out in Royal Legislative Decree 1/2013 of November 29th.
– Verify that the service is accessible to individuals with visual, auditory, or other types of disabilities and that web accessibility guidelines are followed.
Notification of incidents and security measures:
– Ensure that the provider takes appropriate technical and organisational measures to manage the risks to the security of its services (Article 19.1 of the eIDAS Regulation) and has robust procedures for notifying the supervisory body and, where applicable, affected persons of security breaches without undue delay and within 24 hours of becoming aware of them (Article 19.2).
– Evaluate whether the technical standards ETSI EN 319 401, EN 319 411 and EN 319 421 are followed to ensure the security of the electronic trust services.
Accurate and truthful disclosure as per Article 9.1.a) of the LSEC (Spanish Law 6/2020 on electronic trust services):
– Confirm that the provider publishes truthful and accurate information about its services, pricing, and policies.
– Ensure that transparency and clarity requirements are met in the information provided to users.
Non-storage of key copies except when acting on behalf of the certificate holder:
– Assess whether the provider complies with the prohibition on storing or copying users' signature-creation data (private keys), except when it manages those keys on behalf of the certificate holder.
– Verify that proper cryptographic key management procedures are followed, including secure key generation, confidentiality of private keys and, where keys are managed on the holder's behalf, their protection in a suitably certified secure device with access control and audit logging.
In addition, the specific obligations of qualified trust service providers must be considered:
Informing the supervisory body of any change in service provision, in accordance with Article 24.2.a of eIDAS:
– Verify that the provider complies with the requirement of Article 24.2.a of eIDAS to inform the supervisory body of any change in the provision of its qualified trust services.
– Evaluate the effectiveness of the processes and procedures established for timely and accurate notification of service changes.
Requirements for personnel and subcontractors in accordance with Article 24.2.b of the eIDAS Regulation, including training plans in line with standards such as ISO/IEC 27002, ETSI EN 319 401 and ETSI EN 319 411-1:
– Review the qualifications and competencies of the provider's personnel and subcontractors, ensuring that they possess the expertise, reliability, experience and qualifications required by Article 24.2.b of eIDAS.
– Assess the presence of training plans in line with relevant standards such as ISO/IEC 27002 and ETSI EN 319 401, to ensure that personnel are adequately trained in information security and personal data protection rules.
Solvency requirements of the service provider in accordance with Article 24.2.c of eIDAS:
– Verify that the provider complies with Article 24.2.c of eIDAS, which requires it to maintain sufficient financial resources and/or appropriate liability insurance to cover the risk of liability for damages and to offer electronic trust services sustainably.
– Evaluate the provider's financial policies and its capacity to fulfil its commitments.
Clear and truthful information to potential service clients in accordance with Article 24.2.d of eIDAS:
– Confirm that, before entering into a contractual relationship, the provider informs anyone seeking to use its qualified trust services, clearly and comprehensively, of the precise terms and conditions of use, including any limitations on use, as required by Article 24.2.d of eIDAS.
– Review the content of the information provided, including terms and conditions, pricing, service descriptions and user requirements.
Use of trustworthy systems and controls against forgery and data theft according to Articles 19.1, 24.2.e and 24.2.g of eIDAS:
– Evaluate the use of trustworthy systems and products, protected against modification, for the provision of electronic trust services, including the technical and organisational security controls that support them.
– Ensure that measures against forgery and theft of data are implemented, in compliance with Articles 19.1 and 24.2.g of eIDAS.
Use of asymmetric or symmetric cryptography:
– Assess the cryptographic algorithms, key lengths and key-management practices used in the provision of electronic trust services and ensure they are suitable for maintaining the confidentiality and integrity of data and, for signatures and seals, non-repudiation.
– Verify that the algorithms and parameters comply with recognised cryptographic standards, such as the cryptographic suites of ETSI TS 119 312, and that deprecated algorithms or key sizes are not in use.
Information retention policies in accordance with Article 24.2.h of eIDAS and Law 42/2015 of October 5th reforming the Civil Procedure Act (LEC):
– Examine the information retention policies to ensure that all relevant information concerning data issued and received is recorded and kept accessible for an appropriate period, including after the provider ceases its activities, in particular so that it can be produced as evidence in legal proceedings, as required by Article 24.2.h of eIDAS and Law 42/2015.
– Ensure that information is retained for the necessary period and is securely deleted when no longer required.
Notification of service cessation in accordance with Article 24.2.a and Article 24.2.i of eIDAS, and other applicable rules:
– Evaluate the procedures and policies for notifying the intention to cease services to the supervisory body (Article 24.2.a) and the existence of an up-to-date termination plan to ensure continuity of service (Article 24.2.i), together with any other applicable regulations.
– Confirm that relevant parties are notified in good time and that the established procedures are followed to ensure a smooth transition.
In conclusion, becoming a trust service provider, whether qualified or not, requires a legal and technical team to provide advice and conduct audits so that the requirements applicable to the type of service offered are met. Count on our legal and technical team for this purpose, and feel free to contact us without any obligation. We will provide guidance and recommend the best way to achieve your goal.
proveedordeconfianza@luisvilanova.es