European Union Agency for Network and Information Security eIDAS : One year after entry into force ENISA Studies on Standards for TSPs Dr. Nikolouzou Evgenia ETSI Security Week 2017 | Sophia Antipolis | June 13, 2017


Page 1: eIDAS : One year after entry into force ENISA Studies on ......Day: 29th June 2017 Place: Berlaymont building, EC premises, Brussels Register: . eu/events/tsp-forum-2017 ENISA Studies

European Union Agency for Network and Information Security

eIDAS: One year after entry into force

ENISA Studies on Standards for TSPs

Dr. Nikolouzou Evgenia

ETSI Security Week 2017 | Sophia Antipolis | June 13, 2017

Page 2:

ENISA Studies on Standards for TSPs | E. Nikolouzou

ENISA and eIDAS in a nutshell

Trust Services

Studies

Qualified Website Authentication Certificates

Mapping of requirements to existing standards

Guidelines for Trust Service Providers

Security Framework

Guidelines for TSPs based on standards

Auditing Framework

Relying Parties

Initiation

Supervision

Termination

Incident Reporting

Article 19 Expert Group

CIRAS – T

Reporting Tool

Trust Services Forum

Page 3:

• Security framework for TSPs

• Risk assessment for TSPs

• Mitigating the impact of security incidents in TSPs

• Auditing framework for TSPs

• Guidelines for TSPs based on standards

• Security Framework for TSPs

• Auditing framework for TSPs

• Initiation/Supervision/Termination of Trust Service Provision

Series of Guidelines on Trust Services (1/2)

Periods shown on the slide: 2013–2014 and 2016–2017

Page 4:

Recommendations for TSPs based on standards

• Produce guidelines fulfilling requirements from articles of eIDAS Regulation with no mandatory implementing acts

• Analysis of Requirements deriving from each article

Security Framework

• Risk Assessment

• Mitigate impact of security incidents

Auditing Framework

• Audit methodology and recommendations regarding TSPs documentation and organization

Series of Guidelines on Trust Services (2/2)

Page 5:

• Procedural aspects for the initiation of a qualified trust service

- Guidelines for Supervisory Bodies

- Guidelines for TSPs

• Procedural aspects for the supervision of a qualified trust service

- Determining appropriate supervisory activities

- Life-cycle management of qualified status

- Dealing with non-compliance and withdrawing the qualified status

- Reporting of supervisory activities

- Collaboration of European Supervisory Authorities

• Procedural aspects for the termination of a qualified trust service

- Procedures and formats for the termination and supervision of the termination of a qualified trust service

Guidelines on the initiation / supervision / termination of Trust Services


Page 6:

Overview of the QTSP/QTS life cycle management

Page 7:

How to validate QWACs and indicate/visualize that a web site is using a QWAC

Supporting QWACs verification through browser plugins

Preliminary Findings

                                           Native messaging   Online validation

Extension requirements

[R1] Validation of QWACs                   +                  +

[R2] Facilitate user recognition of QWACs  +                  +

[R3] Easy installation                     +/-                +

[R4] Universal applicability               +/-                +

Development considerations

Ease/cost of development                   +                  +

Requires cooperation of browser vendors    +/-                +

Access to browser SSL/TLS information      -                  -

Expected maintenance                       +                  +/-

Sensitivity to cyber attacks               +                  -

Page 8:

Survey: Preliminary results for SBs & CABs

Do you see standardization or regulatory gaps when auditing QTSPs?

Standards for qualified electronic delivery services, validation services, preservation services are missing

1. Need to clarify the accreditation process through implementing acts

2. Harmonized requirements for accreditation of CABs, for the conformity assessment report, and for the auditing rules under which conformity assessment will be carried out

3. Need for technical standards describing the certification scheme of the different trust services

4. Need for concrete implementing acts and definitions in the regulation

Gaps between SBs across the EU exist, especially in product qualification

Lack of regulation on eIDAS-compliant cryptographic algorithms

Different understanding about the standards

No standards for all the eIDAS services

No standard for accreditation of CABs nor eIDAS CARs

Discrepancies in the conformity assessments of Qualified TSPs and questions may arise regarding the quality of qualified trust services in the EU

Chart: response shares 11%, 77%, 12%; legend: No, Yes, No Experience yet

Page 9:

Day: 29th June 2017

Place: Berlaymont building, EC premises, Brussels

Register: https://www.enisa.europa.eu/events/tsp-forum-2017

ENISA Trust Services Forum 2017 3rd edition