A new ETSI standard for the JAdES signature


ETSI has just unveiled ETSI TS 119 182-1, a specification for JSON Web Electronic Signatures or Seals supported by PKI and public key certificates, which authenticate the origin of transactions, ensuring that they are bound to their originator and that access to sensitive resources can be controlled.

This standard is a major achievement for interoperability of digital signatures for a range of applications in today’s digital economy including the banking and financial world where so far, some 4,000 banks were using various private signing procedures for their APIs to secure their online transactions.

Called JAdES, ETSI TS 119 182-1 comes in support of secure communications fulfilling the requirements of the European Union eIDAS Regulation (No 910/2014) for advanced electronic signatures and seals and regulatory requirements for services such as open banking.

This JAdES digital signature specification is based on JSON Web Signature and contains the features already defined in the related ETSI standards for AdES (advanced electronic signature/seal) applied to other data formats including XML, PDF and binary. The standard was developed with contributions from a number of stakeholders including representatives from the banking sector who, through Open Banking Europe, have brought their operational requirements to align European APIs onto one security model.

Nick Pope, Vice-Chair of the ETSI technical committee on Electronic Signatures and Infrastructures (ESI) comments: “The ETSI JAdES standard builds on ETSI’s decades of experience in defining standards for applying digital signatures to a variety of document formats to provide evidence of their authenticity supported by European Regulations. Working with Open Banking Europe, ETSI has developed a solution which matches the requirements of Open Banking APIs whilst assuring the authenticity of financial transactions.”

ETSI TS 119 182-1 can be used for any transaction between an individual and a company, between two companies, between an individual and a governmental body, etc. applicable to any electronic communications. The technical features of the specification can therefore be applied to the use of PKI based digital signature technology and in both regulated and general commercial environments.

“As PSD2 and open banking move towards Open Finance standard, APIs are essential not just in Europe but globally. Open Banking Europe is proud to be part of the ETSI ongoing standardization work and bring its operational requirements to solve practical problems,” adds John Broxis, Managing Director, Open Banking Europe.

Electronic commerce has emerged as a frequent way of doing business between companies across local, wide area and global networks. Trust in this way of doing business is essential for the success and continued development of electronic commerce. It is therefore important that companies using this electronic means of doing business have suitable security controls and mechanisms in place to protect their transactions and to ensure trust and confidence with their business partners. In this respect digital signatures are an important security component that can be used to protect information, provide trust in electronic business and prevent tampering.

With this new standard ETSI meets the general requirements of the international community to provide trust and confidence in electronic transactions.

Spanish Official Gazette authorizes video identification to get Qualified Certificates


The Official Gazette of April 1, 2020 includes Royal Decree-Law 11/2020, of March 31, by which complementary urgent measures are taken in the social and economic field to deal with COVID-19.

Its eleventh additional provision includes “Provisional measures for the issuance of qualified electronic certificates”.

The text of this provision is as follows:

While the state of alarm lasts, as was decreed by Royal Decree 463/2020, of March 14, the issuance of qualified electronic certificates will be allowed in accordance with the provisions of article 24.1.d) of Regulation (EU) 910/2014, of July 23, regarding electronic identification and trust services for electronic transactions in the internal market. To this end, the supervisory body will accept those methods of identification by videoconference based on the procedures authorized by the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses (SEPBLAC) or recognized for the issuance of qualified certificates by another Member State of the European Union. The equivalence in the security level will be certified by a conformity assessment body. The certificates thus issued will be revoked by the service provider at the end of the state of alarm, and their use will be limited exclusively to the relations between the holder and the public administrations.

TCAB (Trust Conformity Assessment Body) has already carried out audits of this type for entities that provide video identification services. The first one was for Electronic Identification, S.L.


New ETSI OIDs for signature validation services policies


New Draft ETSI TS 119 441 proposes new OIDs for Signature Validation Service Policy:

  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) main (1)
  • itu-t(0) identified-organization(4) etsi(0) VAL SERVICE-policies(9441) policy-identifiers(1) qualified (2)
That is
  • OID as the main policy OID for Validation Services, and
  • OID as the policy OID for Validation Services that identifies qualified validation services as defined in Articles 32 and 33 of Regulation (EU) 910/2014 (eIDAS)

Article 32

Requirements for the validation of qualified electronic signatures

1.   The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:


  • the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;
  • the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;
  • the signature validation data corresponds to the data provided to the relying party;
  • the unique set of data representing the signatory in the certificate is correctly provided to the relying party;
  • the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
  • the electronic signature was created by a qualified electronic signature creation device;
  • the integrity of the signed data has not been compromised;
  • the requirements provided for in Article 26 were met at the time of signing.

2.   The system used for validating the qualified electronic signature shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.

3.   The Commission may, by means of implementing acts, establish reference numbers of standards for the validation of qualified electronic signatures. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation of qualified electronic signatures meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 33

Qualified validation service for qualified electronic signatures

1.   A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:


  • provides validation in compliance with Article 32(1); and
  • allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.

2.   The Commission may, by means of implementing acts, establish reference numbers of standards for qualified validation service referred to in paragraph 1. Compliance with the requirements laid down in paragraph 1 shall be presumed where the validation service for a qualified electronic signature meets those standards. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Degree of EIDAS implementation within the European Union


Regulation (EU) No. 910/2014 of the European Parliament and of the Council of July 23, 2014, on electronic identification and trust services in electronic transactions in the internal market (eIDAS), which entered into force on the 1st of July 2016, has experienced an uneven implementation in the different countries of the European Union.

We analyze below the degree of implementation of the eIDAS Regulation in the main countries of the EU:


  • France:

There is no national law yet, but there are different procedures and requirements based on ETSI regulations.

Supervisory Body: ANSSI (Agence nationale de la sécurité des systèmes d’information).



  • Germany:

There is no national law yet either, but there are different procedures and requirements based on ETSI regulations.

Supervisory Body: BSI (Federal Office for Information Security).



  • Belgium:

The current national law is applied, without connection with the ETSI or CEN regulations.

The Conformity Assessment Bodies are accredited according to ISO/IEC 17065 + ETSI EN 319 403.

Supervisory Body: Service Publique fédéral Economie, PME, Moyennes Classes and Energie.



  • Spain:

Current National Law 39/2015 applies. There are no specific procedures for Trust Service Providers.

Supervisory Body: Ministry of Energy, Tourism and Digital Agenda (MINETUR).



  • Italy:

There is no national law yet, but this country has a national accreditation system, based on EN 319 403, administered by ACCREDIA (2 CABs accredited: VERITAS and CSQA).

Supervisory Body: Agenzia per l’Italia Digitale.



  • Netherlands:

There is no national law yet, but they have national procedures for notifications of non-compliance and accreditation of the CAB.

Supervisory Body: Authority for Consumers and Markets and Agentschap Telecom.



  • United Kingdom:

The national law for the eIDAS application defines the applicable procedures for each type of trust service in the UK.

Supervisory body: The Information Commissioner.




EIDAS celebrates its first anniversary


The first anniversary of eIDAS deserves a brief review of how this Regulation has changed, in many respects, the outlook for trust services in the European Union.

We review the key points of the first year of eIDAS:


  • The main novelty of this new Regulation is the harmonization of the requirements for the mutual recognition of electronic identification at EU level. Therefore, it repeals the previous Directive 1999/93/EC and the respective national laws.


  • The Regulation has created the “EU trust mark”, which clearly distinguishes qualified trust services from other trusted services.


  • The Regulation has also introduced the concept of Qualified Trust Services Providers and Electronic Trust Services.

In particular, it has created the following qualified services (those that meet the requirements applicable in Regulation (EU) No 910/2014): electronic signatures and electronic seals. Electronic signatures are intended for individuals and electronic seals for legal entities. In addition, it regulates other trust services such as electronic time stamps, electronic documents, electronic delivery services and website authentication.

Qualified Trusted Service Providers obtain this status through a Conformity Assessment Report and a Supervisory Body must audit them at least every 24 months.


  • It specifies new levels of electronic identification, low and substantial. They improve identification mechanisms, such as handwritten signatures on mobile devices or cloud signature solutions.


  • The Regulation has introduced the concept of Electronic Signature in three different levels:

Electronic Signature: The definition remains the same under eIDAS. The electronic signature has legal effects and is admissible as evidence in legal proceedings.

Advanced Electronic Signature: It allows the unique identification and authentication of the signer of a document and allows checking the integrity of the signed document. The issuance of a digital certificate by a Certification Authority (CA) allows the authentication.

Qualified Electronic Signature: They are the electronic equivalent of handwritten signatures. Qualified certificates are their foundation. These are the only signatures that ensure the mutual recognition of their validity by all EU Member States.


  • Recognition of electronic signatures as evidence at trial within the EU.

Article 25 of eIDAS reflects this concept. It provides that legal effects and admissibility as evidence in court proceedings are not denied to an electronic signature by the fact of being an electronic signature or because it does not meet the requirements. In fact, a qualified electronic signature has a legal effect equivalent to that of a handwritten signature.


  • The regulation recognizes admissibility as evidence in a trial and its legal effect for electronic signatures.


  • The Regulation creates the EU Trusted Lists. They reflect the Qualified Electronic Trust Services Providers and the services they offer. The TSPs and their services will be qualified if they appear on these lists.


  • Regulation of Qualified signature creation devices. They must meet the requirements listed in Annex II of Regulation (EU) 910/2014. The European Commission shall establish, publish and maintain a list of qualified electronic signature/stamp devices with the information provided by the Member States.


  • Acceptance of remote identification for electronic signatures. Therefore, the on-site identification is no longer needed. To ensure the safety of the process, you can use other identification means. These can be prior on-site identification, qualified electronic seals or qualified electronic signature certificates.


  • The Regulation establishes that Conformity Assessment Bodies must audit TSPs every 24 months.
    The purpose of the audit is to confirm that both Qualified TSPs and the electronic trust services they provide meet the requirements of eIDAS.


Main benefits of the introduction of eIDAS

The introduction of the eIDAS Regulation was a necessity at EU level. Prior to its entry into force the identity documents of citizens from one Member State were not valid in other EU Member States.

Therefore, eIDAS facilitates the provision of cross-border services and allows companies to operate outside their borders. Ultimately, it benefits citizens, businesses and Public Administration.

The main services where citizens can benefit from eIDAS are the following: paying taxes, public tenders, signing online contracts, economic transactions through electronic banking and online health services, among others.


Source: European Commission


Some keys to Regulation No 910/2014 (EIDAS)


We analyze the main keys to Regulation 910/2014 (eIDAS):

I.- Use of cross-border identification and signature systems in eIDAS

The transposition of Directive 1999/93 was uneven and it has never seemed clear enough that electronic signature and identification certificates issued by Certification Service Providers in one Member State had to be accepted by the rest of the Member States.

Since July 1st 2016, the direct application of EU Regulation 910/2014 definitely clarifies this concept.

II.- CSPs (Certification Services Providers) will be called ETSPs (Electronic Trust Services Providers) in eIDAS

From now on, they are Trust Services Providers (TSPs). And they can issue qualified certificates (equivalent to recognized certificates of Law 59/2003) or non-qualified certificates.

The issuance of natural person certificates is a specific type of trust service and, among them, there are qualified certificates (in the aforementioned law they were called “recognized”). In order to issue this kind of certificate, the Conformity Assessment Body (in Spain, Entidad Nacional de Acreditación (ENAC)) shall submit a notification of its intention together with a Conformity Assessment Report to the Supervisory Body (in Spain, the State Secretariat for Telecommunications and Information Society).

If it has the possibility of issuing qualified certificates, it will be placed in a trusted list (which each Member State publishes with information of all qualified providers of Trust Services) and may use the trust tag “EU” to indicate the services it provides.

It should be noted that the control mechanisms on all service providers are increased (whether they issue qualified certificates or not), which will be audited every 24 months to confirm that they comply with the provisions of the Regulation.

III.- Liability of Service Providers

They remain liable for the damages caused deliberately or negligently to any person due to any breach of the obligations established in the Regulation. However, the limitations on liability of Article 23 of Law 59/2003 no longer exist. The burden of proof lies (i) with the person claiming the damage, when the Provider issues non-qualified certificates, or (ii) with a service provider issuing qualified certificates, who must prove that the damages occurred without intention or negligence on its part.

IV.- Legal Person Certificates

The Regulation does not foresee the issuance of electronic signature certificates in favor of legal persons or entities without legal personality. Entities of this type only have electronic seals, which make it possible to prove the authenticity of the origin and the integrity of the sealed document.

V.- New regulated services

Apart from the electronic signature (defined in Law 59/2003, in 3 types, electronic signature, advanced and qualified), the Regulation also regulates the electronic seal (there are also 3 kinds), electronic timestamp, certified electronic delivery service, electronic document and website authentication. Recital 55 of the Regulation also opens the possibility of generating qualified electronic signatures such as the mobile signature or the cloud signature, which can greatly boost the market for electronic signatures.

