The name “Electronic Trust Service Providers”, created under the recently existing EU Regulation No. 910/2014, renders the previous designations obsolete:
- “Trusted Third Party” (name created in Law 34/2002, of July 11, LSSI-CE)
- “Certification Service Provider” (name created by Law 59/2003, of 19 December, by transposition of Directive 1999/93/EC)
New classification of Electronic Trust Service Providers
The new e-TSPs are classified in three levels:
- Qualified Electronic Trust Services, registered in the SETSI registry for TSPs (there cannot be qualified electronic services that are not registered).
- Not qualified Electronic Trust Services, services, registered in the SETSI TSPs registry.
- Not qualified Electronic Trust Services and not registered in the SETSI TSPs registry
Qualified Electronic Trust Service Providers are supervised by the Supervisory Bodies. In Spain, the Supervisory Body is the Ministry of Telecommunications and Information Society (SETSI), that belongs to the Ministry of Industry, Energy and Tourism (Minetur).
Qualified Electronic Trust Service Providers must be audited, at least every 24 months, by a Conformity Assessment Body. The purpose of the audit is to confirm that both the Electronic Trust Service Providers and the Electronic Trust Services fulfill the the requirements of Regulation (EU) 910/2014.
Qualified Trust Service Providers must submit the corresponding Conformity Assessment Report to the supervisory body within three working days upon receipt.
The Registered Electronic Trust Service Providers are a special category in terms of supervision of the services by the SETSI, since they provide either services that do not have the status of qualified service, or services that do not fit in the Trust Service definition according to Regulation (EU) 910/2014.
Due to the condition of Notified services to SETSI (and therefore included in the Trust Service Providers Registry), its information is published on the Ministry of Industry, Energy and Tourism website, although the Ministry of Industry, Energy and Tourism does not check the alignment of the services to the applicable legislation on trust services prior to publication.
Registered Providers can receive warnings and information requests from SETSI, if the latter receives any kind of complaint from the involved trust services users.
Some services, such as Certified Digitization, are not usually notified to SETSI, so they could be considered as Non-Registered, and therefore, outside the scope of action of the Supervisory Body.