Breakout afternoon sessions (29 November) - Give us your input!

Are OpenPEPPOL service providers also electronic registered delivery (ERD) trust service providers (TSP) according to the eIDAS Regulation?
Even if theoretically an OpenPEPPOL service provider can apply for qualification in my opinion it will not be the case in practice as, to have a QERDS, all the OpenPEPPOL nodes would need to be qualified ERD TSP. In fact article 44 reads: "In the event of the data being transferred between two or more qualified trust service providers, the requirements in points (a) to (f) [i.e.the qualified ERD TSP requirements] shall apply to all the qualified trust service providers"

But also if Peppol service providers are not qualified, there are legal implications if OpenPEPPOL service provider should be considered an ERD TSP.

Article 13 is about the (Q)TSP liability and article 19 defines the basic requirements applicable to both TSPs and QTSP,

This means that each OpenPEPPOL service provider are under "ex post" supervision and shall (in short):

• take appropriate technical and organizational measures to manage the risks posed to the security of the trust services they provide
• notify the supervisory body [...] of any breach of security or loss of integrity
• notify the natural or legal person of the breach of security or loss of integrity without undue delay

In addition to that the OpenPEPPOL network relies on some trust services like issuing of electronic certificates and time stamps. Also these trust services are not qualified in the current implementation but using qualified TSP for these supporting services seems not very much difficult to implement.

Both the topics above deserve in my opinion to be discussed.

Best regards,

Andrea Caccia