EU Trusted Lists of Certification Service Providers
On 16 October 2009 the European Commission adopted a Decision setting out measures facilitating the use of procedures by electronic means through the ‘points of single contact’ under the Services Directive. One of the measures adopted by the Decision consisted in the obligation for Member States to establish and publish by 28. 12.2009 their Trusted List of supervised/accredited certification service providers issuing qualified certificates to the public. The objective of this obligation is to enhance cross-border use of electronic signatures by increasing trust in electronic signatures originating from other Member States. The Decision was updated several times since 16.10.2009, the last amendment was made on 28.7.2010. The consolidated version is available here for information.
The EU Trusted Lists benefits above all to the verification of advanced e-signatures supported by qualified certificates in the meaning of the e-signature directive (1999/93/EC) as far as they have to include at least certification service providers issuing qualified certificates. Member States can however include in their Trusted Lists also other certification service providers.
In order to validate advanced e-signatures supported by qualified certificates, a receiving party would first need to check their trustworthiness. This means that the receiving party has to be able to verify whether the signature is an advanced electronic signature supported by a qualified certificate issued by a supervised certification service provider as required by Article 3.3 of the e-signatures directive. The receiving party may also need to verify whether the signature is supported by a secure signature creation device.
Although the information necessary to verify these signatures should in principle be retrievable from the signature itself and from the content of the qualified certificate supporting it, this process can be rather difficult due to the differences in the use of existing standards and practices. The publicly available Trusted Lists makes it much easier for signature recipients to verify the e-signatures by complementing the data that can be retrieved from the e-signature and the qualified certificate and by providing also information on the supervised/ accredited status of Member States' certification service providers and their services.
Member States had to establish and publish their Trusted List by 28.12.2009 at least in a “human readable” form but were free to produce also a "machine processable" form which allowed for automated information retrieval. The Trusted Lists had to be made available by all Member States, including those who have no certification service providers issuing qualified certificates; the fact that a national Trusted List is empty will then indicate the absence of certification service providers issuing qualified certificates.
In order to allow access to the trusted lists of all Member States in an easy manner, the European Commission has published a central list with links to national "trusted lists". This central list has been created by the Directorate General for Informatics under the IDABC-programme in close collaboration with Directorates-General Internal Market and Services and Information Society and Media.
In accordance with the ETSI TS 102 231 standard, the compiled list (the European Commission list of the locations where the Trusted Lists are published as notified by Member States) is available on a secure web-site in two formats:
Please see the important note on the central list policy and the related legal notice. The above lists relate to article 1 paragraph 4 of Commission Decision 2010/425/EU of 28 July 2010 amending Decision 2009/767/EC when the amendment entered into force on 1.12.2010.
The authenticity and integrity of the machine processable version of the compiled list is ensured through an electronic signature supported by a digital certificate. The certificate can be authenticated through one of the digests published on page 8 of the Official Journal of the European Union C 374 of 22.12.2011.
The authenticity and integrity of the human readable version of the compiled list is ensured through an TLS/SSL secured conection supported by a digital certificate. The certificate was published on page 15 of the Official Journal of the European Union C 57 of 09.03.2010.
The authenticity and integrity of the compiled list should be verified by relying parties prior to any use.