eidas Workshop Return on Experience from Conformity Assessment Bodies - EY June 13, 2016 Contacts: Arvid Vermote

Transcription

1 eidas Workshop Return on Experience from Conformity Assessment Bodies - EY June 13, 2016 Contacts: Arvid Vermote arvid.vermote@be.ey.com

2 EY eidas Certification scheme Scheme EY CertifyPoint B.V. is currently in the process of becoming an accredited CAB through the Dutch RVA (Raad Voor Accreditatie) against the requirements of ISO17065 and ETSI EN for the certification of QTSP and QTS they provide in the areas of IT security and security technology with the requirements defined in Regulation (EU) No 910/2014. Scope of qualified trust services The provision of qualified certificate for electronic signature The provision of qualified certificate for electronic seal The provision of qualified certificate for website authentication Qualified validation service for qualified electronic signatures Qualified validation service for qualified electronic seals Qualified preservation service for qualified electronic signatures Qualified preservation service for qualified electronic seals Qualified electronic time stamp service Qualified electronic registered delivery service The certification scheme specifies our approach to conformity assessment of qualified trust service providers and its qualified trust services against the requirements of the eidas regulation. It defines each step of the conformity assessment process and the regulatory requirements against which the trust services in scope will be assessed. Confidential All Rights Reserved 2

3 Scope of an eidas conformity assessment Compliance requirements The trust service provider should comply with the general requirements applicable to qualified trust service providers: Data processing and protection (Art.5) Provisions on liabilities (Art. 13) Accessibility for person with disabilities (Art. 15) Security requirements applicable to trust service providers (Art. 19) Supervision of qualified trust service providers (Art. 20) EU trust mark for qualified trust services (Art. 23) Requirements for qualified trust service providers (Art. 24) Qualified certificates for electronic signatures and seals The following articles of the regulation apply: Requirements for qualified certificates for electronic signatures (Art. 28) Requirements for qualified certificates for electronic seals (Art. 38) Based on the regulatory requirements, the following domains will be covered during the conformity assessment. Qualified trust provider Qualified trust service Qualified esig or eseal Seal creation device Asset management Business continuity Compliance management Logging and archiving Qualified signature and seal creation devices The following articles of the regulation apply: Requirements for qualified electronic signature creation devices (Art. 29) Requirements for qualified electronic seal creation devices (Art. 39) Access control Internal organization Physical security Personnel security Incident management Information security Environmental security Operations security Network security Policies Plans Procedures Disaster recovery Security awareness Cryptographic controls Profiles Confidential All Rights Reserved 3

4 Profile Policy Scope of an eidas conformity assessment The assessment will be based on the normative requirements defined in the Regulation (EU) No 910/2014 (the eidas regulation). The regulation does not require compliance with any specific standard. However, supporting standards can potentially provide controls that allow for specific elements of the normative requirements to be verified or tested, thereby assisting the audit team in assessing the conformity with a requirement. The following table indicates standards and reference material that is relevant to specific trust services (qualified certificates for electronic signatures and seals). Policy requirements applicable to qualified trust service providers and qualified trust services ETSI EN ETSI EN ETSI EN General Policy Requirements for Trust Service Providers Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates Profile requirements applicable to qualified trust service providers and qualified trust services ETSI EN ETSI EN ETSI EN ETSI EN Part 1: Overview and common data structures Part 2: Certificate profile for certificates issued to natural persons Part 3: Certificate profile for certificates issued to legal persons Part 5: QCStatements Confidential All Rights Reserved 4

5 Accreditation timeline Submission of accreditation package Feedback on EY eidas certification scheme Accreditation complete November 2016 December 2016 January March May? (July)? (August) Initial meetings & formal intent of accreditation Clarifications on application Resolution of identified scheme gaps Office assessment Confirmation of scheme assessment complete Confidential All Rights Reserved 5

6 Improvement areas Guidance and promotion towards potential trust service providers: business case & implementation of eidas trust services Supervisory bodies: expectations on conformity assessment report structure, content and level of detail Supervision: clear stipulation of surveillance audit triggers and requirements Standards: additional supporting standards on Qualified electronic registered delivery services Qualified preservation service for qualified electronic signatures Qualified preservation service for qualified electronic seals Confidential All Rights Reserved 6