Becoming a Qualified Trust Service Provider (QTSP) requires much more than technical implementation: that is the main message Steffen Schwalm, Principal Consultant at msg security advisors, highlights.
Becoming a QTSP is a complex process – and for good reason. Over the last fifteen years, Steffen has helped organizations navigate digital identity and trust services. In this interview, he shares insights into when pursuing QTSP certification makes sense for your business, which technological options are available, and which uncertainties organizations need to consider in their strategic planning.
On March 20th, 2025, Steffen will dive deeper into these topics during our webinar “Preparing for eIDAS 2.0: Is your technology ready for QTSP certification?” His practical advice reveals that success requires a careful balance of business strategy, organizational structure, and technological choices.
Should you become a QTSP?
The path to becoming a QTSP starts with a fundamental question: is certification really the best solution for your business needs? Organizations should carefully evaluate their options, Steffen notes. Sometimes, using an existing trust service might be more efficient than becoming a QTSP. In other cases, an organization might be better positioned to act as an authoritative source: providing verified data that QTSPs can use for their attestations.
“The first step is always strategy,” Steffen says. “Where do you want to go? Is certification really what you need? Is becoming a trust service provider actually necessary for your goals?”
For organizations that do choose to become a QTSP, there are significant organizational and resource requirements. The certification process demands substantial investment, both initially and for ongoing maintenance. Organizations often underestimate the effort required for recertification every two years. Moreover, QTSP operations must be completely separated from other business activities, both in terms of technical infrastructure and governance, due to the full liability that QTSPs bear for their services.
The journey to becoming a QTSP often starts at the middle management or technology team level, while top management remains uninformed or underestimates the effort involved. This disconnect can lead to governance issues and inadequate resource allocation, Steffen adds.
Finding a balance between security and adoption
Once an organization has decided to become a QTSP, it faces many decisions. The technical infrastructure for QTSPs presents several strategic choices, each with its own trade-offs between security, accessibility, and market reach. From classical PKI to ledger technology, from identification procedures to secure authentication and key management, the technical conditions are quite challenging – especially for issuing certificates or attestations of attributes. This extends to the necessary documentation, policies, governance, and organizational procedures.
One special challenge is the integration of the EUDI Wallet, including Person Identification Data (PID) for natural persons. Currently, most countries are adopting the Hardware Security Module (HSM) approach for key management of the PID for natural persons, primarily because it offers the widest device compatibility while maintaining robust security standards.
While secure elements might provide enhanced security features for PID, they currently limit adoption by requiring high-end mobile phones. Ubiqu’s remote secure element offers organizations a way to implement high-security standards without device dependencies, but it needs broader adoption. This creates a strategic challenge: balancing security requirements with the need for broad accessibility. Alternative solutions are at hand but not yet fully developed, explains Steffen.
Looking ahead, Steffen believes we’ll see more diverse technical approaches: “In five to eight years, I expect we’ll see multiple approaches coexisting – secure elements, HSM, eSIM, and secure enclave solutions. HSM has one advantage: as key management for certificates is done in the HSM, the component can be reused if the QTSP is also the PID issuer at the same time. However, before the decentralized approaches become viable, we need to make these solutions more accessible. They must be compatible with a broader range of mobile phones, not just high-end devices.”
Steffen also emphasizes that organizations shouldn’t wait to implement new business models: “Besides this, we need to keep in mind that (qualified) attestations, the trust service which promises the widest adoption and acceptance, can be issued in any wallet or system – so there is no need to wait for the EUDI Wallet; design and implement new business models now.”
For a detailed comparison of wallet secure cryptographic device options, read this previously published article.
Industry-specific challenges require tailored approaches
The healthcare sector exemplifies how industry-specific regulations can complicate QTSP implementation. While sectors like banking benefit from harmonized EU regulations such as AML and MiCA, healthcare remains heavily fragmented. Each member state maintains its own systems for e-prescriptions, doctor certifications, medical records, and health insurance. This fragmentation means that QTSPs targeting the healthcare sector must navigate complex compliance requirements that vary significantly by country. This will change in the context of eIDAS 2.0, but this process needs time.
As Steffen explains: “Currently, in Germany you must be a provider certified by Gematik to operate in the public healthcare system. Every doctor and pharmacist needs to be part of this infrastructure, using specific signature cards and certificates that verify their professional status. It’s currently not possible for a provider from another country to issue signatures within our telematic infrastructure. This will change with eIDAS 2.0, so that Gematik becomes more of an orchestrator of the ecosystem instead of an approving authority.”
The telecommunications sector faces a different set of challenges, primarily centered around technical architecture decisions. The industry’s push toward eSIM technology represents an attempt to reduce dependence on non-European hardware manufacturers. However, while eSIM offers promising security features and greater autonomy, current solutions lack the scalability needed for widespread adoption. This illustrates how industry-specific strategic goals can influence technical implementation choices for QTSPs.
Beyond these sectors, other highly regulated industries like aerospace, banking, and government services each present their own unique challenges. The key to success lies in understanding not just the general QTSP requirements, but also the specific regulatory landscape and technical needs of the target industry.
Emerging challenges in the eIDAS 2.0 landscape
While the eIDAS 2.0 regulation has been published, Steffen highlights a critical challenge for organizations pursuing QTSP certification: the standards underpinning the regulation are still under development. The standards for attestation of attributes are under review, and even once published, their interpretation may not be immediately clear.
This evolution of standards creates several practical challenges for QTSPs. Under Article 24, QTSPs are required to accept EUDI Wallets for identification – yet these wallets won’t be widely available until 2027. Organizations must therefore plan their implementation strategy while key components of the ecosystem are still taking shape. This means that organizations need to look at alternative identification procedures, which are explicitly permitted within eIDAS.
Another significant challenge Steffen emphasizes is the complexity of accessing and verifying authentic sources. QTSPs need to connect with various authoritative sources, from member state registries to university databases, to issue attestations. Yet without standardized methods for accessing and verifying these sources, organizations must make implementation decisions today that may need revision as standards evolve.
While these uncertainties pose challenges, they also create opportunities for forward-thinking organizations. Success in this evolving landscape requires a strategic approach that balances immediate business needs with the flexibility to adapt as standards mature. Understanding the changing nature of the QTSP landscape is crucial to help organizations make better decisions during their implementation – and beyond.
Ready to navigate the QTSP certification journey?
Understanding the complexities of QTSP certification is crucial for organizations looking to thrive in the digital identity landscape. To learn more about preparing your organization for QTSP certification and eIDAS 2.0 compliance, join Steffen Schwalm in an upcoming webinar on March 20th, 2025 at 13:00 CET.
The session will dive deeper into technical requirements, strategic considerations, and practical steps for organizations in regulated industries. Whether you’re a trust service provider looking to become qualified, or an organization evaluating your digital identity strategy, this webinar will provide valuable insights for navigating the path ahead.
Register now to ensure your organization is prepared for the evolving requirements of digital trust services in Europe.