eIDAS + QTSPs

The PSD2 RTS on strong customer authentication and common and secure communication requires that qualified eIDAS certificates are used for identification of TPPs and ASPSPs.

Qualified certificates are issued by Qualified Trusted Service Providers (QTSPs) as described in the eIDAS regulation, and further described within various ETSI standards.

ETSI are also working on specific standards to support the PSD2 compliant eIDAS certificates.

Data required in PSD2 eIDAS certificates according to the RTS

The Certificate Issuing Process: standards and data sources

ETSI eIDAS PSD2 Standard

At its plenary meeting of the 10th October, the European Telecommunications Standards Institute (ETSI) agreed to create a set of standards for PSD2 eIDAS certificates, in accordance with the EBA RTS.

The new European Telecommunications Standards Institute (ETSI) PSD2 standards that OBE requested (as part of its ERPB role):

  1. Official confirmation of the ETSI New Work Item for PSD2 Certificates is here
  2. Timeline for delivery of the new PSD2 Certificates standards document is here
  3. Details of the background discussions we had with ETSI for the ratification of PSD2 standards request is here
  4. The draft standard ETSI TS 119 495 for publication is here

The EC QTSP List

The limits of an eIDAS certificate

The process of revocations (and its link to NCAs) is accurately described on page 44 of the ERPB report, which has a clear position.

The industry will use:

  • The eIDAS certificate for Identification.
  • The NCA registers for Authorisation.

Open Banking Europe provides such a directory to make this easier.

The NCA is not obliged to inform the QTSP, and the QTSP is not obliged to check the NCA register. So although we can trust the certificates for Identification, in the case that an NCA has withdrawn a license and the certificate has not yet been revoked, there is a period when the roles in the certificate will not be accurate. Anybody who wishes to check the up-to-date role of an ASPSP must look at the Home NCA of that entity.

As there will be 31 NCAs, this raises the need for a machine-readable, standardised repository of TPP details, as published by NCAs (Recommendation #7).

The directory should provide a real-time accessible, machine readable and standardised repository of the details of all authorised and revoked TPPs as published by NCAs. These details should include regulatory information such as passporting information, and could also include operational information such as contact details.
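The split between Identification (certificate) and Authorisation (NCA register) described above can be enforced at request time, as in this added example, which is not code from Open Banking Europe or ETSI. The register schema, sample entries and function names are assumptions made for illustration; the organizationIdentifier layout and role names follow ETSI TS 119 495.

```python
import re
from dataclasses import dataclass

# organizationIdentifier layout per ETSI TS 119 495: PSD<country>-<NCA id>-<PSP id>
ORG_ID = re.compile(r"^PSD([A-Z]{2})-([A-Z]{2,8})-(.+)$")

@dataclass(frozen=True)
class CertIdentity:
    """Fields taken from a qualified certificate that already passed chain validation."""
    org_id: str        # organizationIdentifier from the subject
    roles: frozenset   # PSD2 roles named in the certificate (e.g. PSP_AI, PSP_PI)

# Constructed sample of a machine-readable register export (hypothetical schema).
REGISTER = {
    ("GB", "FCA", "100001"): {"status": "authorised",
                              "roles": {"PSP_AI", "PSP_PI"},
                              "passported_to": {"DE", "FR"}},
    # Licence withdrawn by the NCA; a certificate naming PSP_PI may still be unrevoked.
    ("DE", "BAFIN", "200002"): {"status": "revoked",
                                "roles": set(),
                                "passported_to": set()},
}

def authorise(cert, requested_role, aspsp_country, register=REGISTER):
    """Return (allowed, reason): the certificate identifies, the register authorises."""
    m = ORG_ID.match(cert.org_id)
    if not m:
        return False, "organizationIdentifier is not a PSD2 authorisation number"
    country, nca, psp_id = m.groups()
    entry = register.get((country, nca, psp_id))
    if entry is None:
        return False, "not found in home NCA register"
    if entry["status"] != "authorised":
        return False, "home NCA status is " + entry["status"]
    # Conservative choice in this example: the role must appear in both sources.
    if requested_role not in cert.roles:
        return False, "role not in certificate"
    if requested_role not in entry["roles"]:
        return False, "role not currently authorised by home NCA"
    if aspsp_country != country and aspsp_country not in entry["passported_to"]:
        return False, "not passported to " + aspsp_country
    return True, "ok"

if __name__ == "__main__":
    stale = CertIdentity("PSDDE-BAFIN-200002", frozenset({"PSP_PI"}))
    print(authorise(stale, "PSP_PI", "DE"))
```

The second register entry models the gap the text describes: the certificate still names a role, but the home NCA record decides the outcome.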