The Inner Circle

ENISA Security Framework for Trust Service Providers & Security Framework for Qualified Trust Providers


    Posted Mar 11, 2021 03:54:00 AM
    Hi All,

    ENISA has just issued the following:

    ENISA Security Framework for Trust Service Providers

    This document proposes a security framework to achieve compliance with Article 19 of the eIDAS Regulation. As illustrated below, this security framework includes specific guidelines for TSPs on 1) Risk management related to the security of the eIDAS trust services and based on ISO/IEC 27005 general approach; 2) Security incident management by using the appropriate measures to efficiently detect, measure the impact, respond, report, and recover from security incidents as part of the eIDAS Regulation; 3) Security measures recommended to TSPs from "technical" standards and best practices to treat the risks and contribute to the security incident management. The level of security of these measures is to be selected by the TSP to be commensurate to the degree of risk bound to the context of the TSP (determined during the "context establishment").


    ENISA Security Framework for Qualified Trust Providers

    This document proposes a security framework to achieve compliance with Article 19 of the eIDAS Regulation, to which both non-QTSP and QTSP are subject. Nevertheless, Article 19.1 states that the security measures "shall ensure that the level of security is commensurate to the degree of risk". To achieve compliance with Article 19 (valid for both QTSPs and non-QTSPs), this series of documents recommends that the level of security implemented by non-QTSP, expected to follow 'best practices' when operating with due diligence, is equivalent to the one of QTSP. For this reason, the security practices applied by QTSPs are also relevant to – and can also be followed by – non-QTSPs.

    ------------------------------
    Michael Roza CPA, CISA, CIA, MBA, Exec MBA
    ------------------------------