Guidance towards ETSI certification

If you want knowledge and experience to obtain and maintain your ETSI certification.

How do you become a QTSP?
To become a Qualified Trust Service Provider and be able to offer qualified trust services, you will need an ETSI certification. The supervisory authority stipulates that one of the requirements for admission to the European list of qualified trust service providers (TSL) is that you can submit a so-called Conformity Assessment Report (CAR). One of the accredited Conformity Assessment Bodies (CAB) draws this certification report and follows an intensive external audit process.

QTSP step-by-step plan

In short, a certification process consists of the following steps and elements:

First, you must comply with the applicable ETapplicable version of ETSI EN 319 401 and the applicable ETSI standards that apply to the chosen trust service ( and).
In addition to the ETSI standards, you must comply with ISO-27001 standards and, depending on the chosen trust service(s), CEN/TS (Trustworthy Systems) standards.
A certification process is divided into several parts:
- First of all, assessing whether you comply with the ETSI standards consists of two parts: Phase 1 and Phase 2. Phase 1 is a shortened audit that tests whether you are ready for the entire audit in phase 2.
- In addition, apart from the audit on ETSI standards by the CAB, you will have to have completed a separate ISO-27001 certification and TWS audit.
- If the CAB ultimately issues a positive conformity assessment through a CAR, you will undergo another assessment process with the supervisor before being placed on the TSL.
The certification remains valid for two years, with a surveillance (= follow-up) audit carried out every intermediate year. After two years, you will undergo a recertification audit. Of course, the ISO certification and TWS audit must not lose their validity.

Need guidance to become or remain a QTSP?

In short, you must prepare well to become and remain a QTSP. Our people have the experience in planning, completing and obtaining the aforementioned certifications. Please contact us to see how we can help your organisation further.SI standards. The standards you must comply with depend on the eIDAS trust service(s) you choose, but they always relate to the then--

Dick van Bladel.pngDick van Bladel, House of Trust

Dick van Bladel

"Being ETSI compliant is not something you just do. It is your license to operate."

Based on my technical background over the past 25 years, I have carried out many Risk & Compliance processes, including ETSI and ISO certifications, audits and assessments. The first years were under the flag of IBM and PwC, and later as an independent consultant.

Together with the House of Trust team, I help trust service providers obtain and maintain the correct certification.

Send Dick a message

We are happy to help you with the issues below

Zero measurement

Before you start obtaining an ISO or ETSI certification, it is wise to first make a baseline measurement of where your organization currently stands. This way you know exactly what still needs to be done.

2nd Opinion

Do you think you are ready for certification? Or do you need clarification about what infrastructure has been built? Then it would be good to ask us for a second opinion. This way, you avoid disappointment and costs before starting the certification.

Quality Assurance

Based on our Quality Assurance framework, we examine independently of your (project) organisation to what extent the trust services, processes or projects meet the applicable standards.

ISO 27001 certification

Do you want to become or remain ISO 27001 certified and need help? We provide the proper knowledge and support to ensure your organisation is ISO 27001 certified.

ETSI certification

To become a QTSP, you need an ETSI certification. Depending on the trust service(s), we will help you comply with the correct ETSI standards and receive an ETSI certification from the external conformity assessment body (CAB).

Trustworthy Systems

Part of an ETSI certification is meeting Trustworthy System standards. We know how to best meet these standards and can help you with this. In addition, we can help you obtain a necessary statement stating to what extent your systems meet these standards.

Business continuity

There is no service without availability. With or without an ISO22301 label, we can help you achieve the desired level of availability and make the necessary preparations to help you recover in a timely manner in the event of a disaster.

NIS2

As soon as this new European directive is converted into the Cybersecurity Act, many critical Dutch companies (including TSPs) will have additional obligations.

We are happy to help you understand what this new guideline means for your organisation.

Guidance towards ETSI certification

​​

QTSP step-by-step plan

In short, a certification process consists of the following steps and elements:

First, you must comply with the applicable ETapplicable version of ETSI EN 319 401 and the applicable ETSI standards that apply to the chosen trust service ( and).

In addition to the ETSI standards, you must comply with ISO-27001 standards and, depending on the chosen trust service(s), CEN/TS (Trustworthy Systems) standards.

A certification process is divided into several parts:

First of all, assessing whether you comply with the ETSI standards consists of two parts: Phase 1 and Phase 2. Phase 1 is a shortened audit that tests whether you are ready for the entire audit in phase 2.​

In addition, apart from the audit on ETSI standards by the CAB, you will have to have completed a separate ISO-27001 certification and TWS audit.

If the CAB ultimately issues a positive conformity assessment through a CAR, you will undergo another assessment process with the supervisor before being placed on the TSL.

The certification remains valid for two years, with a surveillance (= follow-up) audit carried out every intermediate year. After two years, you will undergo a recertification audit. Of course, the ISO certification and TWS audit must not lose their validity.

​​