Qualified Certification Service Providers
General information about trusted lists under Regulation (EU) No 910/2014
Trusted lists are essential elements in building trust among electronic market operators by allowing users to determine the qualified status and the status history of trust service providers and their services.
The trusted lists of Member States include, as a minimum, information specified in Articles 1 and 2 of Commission Implementing Decision (EU) 2015/1505.
Member States may include in the trusted lists information on non-qualified trust service providers, together with information related to the non-qualified trust services provided by them. It shall be clearly indicated that they are not qualified according to Regulation (EU) No 910/2014.
Member States may include in the trusted lists information on nationally defined trust services of other types than those defined under Article 3(16) of Regulation (EU) No 910/2014. It shall be clearly indicated that they are not qualified according to Regulation (EU) No 910/2014.
Trusted list of Italy
The present list is the trusted list including information related to the qualified trust service providers which are supervised by Italy, together with information related to the qualified trusted services provided by them, in accordance with the relevant provisions laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC.
The cross-border use of electronic signatures has been facilitated through Commission Decision 2009/767/EC of 16 October 2009 which has set the obligation for Member States to establish, maintain and publish trusted lists with information related to certification service providers issuing qualified certificates to the public in accordance with Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures and which are supervised/accredited by the Member States. The present trusted list is the continuation of the trusted list established with Decision 2009/767/EC.
The Ministry of Interior is an exception; it is the only not qualified service provider into the list. It provides (by law) only an Identity verification service that allows citizens to use the national identity card to authenticate themselves over the network. As not qualified trust service provider, the Ministry of Interior is not subject to ex ante supervision by this Agency, but only to ex post supervision: AgID will take action when informed that Ministry of Interior or the trust service it provides allegedly do not meet the requirements laid down in the eIDAS Regulation.
Other Identity verification services (not qualified services) refer to the “National Service Card”. This card, always usable by the citizens to authenticate themselves over the network, may be issued, by law, only by qualified trust service providers that have been already authorized to issue qualified electronic signature certificates. These QTSPs made this activity on behalf of a public administrations.
As QTSPs these subjects are subject to supervision ex ante and ex post to verify that the IdV service provided by it comply with the requirements laid down in eIDAS Regulation and in national law.
The Agenzia per l’Italia Digitale (AgID) is the Italian supervisory body, notified to the Commission in compliance with article 17 of eIDAS Regulation.
AgID supervise qualified trust service providers established in Italy through ex ante and ex post supervisory activities.
AgID is also the national body responsible for establishing, maintaining and publishing national trusted lists.
At now, trust service providers, without qualified status, intend to start providing qualified trust services, they shall submit to AgID a notification of their intention together with a conformity assessment report issued by an accredited conformity assessment body (CAB), and the following documentation:
a) certified copy of incorporation of the company;
b) a copy of the statute issued by the relevant Chamber of Commerce;
c) certificate of registration in the commercial;
d) statement of the body responsible for monitoring, attesting to the amount of the paid up share capital, and the amount and composition of shareholders' equity;
e) balance sheet, prepared and approved by the administrative;
f) report of the inspection or accounting body on the balance sheet referred in point e);
g) list of names of the legal representatives;
h) copy of the insurance policy;
i) copy of the last financial statements and related certification;
l) statement by the president of the company, attesting the composition shareholders, as known, with an indication, however, of the participants in direct or indirect, in the share capital by more than 5%;
m) copy of the operating manual (CPS);
n) copy of the security plan;
o) a description of the organizational structure;
p) statement by the president of the company of availability to allow access of persons in charge of AgID at facilities dedicated to certification tasks, in order to be able to verify the permanence of the technical and organizational requirements documented at the time of submission of the application;
q) a written undertaking to inform the AgID each kind of secure signature creation device they intend to provide, with the certification;
r) statement of commitment to inform AgID of any to the documents provided to obtain the authorization to operate (eIDAS art. 21). That changes cannot become operative without AgID approval;
s) a technical declaration containing several information: signature generation algorithms, hash algorithms used, length of the keys, description of the key generation system, characteristics of the certificates generation system, information contained into the certificates and their format, management and access to the revocation information and certificate suspension/revocation services, how the uniqueness of the public key is satisfied, backup procedures, procedures for keeping the audit trail, description of the electronic time stamps system.
Since July 1th 2016, to above documentation must be added the conformity assessment report (CAR) as stated in article 21 of eIDAS Regulation.
AgID analyse the notification, the CAR and the required documentation and, to verify whether the trust service provider and the trust services provided by it comply with the requirements laid down in eIDAS Regulation and in national law. If AgID concludes positively with regards to such a compliance, it will grant the qualified status to the notified trust service provider and the notified trust services it provides. Analysing the conformity assessment report (CAR), AgID check eventually reported non-compliance and evaluate them. This means that, even if the CAB may declare that a non-compliance is not significant enough to be impediment to the qualification of the service, AgID may decide not to grant the qualification.
Qualified trust service providers established in Italy may begin to provide the qualified trust service after the qualified status has been indicated in the trusted list of Italy.
Actual law (CAD article 37) does not require to provide a termination plan, but stated that in front of a termination, that:
1. A qualified trust service provider which intends to cease activity must, at least sixty days before the date of cessation, give notice to the AgID and immediately inform the holders of certificates issued by it, specifying that all certificates which have not expired at the time of cessation shall be revoked.
2. The qualified trust service provider cited in paragraph 1 shall simultaneously communicate the acquisition of documents by another qualified trust service provider. Indication of a replacement qualified trust service provider shall not require revocation of all certificates which have not expired at the time of cessation. The qualified trust service provider cited in paragraph 1 must indicate the new holder of the certificates register and related documentation.
Since July 1th 2016, the termination plan is required by Art.17.4(i) and Art.24.2 of eIDAS Regulation. Its existence is verified by CAB and reported into the CAR.
Supervision is made by AgID remotely and on-site to check if the subject is operating in compliance with the law (national and of the Union) and in compliance with everything has been declared into the above documentation. Nothing (procedure, processes, sites, buildings…) may be changed if not approved ex ante by AgID.
Conformity assessment body (CAB) means a body defined in point 13 of Article 2 of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides against Regulation (EU) 910/2014. National accreditation body (NAB) in Italy is Accredia. Accredia, for CAB accreditation, applies UNI CEI EN ISO/IEC 17065:2012 and ETSI EN 319 403. For the training of audit teams several experts are involved, in addition to staff by the supervisory body.
Accredited CABs (on July 2016, in Italy, Bureau Veritas Italia and CSQA Certificazioni) are charged to verify that the TSP and the service provided complies eIDAS Regulation. To do their activity they have chosen to use European standard and the checklists available by ETSI (ETSI EN: 319401, 319411, 319412,319421, 319422), as applicable.
The CAR must be clearly and explicitly confirm that the assessed QTSP and the assessed qualified trust service it provides fulfil the requirements laid down in the eIDAS Regulation.
You can download the Trusted List as the machine processable version (xml-file) here.
The following Qualified Certification Service Providers issue certificates to citizens living abroad: