Trusted e-Service Providers

Qualified providers of trusted electronic services

El Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014, on electronic identification and trust services in electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS), provides for the following Categories of qualified servers:

Service for issuing qualified electronic certificates for electronic signatures
Service for issuing qualified electronic certificates of electronic seal
Qualified electronic certificate issuance service for website authentication
Service for the issuance of qualified electronic time stamps
Qualified service of certified electronic delivery
Qualified service for validation of qualified electronic signatures
Qualified service for validation of qualified electronic seals
Qualified Electronic Signature Retention Service
Qualified service for the conservation of qualified electronic seals

In accordance with Article 17 of the eIDAS Regulation, the supervisory body supervises qualified providers by Pre- and post-supervisory activities.

On May 20, 2024, the Law came into force Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, amending Regulation (EU) No 910/2014 as regards the establishment of the European digital identity framework, with the aim of improving its effectiveness, extending its benefits to the private sector and promoting trusted digital identities for all Europeans. On the other hand, new trust services are defined and a series of implementing acts are foreseen in terms of technical requirements and supervision of trust services.

Notification of qualified electronic trust services

Trusted List of Qualified Trusted Electronic Service (TSL) Providers

La Law 6/2020, of 11 November, regulation of certain aspects of electronic trust services (LSC) establishes in its article 16.1 that the Ministry for Digital Transformation and Public Service establish, maintain and publish the trusted list containing information on qualified providers of trust services subject to said Law, together with the information related to the qualified trust services provided by them, as foreseen in Article 22 of Regulation (EU) 910/2014.

Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats for trusted lists in accordance with Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014, on electronic identification and trust services for electronic transactions in the internal market requires, in line with Article 22(1) of that Regulation, that each Member State should establish, maintain and publish trust lists containing information relating to qualified providers of electronic trust services together with information relating to qualified electronic trust services provided by them.

In accordance with the above, the Ministry for Digital Transformation and the Civil Service has drawn up a Trusted List of Trusted Electronic Service Providers (TSL) for providers who provide qualified and supervised trusted electronic services in Spain. The TSL is accessible at the following link:

La European Commission provides in the following link a tool to explore Trusted Service Lists (TSL) belonging to the different Member States and the list of trusted lists, “List of Trusted Lists” (LoTL):

In addition, article 17.2 of the LSC states that information relating to qualified trust service providers may be published on the Internet address of the Ministry for Digital Transformation and the Civil Service for dissemination and knowledge.

Information dissemination service for qualified providers provided for in Article 17.2 of the LSC

Unqualified providers of trusted electronic services

Unqualified electronic trust service providers according to Article 3(16) of the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (eIDAS Regulation), They are not subject to prior supervisory activities.

The supervisory authority may, in accordance with Article 17 of the eIDAS Regulation, take measures through subsequent supervisory activities, where it receives information that such unqualified trust service providers, or the trust services provided by them, allegedly do not comply with the requirements laid down in the Regulation.

Information on unqualified trust services

Notification of security incidents

Article 19.2 of the eIDAS Regulation imposes on all qualified and unqualified trust service providers the obligation to notify the supervisory body of any breach of security or loss of integrity that has a significant impact on the trust service provided or on the corresponding personal data.

In this regard, Article 13 of the Law 6/2020, of 11 November, regulating certain aspects of electronic trust services, provides that qualified and unqualified providers of electronic trust services shall notify the Ministry of Economic Affairs and Digital Transformation of the security breaches or loss of integrity referred to in article 19.2 of Regulation (EU) 910/2014, without prejudice to its notification to the Spanish Data Protection Agency, to other relevant bodies or to the persons concerned.

It also states that service providers shall, within a maximum period of one month after the notification of the incident and, if it has taken place, after its resolution, expand the information provided in the initial notification in accordance with the guidelines and forms that may be established by the Ministry of Economic Affairs and Digital Transformation.

More detailed information on this can be found in the following note:

Notification of security incidents of trusted service providers

Administrative procedure

Providers who have ceased their activity

La Law 6/2020, of 11 November, regulating certain aspects of electronic trust services, establishes in its article 9.3.c) that the qualified provider who is going to cease his activity must inform the customers to whom he provides his services and the supervisory body at least two months before the effective cessation of the activity, by a means that accredits the effective delivery and reception whenever feasible. The termination plan of the service provider may include the transfer of customers, once the absence of opposition of the same has been proven, to another qualified provider, which may retain the information related to the services provided until then. It shall also inform the supervisory body of any other relevant circumstances that may prevent the continuation of its activity. In particular, he must inform, as soon as he becomes aware of it, of the opening of any insolvency proceedings against him.

Likewise, Article 9.3.a) establishes that the period of time during which they must retain the information relating to the services provided in accordance with Article 24.2.h) of Regulation (EU) 910/2014, will be 15 years from the expiry of the certificate or the completion of the service provided.

On the other hand and in relation to the provision of reliable qualified services, the Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC obliges qualified trust service providers to inform the supervisory body of their intention to cease the provision of their services (Article 24.2.a), as well as to have an updated termination plan to guarantee the continuity of the service (art. 24.2.i).

In addition, as indicated (art. 17.4.i) in the aforementioned Regulation this Ministry (in the exercise of its functions as a supervisory body) verifies the existence and correct application of the provisions relating to the cessation plans in the event of the trust service providers ceasing their activities.

List of ceased providers