Article 19. Security requirements applicable to trust service providers

PERTOT T
2020-01-01

Abstract

Article 19 of the eIDAS Regulation requires trust service providers to take appropriate – technological and organizational – security measures in order to prevent security incidents and to mitigate their impact. Similar provisions also exist in other fields of EU legislation. The purpose of the norm, which applies to both qualified and non-qualified trust service providers, is to ensure a high security standard. The level of security to be achieved should be proportionate to the degree of risk posed by the trust service provided. Trust service providers should therefore first conduct a risk assessment in order to identify the risks connected with their activity. When choosing appropriate security measures, technological developments should be taken into account. One of the measures the trust service provider has to adopt to mitigate the impact of an incident is to notify stakeholders. A notification duty is also imposed upon the notified supervisory bodies, which have to give notice of the incident to the public, to the authorities in other Member States and to ENISA. The provision finally empowers the Commission to adopt implementing acts to further specify the legal requirements and define the details of the notification process. These acts have not yet been adopted; in the meantime, some guidance for trust service providers can be found in ENISA's publications.
ISBN 978-3-406-74297-2
Files in this item:

File: Article 19. Security requirements applicable to trust service providers.pdf
Access: closed access
Description: chapter, with the book's title page and table of contents
Type: publisher's version
License: publisher copyright
Size: 9.7 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/11368/3028725