- Question ID: 2019_4586
- Legal act: Directive 2015/2366/EU (PSD2)
- Topic: Other topics
- Article: 98
- COM Delegated or Implementing Acts/RTS/ITS/GLs/Recommendations: Regulation (EU) 2018/389 - RTS on strong customer authentication and secure communication
- Article/Paragraph: 34 (1)
- Name of institution / submitter: European Telecommunications Standards Institute
- Country of incorporation / residence: France
- Type of submitter: Other
- Subject matter: Requirement on the use of a Qualified Certificate for Electronic Seals (QSealC) for integrity and authenticity
- Question
Please clarify whether in the EBA’s Opinion on the use of eIDAS under the RTS on SCA and CSC, under Paragraph 11, Qualified Electronic Seals employing a Qualified Seal creation Device are required to provide integrity and authenticity through the reference to Article 35(2) of Regulation (EU) No 910/2014?
- Background on the question
The Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC, item 11, describes the use of a QSealC as required by RTS Article 34(1) for integrity and authenticity of signed / sealed data. This goes on to reference Article 35(2) of Regulation (EU) No 910/2014 (eIDAS). Article 35(2) of Regulation (EU) No 910/2014 relates to a "Qualified Electronic Seal". Under eIDAS Article 3(27) a "Qualified Electronic Seal" includes additional requirements beyond the use of a QSealC, in particular the use of a special device for security of the signing key, called in eIDAS a "Qualified Signature/Seal Creation Device". Use of such a device would be a significant additional burden on Payment Service Providers.
- Submission date
- Final publishing date
-
- Final answer
Article 34(1) of the Commission Delegated Regulation (EU) 2018/389 specifies that ‘for the purpose of identification, as referred to in Article 30(1)(a), payment service providers shall rely on qualified certificates for electronic seals (QSealCs) as referred to in Article 3(30) of Regulation (EU) No 910/2014 or for website authentication (QWACs) as referred to in Article 3(39) of that Regulation.’
Paragraph 11 of the Opinion of the European Banking Authority (EBA) on the use of eIDAS certificates under the RTS on strong customer authentication and secure communication, describes some of the specificities of QSealCs, namely that they (i) ensure the integrity and correctness of the origin (authenticity) of the signed data and (ii) provide strong evidence of the signed data.
The reference in the EBA’s Opinion to Article 35(2) of Regulation (EU) No 910/2014 shows that the specificities of the QSealCs cited in paragraph 11 of the Opinion were in line with the applicable legislation.
Further, this reference is in line with the objective of PSD2 of technological neutrality and did not infer that Qualified Electronic Seals employing a Qualified Seal creation Device are required for the purpose of Article 34(1) of the Delegated Regulation.
- Status
Final Q&A
- Answer prepared by
Answer prepared by the EBA.
Disclaimer
The Q&A refers to the provisions in force on the day of their publication. The EBA does not systematically review published Q&As following the amendment of legislative acts. Users of the Q&A tool should therefore check the date of publication of the Q&A and whether the provisions referred to in the answer remain the same.