Article 19. Security requirements applicable to trust service providers
Pertot, T
2020-01-01
Abstract
Article 19 of the eIDAS Regulation requires trust service providers to take appropriate technological and organizational security measures in order to prevent security incidents and to mitigate their impact. Similar provisions also exist in other fields of EU legislation. The purpose of the norm, which applies to both qualified and non-qualified trust service providers, is to ensure a high security standard. The level of security to be achieved should be proportionate to the degree of risk posed by the trust service provided. Thus, trust service providers should first conduct a risk assessment in order to identify the risks connected with their activity. When choosing appropriate security measures, technological developments should be taken into account. One of the measures the trust service provider has to adopt to mitigate the impact of an incident is to notify stakeholders. A notification duty is also imposed upon the notified supervisory bodies, which have to give notice of the incident to the public, to the authorities in other Member States and to ENISA. The provision finally empowers the Commission to adopt implementing acts to further specify the legal requirements and define the details of the notification process. These acts have not been adopted yet. However, some guidelines for trust service providers can be found in ENISA's publications.

| File | Size | Format |
|---|---|---|
| Article 19. Security requirements applicable to trust service providers (1).pdf | 9.7 MB | Adobe PDF |

License: Not public
Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.