Post-Brexit Support for the eIDAS Regulation
Up until the end of the transition period, the UK maintained a trusted list in accordance with Article 22 of the eIDAS Regulation. This trusted list contains information on both current and historical qualified trust service providers (QTSPs) supervised by the UK supervisory body, as well as information on the trust services that those QTSPs provide.
The European Commission publishes, in accordance with Article 22(4), a ‘list of trusted lists’ (LOTL) with, among others, pointers (links/URLs) to all Member States’ trusted lists, as it was also the case for the UK trusted list until the end of the transition period. Using the LOTL and the Member States’ trusted lists, the recipient of an electronic signature (a ‘relying party’) can validate whether or not the electronic signature is a qualified electronic signature.
In the past, two trust service providers (TSPs) were qualified for the issuance of qualified certificates (QCs) for electronic signatures: Exostar UK Limited from 1 July 2016 to 5 May 2018, and Royal Bank of Scotland Plc (RBS) from 11 February 2002 to 1 July 2017. During the period these TSPs were qualified they could issue qualified certificates for electronic signatures.
Potentially qualified certificates for electronic signatures were issued by Exostar and RBS in the period during which those two TSPs were qualified, and that a number of qualified electronic signatures (QESigs) based on those qualified certificates were created during the same period.
In order for any such created UK QESigs to continue to be considered as qualified electronic signatures after the end of the transition period, the corresponding historical information of the qualified status of UK TSPs (i.e. the UK TL) should continue to be available in accordance with Commission Implementing Decision (EU) 2015/1505 on trusted list formats, and in particular with ETSI TS 119 612 v2.1.1 Clause 5.3.15. In particular, the last version of the UK TL as at 31 December 2020, show all Qualified TSP services' status as "expired" (in fact this was already the case as the status of all qualified trust services were set to “withdrawn” as the services had not been renewed), but also, no 'next update date' is specified (implying that it reflects the content of the last UK TL published before leaving the scheme on 31 December 2020). This final EU-UK TSL is signed with one of the signing certificates notified to the European Commission according to Article 4(1) of the Commission Implementing Decision (EU) 2015/1505.
This TL, the last TL issued by the UK under eIDAS, will remain unchanged. It will be published by the European Commission and referenced in the EU LOTL for the sake of the availability of the historical information of the qualified status of UK TSPs.
Format of Trusted List (TL)
Article 22(5) of the eIDAS Regulation required the Commission to specify the information to be included in the TL and to define the technical specifications and formats for TL. This was effected by Commission Implementing Decision (EU) 2015/1505 of 8 September 2015.
As of 31st December 2020, the last version of the TSL is at sequence number 25 and with a TSL Identifier value of “UKTSL31December2020”. Update from number 22 to number 23 was in order implement the changes required above, i.e. to update Identifier, change the distribution point and remove the 'next update date'. Unfortunately there were some parsing issues with removing the 'next update date', which were partially resolved in number 24 and then fully resolved in number 25. There were no changes to any TSP or their services.
* According to ETSI TS 119 612 V2.1.1 clause 6.1 (TL publication) it is recommended to publish, as a companion file, a .sha2 digest file that shall be computed as the SHA-256 hash value of the binary representation of the trusted list XML file. The above file is the lower case text transformation of the HEX encoded binary value of the relevant SHA-256 hash.