ICT

The present document specifies general policy requirements relating to Trust Service Providers (TSPs) that are 
independent of the type of TSP. It defines policy requirements on the operation and management practices of TSPs. 
Other specifications refine and extend these requirements as applicable to particular forms of TSP. The present 
document does not specify how the requirements identified can be assessed by an independent party, including 
requirements for information to be made available to such independent assessors, or requirements on such assessors. 
The present document aims to support the requirements on NIS2 Directive [i.13] and addresses the general requirements 
for security management and cybersecurity of trust services (qualified and non-qualified). 
NOTE: See ETSI EN 319 403-1 [i.2] for details about requirements for conformity assessment bodies assessing 
Trust Service Providers. 

The present document specifies procedures for:
• the creation of AdES digital signatures (specified in ETSI EN 319 122-1 [i.2], ETSI EN 319 132-1 [i.4], ETSI
EN 319 142-1 [i.6] respectively);
• establishing whether an AdES digital signature is technically valid;
whenever the AdES digital signature is based on public key cryptography and supported by Public Key
Certificates (PKCs). To improve readability of the present document, AdES digital signatures are meant when the term
signature is being used.
NOTE 1: Regulation (EU) No 910/2014 [i.15] defines the terms electronic signature, advanced electronic signature,
electronic seals and advanced electronic seal. These signatures and seals are usually created using digital
signature technology. The present document aims at supporting the Regulation (EU) No 910/2014 [i.15]
for creation and validation of advanced electronic signatures and seals when they are implemented as
AdES digital signatures.
The present document introduces general principles, objects and functions relevant when creating or validating
signatures based on signature creation and validation constraints and defines general classes of signatures that allow for
verifiability over long periods.

The following aspects are considered to be out of scope:
•      generation and distribution of Signature Creation Data (keys, etc.), and the selection and 
use of cryptographic algorithms;

•      format, syntax or encoding of data objects involved, specifically format or encoding for 
documents to be signed or signatures created; and

•      the legal interpretation of any signature, especially the legal validity of a signature.
NOTE 2: The signature creation and validation procedures specified in the present document provide 
several options and possibilities. The selection of these options is driven by a signature creation 
policy, a signature augmentation policy or a signature validation policy respectively. Note that 
legal requirements can be provided through specific policies, e.g. in the context of qualified 
electronic signatures as defined in the Regulation (EU) 910/2014 [i.15].