Harmonizing Conformity Assessments of Qualified Trust Service Providers: A Proposal for Strengthening Cross-Border Trust within the EU
Abstract
The research conducted within this PhD position focuses on developing a coherent approach among EU Member States to conducting eIDAS conformity assessments. It explores the regulatory framework and identifies challenges and similarities, with the goal of providing guidance for implementing entities and proposing changes to improve the consistency of assessments across the EU.
| Research field: | Information and communication technology |
|---|---|
| Supervisor: | Eric Jackson |
| Availability: | This position is available. |
| Offered by: | School of Information Technologies, Department of Software Science |
| Application deadline: | Applications are accepted between June 01, 2025 00:00 and June 30, 2025 23:59 (Europe/Zurich) |
Description
The eIDAS regulation[1] sets the requirements for qualified trust service providers. The purpose of this research is to determine the extent of similarities and differences in how conformity assessment bodies assess qualified trust services, the practical impact on the entities being assessed, and the resulting impact on the trust between Member States, the latter being the very foundation of the regulation. This is an especially timely topic, as the amended version of the eIDAS regulation, commonly referred to as eIDAS 2.0, introduced a number of new qualified trust services and requires all Member States to provide at least one European Digital Identity Wallet to their citizens and residents by the end of 2026. Qualified trust services are also needed for the Digital Identity Wallet, and with the addition of trust services, the need for regular conformity assessments will increase.
The primary goal is to use the analysis of the similarities and differences in assessment of qualified trust service providers within the EU, and other comparative entities outside the EU, to provide usable suggestions on how to improve the existing framework for eIDAS conformity assessments and to harmonize practices across Member States, contributing to the Digital Single Market. A secondary objective is to produce usable guidance documents and mappings of requirements for entities in implementing roles (i.e. qualified trust service providers, registration authorities, ICT providers for trust services, etc.).
Research questions:
- Mapping of the status quo, through a literature review:
- What is the current regulatory framework and related common practices for qualified trust services?
- What are the qualifications and prerequisites to become an auditor for an eIDAS conformity assessment body?
- What are the challenges for conformity assessment bodies in the current practice and what new challenges arise from the changes to the eIDAS regulation?
- What are the similarities and differences in conformity assessments of trust services across different conformity assessment bodies in the EU and comparative ones outside the EU?
- What is the impact on the implementing entities and trust between Member States in how the conformity assessments of qualified trust services are performed (or are perceived to be performed)?
- How to further harmonize the implementation and assessment of requirements for qualified trust services across the EU, for more efficient implementation and improved trust among Member States?
Responsibilities and tasks:
- Map the existing and currently developing regulatory framework in the EU and selected other legal systems for qualified trust services. Determine the parts of the regulatory framework which are mandatory (i.e. direct requirements from regulations) and which parts are optional (e.g. non-harmonized EU standards), as well as what choices different qualified trust service providers have made in different Member States.
- Focus on a specific qualified trust service and map the requirements for that service, creating usable guidance documents for those in implementing roles (e.g. qualified trust service providers, registration authorities, identity proofing service providers or ICT providers).
- For the chosen qualified trust service, determine how conformity assessment bodies across the EU differ in their assessments of the requirements set for the qualified trust service provider and the qualified trust service being assessed.
- Determine the shortcomings in the existing regulatory framework where there is a lack of a common implementation and interpretation of the requirements.
- Develop proposals and actionable recommendations for the European Digital Identity Cooperation Group, Supervisory Bodies and National Accreditation Bodies to harmonize assessments across the EU.
Applicants should fulfil the following requirements:
- a master’s degree (preferably in law and/or IT)
- interest and experience in DIM regulatory matters (specifically the eIDAS regulation), trust services, EU conformity assessments or other IT audits; working knowledge of the eIDAS regulation and its implementation
- excellent command of English
- willingness to help raise eIDAS competence at TalTech and in Estonia via courses, training, materials and/or teaching (preferably both in English and in Estonian)
- supervision of theses at the BA and MA levels
- capacity to conduct research both independently as well as part of an international interdisciplinary team
- contribute to measures facilitating DIM in practice
The candidate should submit a research plan for the topic, including the overall research and data collection strategy. The candidate can expand on the listed questions and tasks, and propose theoretical lenses to be used.
[1] Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and Regulation (EU) No 2024/1183 of the European Parliament and of the Council of 11 April 2024, amending Regulation No 910/2014 as regards establishing the European Digital Identity Framework.