obOpen Banking Lab
GlossarySTETBlogContact
Security

eIDAS TSP

eIDAS Trust Service Provider

Qualified trusted third party that issues the QWAC and QSealC certificates every TPP needs to identify itself to European banks.

See also:TPPASPSPNCAACPR

Definition

An eIDAS TSP (Trust Service Provider) is a qualified trusted third party within the meaning of the eIDAS regulation.

For DSP2, its role is very concrete: it is the one that issues the QWAC and QSealC certificates that every TPP (AISP, PISP, CBPII) needs to identify itself to banks and sign its requests.

Why an eIDAS certificate for DSP2

When a TPP calls a bank's API, the ASPSP has to verify two things within a few milliseconds:

  1. Who are you? The QWAC (Qualified Website Authentication Certificate) authenticates the TPP via mTLS, at the transport layer.
  2. Are you licensed for this role? The certificate contains the licence number issued by the NCA and the list of roles (PSP_AS, PSP_PI, PSP_AI, PSP_IC).

For signed requests (payments in particular), the QSealC (Qualified electronic Seal Certificate) adds a qualified signature at the application layer (HTTP signature) — the only way, in the event of a dispute, to prove who sent what.

What an eIDAS TSP does

  • Verifies the TPP's licence with the NCA (EBA register, REGAFI, BaFin).
  • Issues the QWAC and the QSealC, with the embedded PSD2 roles.
  • Renews the certificates (typical validity of 1 to 2 years).
  • Revokes them in case of licence withdrawal or compromise.
  • Publishes its certificates in a CRL / OCSP that can be queried in real time.

What an eIDAS TSP does not do

  • It does not grant a DSP2 licence: that is the NCA; the TSP merely acknowledges the licence.
  • It does not validate an API call: it is the ASPSP that checks the certificate on every request.
  • It does not operate everywhere without accreditation: it must appear on each State's Trusted List.
  • It is not free: from a few hundred to a few thousand euros per year per certificate.

In the PSD2 ecosystem

The TSP is the trust link between the NCA (which certifies the TPP's legal identity) and the ASPSP (which has to recognise it technically on every call). Without valid QWAC and QSealC certificates, no call to a bank goes through.

Concrete examples

  • Qualified TSPs in France: Certigna (DhiMyOtis), Certinomis (Docaposte / La Poste), ChamberSign — all on the French Trusted List published by the ANSSI.
  • Qualified TSPs in Europe: D-Trust (Bundesdruckerei, DE), Buypass (NO), InfoCert (IT), Trustpro (IE) — more than 200 qualified TSPs across the EEA.
  • Cost and lead times: 2 to 4 weeks for the first issuance, a few days for renewals; prices from €300 to €2,000/year per certificate.
  • Choosing your TSP: reputation with the banks (some prefer local TSPs), re-issuance lead times, support for automated rotations, an issuance API (useful for scaling a multi-TPP platform).
  • Trusted Lists: to verify that a TSP is qualified, consult the EU LOTL (List of Trusted Lists) maintained by the Commission — every serious bank uses it to validate the certificate chain.

See also: STET handbook

Sources

Back to glossary