QTSP certification – Differentiation of digital signing service according to Remote Signing model from a QTSP according to EU eIDAS regulations

QTSP certification – Distinguishing Remote Signing Services from a Trusted Service Provider under the EU eIDAS Regulations. QTSP certification is one of the most important certifications under the European Union’s eIDAS Regulation on electronic identification and trust services. It lays the foundation for legalizing electronic contracts, documents and certificates signed between Vietnamese individuals and organizations and their EU partners. Remote signing services provided by a QTSP offer numerous advantages.  

QTSP certification 

Regulation 910/2014 of the European Union (also known as the eIDAS Regulation) is the most comprehensive legal framework for electronic signatures, electronic seals, electronic timestamps, electronic delivery, and website authentication. Accordingly, eIDAS recognizes the legal validity of trusted services and electronic documents, enabling the cross-border use of trusted services, electronic signatures, electronic seals, and electronic timestamps among all EU member states. European individuals, organizations, and authorities cannot refuse the evidentiary value of evidence solely because it is in electronic form. To build trust among organizations and individuals in the European common market, the eIDAS Regulation mandates the Qualified Trust Service Provider (QTSP) certification as the highest standard for security, reliability, and confidentiality in electronic transactions. Currently, only Qualified Electronic Signatures (QES) for individuals and Qualified Electronic Seals (QSeal) for organizations, provided by QTSPs, are recognized throughout the EU with the same legal effect as handwritten signatures or organizational seals, without requiring any further evaluation or explanation.  

Mr. Nguyen Thien Nghia, Director of the National Electronic Authentication Center (NEAC), presented the license to Mr. Hoang Nguyen Van, Chairman of the Board of Directors of SAVYINT. 

To become a Qualified Trust Service Provider (QTSP), organizations must undergo rigorous audits and assessments by the national Supervisory Body (SB) from the preparation phase to post-assessment monitoring and service maintenance. Full compliance with all eIDAS requirements is mandatory before providing services. To maintain trust, QTSPs are required to undergo compliance assessments by EU Conformity Assessment Bodies (CABs) at least every two years.  

The distinctiveness of Remote Signing services from a QTSP under EU eIDAS regulations – TrustCA Qualified Remote Signing  

In July 2021, SAVIS officially became the first Vietnamese QTSP providing remote signing, electronic seal, and HSM-based digital signature services, in compliance with EU eIDAS regulations. This means that all 27 EU countries fully recognize the remote signing and electronic seal services provided by SAVIS. Operating under the SCAL2 security authentication mechanism, the system ensures that only the signer can activate the private key securely stored on the HSM device, providing sole control over the key. It fully complies with the SAM Module requirements and holds a CC EAL4+ certificate with EN 419 241-2. Compared to Vietnamese regulations such as Decree 130/2018/ND-CP and Circular 16/2019/TT-BTTTT, SAVIS is fully capable of providing remote signing services, meeting all mandatory technical standards for electronic authentication and digital signature services. Furthermore, SAVIS surpasses these standards by adhering to the highest levels of the eIDAS Regulation and ISO/IEC 27001 in terms of management, operation, and system security. In 2024, SAVIS GROUP established SAVYINT with the mission of globalization. Therefore, digital signature services of SAVIS and SAVYINT are widely accepted not only in Vietnam but also in the EU for cross-border trade. 

For providers of electronic payment and transaction services, such as financial institutions and banks, the presence of a Vietnamese QTSP will address a major bottleneck in the digital finance ecosystem. It will facilitate market expansion and international integration by ensuring a unified and interoperable secure electronic identification and authentication process. This will create a synchronized electronic transaction market based on a common technical standard, reducing congestion and transaction disruptions caused by disputes between parties. 

  • Electronic documents and certificates will be widely accepted in the market without the need for complex explanations.  
  • Easy integration into the global digital economy, participating in payment networks and sharing global information.  
  • Ensures consistency in the structure and format of digital certificates, electronic signatures, and digital signatures, allowing for easy long-term or permanent storage without the need for processing, re-signing, or worrying about the obsolescence of signature technology.  

Rapid adoption and full utilization of electronic authentication and digital signature services from a QTSP will enable organizations to modernize and fully digitize their electronic transactions, boost e-commerce, and build digital banking and open banking systems. This will attract new customers and markets, driving revenue and profit growth.  

Additionally, the shift to remote signing will provide an advanced digital signature solution, allowing users to sign documents anytime, anywhere, on any device with superior security and reliability, without having to keep a key storage device at hand or find a suitable connection port.

Comparing SAVYINT digital signature service and other public digital signature services in Vietnam

| Criteria | SAVYINT – Qualified Remote Signing & TrustCA Timestamp | Other Public Digital Signature Service Providers |
| --- | --- | --- |
| Ensuring the security, reliability, and non-repudiation of digital signatures in electronic transactions | Applying Advanced Electronic Signatures (AdES) with non-repudiation electronic timestamps to create reliable evidence of the timestamp of the formation of electronic transactions/documents. Supporting Longterm Validation (LTV) technology, which allows for the verification of the validity of digital signatures after 10, 20, or even indefinitely, without relying on the certificate’s lifecycle or service provider. | Applying Basic Signatures without timestamps, there is no reliable evidence of the date and time of the formation of the electronic document/transaction. The signing time can be modified, forged, disputed, repudiated, or subject to legal disputes without any protective evidence. |
| | Digital signatures fully comply with the technical specifications in Circular 06/2015/TT-BTTTT, requiring a key length of 2048 bits or more and the RSA algorithm with the SHA-256 hash function. | Digital signatures that do not comply with the technical specifications stipulated in Circular 06/2015/TT-BTTTT, such as having a key length less than 2048 bits or using the compromised SHA-1 hash algorithm, pose a risk of undetectable forgery. Such digital signatures are no longer secure for electronic transactions. |
| Ensuring document authenticity for 10, 20 years or even permanently, depending on specific regulations or the purpose of storing signed electronic documents | Applying Advanced Electronic Signatures (AdES) and Qualified Electronic Signatures (QES) with electronic timestamps and Longterm Validation (LTV) technology to create reliable and verifiable evidence of the signature’s validity at the time of signing. The validity of the digital signature is independent of the validity of the individual or legal entity’s certificate, and can be independently verified for 10, 20 years, or even permanently. Therefore, users benefit from the highest level of security: no dependence on service providers, no need to maintain certificates, and no need to re-sign electronic documents. | Applying Basic Signatures, which depend on the certificate’s lifecycle. Once the certificate expires, the signed document cannot be verified (more than 3 years for certificates issued by public CAs in Vietnam). |
| Ensuring a secure and legally compliant certificate issuance process, with no room for certificate repudiation | Fully complying with Decree 130/2018/ND-CP regarding the certificate issuance process, including the user’s confirmation on the certificate application. Eliminating the risk of signature repudiation or audits and lawsuits from parties involved in electronic transactions. | Applying 24-hour online certificates without handwritten applications, exposing parties to the risk of illegal certificate revocation or repudiation. After 24 hours, the certificate expires, rendering the digital signature unverifiable and the signed document invalid. |
| Remote Signing system has been independently assessed by specialized agencies against European standards as required by Circular 16/2019/TT-BTTTT | Fully implementing security policy standards for operation, exploitation, and management of trusted digital signature systems, along with certificates and technical certifications for system components. SAVIS, SAVYINT have been certified by the European Conformity Assessment Body, Tayllorcox, for meeting the standards for providing Qualified Remote Signing services. The service license will be issued next month. | Many organizations have not yet obtained QTSP certification and a license to provide remote signing services from the Ministry of Information and Communications, as required by Circular 16/2019/TT-BTTTT. |
