ETSI - TS 102 573
Electronic Signatures and Infrastructures (ESI); Policy requirements for trust service providers signing and/or storing data objects
Publication Date: 1 April 2012
The present document specifies policy requirements applicable to Trusted Service Providers (TSP) that electronically sign and/or store data objects on behalf of their customers. These policy requirements may also be complied with by persons that store data objects on their own. The present document aims to address regulatory requirements to produce and reliably keep, even indefinitely, electronic data objects, where applicable also signed. The practices identified in the present document are independent of the type of data object being preserved, although peculiar requirements for fiscally relevant ones are also specified.
The present document is directed at policies involving the use of the Advanced Electronic Signatures or Qualified Electronic Signatures. The primary aim of the application of signatures is to assure the integrity and the authenticity of origin of data objects in communication and storage. However, signatures may also be used, where required, to provide content commitment (i.e. non-repudiation).
The present document addresses solely the Advanced Electronic Signature based solutions. It is recognized that other suitable measures, not employing Advanced Electronic Signatures, and hence that are outside the scope of the present document, may be applied to assure the authenticity and integrity of digital data objects. It should be noted that the reliability of such alternative measures generally depends on the trustworthiness of the organization and on the exhaustiveness of the adopted practices and procedures, and may require independent assessment of the technical and organizational measures applied. Advanced Electronic Signatures may be used to augment existing measures to provide even higher security, or to reduce the need for other controls. This fits particularly art. 233 of EU VAT Directive 2006/112/EC as amended by 2010/45/EU.
The present document may be used by competent independent bodies as the basis for confirming that an organization is trustworthy in issuing and storing signed electronic data objects on behalf of other persons or on its own behalf.
The present document does not specify how the requirements identified may be assessed by an independent party, including requirements for data objects to be made available to such independent assessors, or requirements on such assessors.
Within the present document the key word "should" indicates that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications need to be understood and carefully weighed before choosing a different course.
Guidance on implementing a trustworthy Data object Preservation System can be found in TS 101 533-1 [i.3]. Guidance on assessing Data object Preservation Systems can be found in TR 101 533-2 [i.4].