DoxyChain Confirms Level of Security and Joins Trusted Service Providers

DoxyChain joined a selected group of organizations and was granted a status of trusted service providers by National Bank of Poland.

In the interview below we explore the topic of trusted service providers and learn what are the advantages of the DoxyChain being on the list.

The interview is conducted with Marcin Lorenc, lawyer and co-founder of DoxyChain.

What does it mean to be a trusted service provider?

Let's start with explaining what trust services are. Trust services are electronic services that include, among other things, the issuance of qualified electronic signatures, electronic seals and electronic time stamps and the corresponding certificates. Such services also include, among other things, website authentication or the recording of recorded electronic deliveries. The purpose of trust services is to enable secure electronic transactions that can take place between companies, individuals and public administrations.

Entities that offer the above-mentioned services are called qualified trust service providers. These are companies that have passed an eIDAS compliance assessment audit and have been entered in the register of trust service providers. Such companies include the Eurocert Certification Centre, which must comply with the relevant legal requirements.

What is eIDAS? Why it is important to pass a eIDAS compliance assessment audit?

The eIDAS Regulation is otherwise known as Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. This is the most recent piece of legislation that regulates all issues related to electronic transactions and identification and trust services within the European Union.

With the adoption of the eIDAS Regulation in 2016, a uniform nomenclature of trust services, among other things, was introduced in all EU countries. It also came with specific guidelines for the supervision of providers of these services. The aim of such legislation is to ensure the safe use of new technologies in distance contracting and to increase trust in such services among EU citizens.

What changes has the eIDAS Regulation introduced compared to before 2016?

In practice, since 1 July 2016, public administrations of EU countries have been obliged to accept documents certified with an electronic signature or electronic seal from all Member States. In addition, thanks to this piece of legislation, evidence from electronic transactions can be recognised by the courts.

What measures did Poland take to adapt to eIDAS Regulation?

The Act on Trust Services and Electronic Identification adapted Polish law to the conditions resulting from the eIDAS Regulation. As a consequence, the legal act of 2001 concerning the use of electronic signatures lost its validity. Thanks to the new act, all provisions in the field of electronic transactions that were in force in Poland before 5 September 2016 and did not comply with eIDAS have been eliminated.

In practice, this means, among other things, that according to the current law, a qualified electronic signature that operates on the basis of a certificate issued in another country is accepted by the Polish public administration.

Are there any other standards that are important for trusted service provider?

Organizations who provide trust services also refer to the standards set by the European Telecommunications Standards Institute, or ETSI for short. The institute’s primary task is to prepare guidelines for the telecommunications industry, which compile the technical requirements for the provision of trust services.

Which authorities supervise the work of qualified trust service providers in Poland?

The security of operations of trust service providers in Poland is supervised by the Chancellery of the Prime Minister and the National Certification Centre, abbreviated to NCCert.

Chancellery of the Prime Minister

The Chancellery is responsible for activities related to the digitisation of the Polish public administration. It also acts as an intermediary in the process of obtaining entry into the register of qualified trust service providers. The KPRM also imposes an obligation on them to carry out an audit of their activities, which is organized at least once every 24 months. If a provider wants to introduce new services into its portfolio, this state body verifies their reliability and obliges the company to prepare strictly defined audit documentation.

In the past, this function was performed by the Ministry of Digitalization. It should be pointed out that as of May 2, 2023, the Ministry of Digitization has again been separated as a separate ministry, and competencies in this area can be transferred directly to the ministry.

National Certification Centre (NCCert)

The National Certification Centre is an IT system belonging to the National Bank of Poland. It was established to carry out tasks related to trust services, which include:

• creation and issuance to qualified trust providers of appropriate certificates that versify advanced electronic signatures and electronic seals,
• publication of issued certificates,
• publication of the list of revoked certificates,
• creation of electronic seal data for qualified certificates.

Why is obtaining the status of trusted services provider important? And what are the benefits for the DoxyChain customers?

Very few companies are included in this list, in additional to DoxyChain, the list of trusted services includes Asseco Data Systems S.A., Orange Polska S.A., Krajowa Izba Rozliczeniowa S.A., EuroCert Sp. z o.o, Polska Wytwórnia Papierów Wartościowych S.A., the Ministry of Finance, Poczta Polska S.A. Therefore, as you can see, the group is very narrow and the benefit is that the person using DoxyChain’s services knows that the services have been vetted by a public body and are subject to scrutiny and therefore the services must be provided with the utmost attention to security.

Where can we see if the companies is on the list issued by National Bank of Poland?

Everyone can check the register online to see if the company is a trusted service provider. The register is an important tool for ensuring the security and quality of trust services in Poland. It allows users to verify the legitimacy and trustworthiness of trust service providers and their certificates. As a result, the use of electronic signature or other trust services becomes more secure and effective.

It is worth noting that the register of trust services in Poland complies with the requirements of the European Union, which ensures full confidence in certificates issued by Polish certification authorities and trust service providers.

Was the process of obtaining the registration difficult?

Obtaining an entry in the list of trust services can be difficult and requires meeting certain prerequisites. The NBP must be certain that it includes entities that meet certain security and quality standards for the services they provide. To obtain an entry on this list, a company must undergo a verification process and prove that it meets certain criteria. These requirements include, among other things, the possession of the relevant certificates and attestations confirming the security and quality of the services, as well as compliance with the relevant data protection standards and regulations. Entities applying for inclusion in the NBP’s list of trust services must also undergo an audit by an independent auditor. This audit aims to confirm that the company does indeed meet the requirements set by the NBP. In summary, obtaining an entry in the list can be difficult and requires meeting certain security and quality standards. However, for companies that meet these requirements, inclusion on the list can be an important distinction and contribute to customer confidence.

What are other compliancies that DoxyChain has?

DoxyChain is still ISO 270001 certified. DoxyChain’s ISO 27001 certification means that the company meets the requirements of the international standard for information security management. ISO 27001 specifies the requirements for an information security management system (ISMS), which aims to provide an appropriate level of security for information handled by an organisation. As part of the ISMS, an organisation must demonstrate that it has implemented and maintains appropriate procedures, controls and technology to protect the confidentiality, integrity and availability of information. Having ISO 27001 certification can bring many benefits to DoxyChain, including:

• Increased customer confidence - having the certification demonstrates that the company follows information security best practices and can adequately protect customer data.
• Increased competitiveness - having ISO 27001 certification can set you apart from your competitors, especially in the IT and service industries where information security is key.
• Improve internal processes - the implementation of ISO 27001 requires certain procedures and controls to be in place, which can help to streamline internal processes and make operations more efficient.

What are the next steps for DoxyChain from legal perspective?

DoxyChain has many plans from a legal perspective, however, all plans are correlated with product development. The product that is being developed must also be in compliance with current regulations in Poland and throughout the European Union. Our plans are ambitious, but we must implement them in small steps in parallel with the development of the product.

Make sure to go through the intro into the legal aspects of digital certificates.

‍