eIDAS, an EU regulation (EU 910/2014) on electronic identification and trust services for electronic transactions in the EU, introduced the concept of a Qualified Trust Service Provider (TSP): in case of dispute about the authenticity of the trust service, the disputer needs to prove that the trust service is not authentic.
The law of 21 July 2016 implemented the eIDAS regulation in Belgium. Contrary to eIDAS, the Belgian law also included e-Archiving services in the list of trust services. A qualified e-Archiving TSP will thus be on a Belgian list of Qualified TSPs (not yet on an EU list).
The Royal Decree of 29 March 2019 determined the reference numbers for standards concerning the qualified e-Archiving services. Based on this Royal Decree, the FPS Economy (the supervisory authority) published on 21 March 2021 the BE e-Archiving Certification Scheme; KPMG Certification was closely involved in the development of this scheme.
This scheme covers both Long-Term Preservation of Information services (e-Archiving services) and services for digitizing information that was not born digital (scanning services).
In addition, KPMG has created a KPMG e-Archiving Certification Scheme, which is to a large extent based on the BE e-Archiving Certification Scheme but focuses on the long-term preservation of both:
- digital signatures, stamps and seals; and
- non-complex documents (e.g. PDFs) using digital signature techniques.
This thus normally includes accounting documents, invoices, employee contracts and notarial deeds and excludes medical documents and insurance documents (unless the related documents are non-complex). Contrary to the Scheme of the FPS Economy, the KPMG Scheme does not cover scanning services.
Market and business drivers
The need for this type of certificate can result from the following:
- You are a third-party service provider of e-archiving and/or scanning services and want to become a qualified TSP.
- You are an organization that traditionally handled large quantities of paper, is now implementing digitized processes in order to transition away from paper archives, and wants to become a qualified TSP.
- There is an increased trend of working from home and thus a need for trusted digitization.
How we can help
KPMG Certification can perform the certification audit on your system providing e-Archiving and/or scanning services, based on the BE e-Archiving Certification Scheme, and:
- Provide an Audit Report to the FPS Economy, in order to be added to the BE List of Qualified TSPs for e-Archiving services;
- Provide you with a certificate attesting compliance with the BE e-Archiving Certification Scheme.
KPMG approach to e-Archiving certification
During the application review the scope of certification (“e-Archiving profiles”) and the boundaries of the service to be certified are defined.
During the stage 1 audit a document review is performed to analyze and evaluate the design of the service provisioning system and related organizational & operational controls. The objective is to identify areas of concern that could be classified as a nonconformity during the stage 2 audit and to determine the readiness for a stage 2 audit.
During the stage 2 audit a “reality check” is performed to determine whether the service provisioning system and related organizational & operational controls, of which the design was evaluated during the stage 1 audit, have effectively been implemented by the service provider. If non-conformities are identified during this audit, these will be communicated to the service provider and a subsequent evaluation will be performed of the corrective actions taken by the service provider.
Based on the stage 2 audit an assessment report is prepared, including a statement on conformity of the service provisioning system and a recommendation on certification. This Assessment Report will be the basis for the certification decision and will also be provided to the FPS Economy, based on which a decision to put the TSP on the Belgian list of qualified TSPs for e-Archiving services will be taken.
A certification decision is taken based on an independent review of the audit file and the Assessment Report.
A surveillance audit is performed within a year after the certification decision. The objective is to confirm continuous compliance with the criteria in the e-Archiving certification scheme and identify & evaluate any modification or change to the service. The audit includes sample-based case analysis and inspection of records, registrations and loggings.
Within two years after the certification decision, a full recertification audit is performed.
Combining e-Archiving and ISO 27001 certification
A significant number of the requirements in the BE e-Archiving Certification Scheme refer to ETSI EN 319 401 (General Policy Requirements for TSPs) requirements, which are to a large extent based on the ISO 27001 Annex A requirements.
KPMG offers an integrated assurance approach that provides you with both an e-Archiving and an ISO 27001 certificate.