Am I a trust service provider under NIS 2?
Trust service providers sit in NIS 2 Annex I sector 8. Every trust service provider, qualified or not, is in scope regardless of size under Article 2(2)(a)(ii). Qualification decides the tier, not the scope: qualified TSPs are essential entities under Article 3(1)(b), non-qualified TSPs are important entities under Article 3(2). eIDAS sits in parallel and governs the trust service itself.
The short version
A trust service provider (Article 3(19) eIDAS) is anyone who provides one or more trust services as defined in Article 3(16) eIDAS Regulation (EU) 910/2014: electronic signatures, electronic seals, electronic time stamps, electronic registered delivery, website authentication certificates, or the preservation of any of these. Annex I sector 8 of NIS 2 names trust service providers explicitly as part of Digital Infrastructure.
Article 2(2)(a)(ii) NIS 2 then pulls a lever that does not apply to most other sectors. Trust service providers are among the entity types to which the Directive applies regardless of size; the medium-enterprise threshold from Article 2(1) does not gate them. Article 3(1)(b) adds the second step: qualified trust service providers, as defined in Article 3(20) eIDAS, are essential entities regardless of size. A two-person qualified TSP that issues qualified certificates for electronic signatures is bound the same way as a 500-person CA.
Non-qualified TSPs are in scope on the same regardless-of-size basis, but land in the important-entity tier under Article 3(2). The Article 2(1) size test (at least 50 staff, or more than 10 million euros in both annual turnover and annual balance sheet total, per Recommendation 2003/361/EC) is what gates cloud, data centre or CDN providers in the same sector; it never runs for a trust service provider. eIDAS Article 19 binds qualified and non-qualified TSPs alike with a security baseline. Two regimes run in parallel either way: eIDAS for the trust service itself, NIS 2 for the cross-organisational cyber duties (Article 20 management training, §32 BSIG significant-incident reporting, Article 21 risk-management measures).
NIS 2 Directive (2022/2555), Annex I sector 8 (Digital Infrastructure)
Internet Exchange Point providers; DNS service providers, excluding operators of root name servers; TLD name registries; cloud computing service providers; data centre service providers; content delivery network providers; trust service providers; providers of public electronic communications networks; providers of publicly available electronic communications services.
This is the sub-category list of Annex I sector 8 (Digital Infrastructure), OJ L 333/146. Trust service providers are one of the listed sub-categories. The sector list does not split qualified from non-qualified; that split is made by Article 3 NIS 2 and by eIDAS.
Article 2(2)(a)(ii) and Article 3(1)(b) NIS 2 + Article 3(16), 3(17) and 3(20) eIDAS
Article 2(2) NIS 2: Regardless of their size, this Directive also applies to entities of a type referred to in Annex I or II, where: (a) services are provided by: (i) providers of public electronic communications networks or of publicly available electronic communications services; (ii) trust service providers; (iii) top-level domain name registries and domain name system service providers. Article 3(1)(b) NIS 2 lists, among the essential entities, qualified trust service providers and top-level domain name registries as well as DNS service providers, regardless of their size; Article 3(2) makes every other in-scope Annex I or II entity an important entity. Article 3(16) eIDAS: 'trust service' means an electronic service normally provided for remuneration which consists of: (a) the creation, verification, and validation of electronic signatures, electronic seals or electronic time stamps, electronic registered delivery services and certificates related to those services, or (b) the creation, verification and validation of certificates for website authentication, or (c) the preservation of electronic signatures, seals or certificates related to those services. Article 3(17): 'qualified trust service' means a trust service that meets the applicable requirements laid down in this Regulation. Article 3(20): 'qualified trust service provider' means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body.
Three definitions stacked. Article 3(16) eIDAS tells you what counts as a trust service. Article 3(17) and 3(20) tell you when a provider is qualified: the service meets the eIDAS requirements and the supervisory body has granted qualified status, which puts the provider on the national trusted list. Article 2(2)(a)(ii) NIS 2 then says: if you provide a trust service, you are in NIS 2 regardless of headcount or turnover. Article 3(1)(b) says: if you are qualified, you are an essential entity.
§28 BSIG + Vertrauensdienstegesetz (Germany)
§28 BSIG transposes the Annex I scope into German law. §28(1) captures qualified trust service providers as 'besonders wichtige Einrichtungen' regardless of size, and §28(2) captures all other trust service providers as 'wichtige Einrichtungen', again without a size threshold. The Vertrauensdienstegesetz (VDG) is the national accompanying law to the eIDAS Regulation; it designates the Bundesnetzagentur as the supervisory body for trust services, which publishes the German trusted list.
The eIDAS Regulation applies directly without German transposition. The VDG only adds the supervisory machinery. NIS 2 sits separately on top of both: §28 BSIG places qualified TSPs in the highest tier (besonders wichtige Einrichtung) and non-qualified TSPs in the second tier (wichtige Einrichtung), neither gated by size, with the BSI as the cyber regulator.
Do you provide a trust service?
Match your offering against Article 3(16) eIDAS. The closed list is: electronic signatures, electronic seals, electronic time stamps, electronic registered delivery services, website authentication certificates, and the preservation of any of these. The service is normally provided for remuneration. If your offering does not fit any of these categories, you are not a TSP under eIDAS, no matter how much cryptography you ship.
Are you the provider or only a user?
A TSP issues or operates the trust service for others. A company that signs its own invoices with an external qualified signature service is a user of that service, not a TSP. A consultancy that helps a client deploy signature workflows is a user too. Provider status hangs on whether you create, validate, deliver or preserve the trust service itself, for someone else, for money.
Qualified or non-qualified?
Check the national trusted list (in Germany: the Bundesnetzagentur trusted list under the VDG). If you are listed there as a qualified provider, Article 3(1)(b) NIS 2 makes you an essential entity regardless of size. If you are not listed, you are a non-qualified TSP: still in scope regardless of size under Article 2(2)(a)(ii), but as an important entity under Article 3(2). The Article 2(1) size test (medium enterprise or larger) decides nothing for either group. Two- and three-person qualified TSPs exist in this sector, and they are all in scope.
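The three questions above form one decision procedure, and the size test that gates the rest of Annex I sector 8 is where practitioners most often go wrong (the Recommendation 2003/361/EC financial ceilings must both be exceeded, staff headcount alone suffices). The following is an added worked example, not code from the original page: it encodes the rules as cited on this page (Article 2(1), Article 2(2)(a)(ii), Article 3(1)(a), 3(1)(b) and 3(2) NIS 2) and runs them over constructed sample entities. The entity type labels, field names and sample figures are assumptions made for illustration; Article 2(2)(b) to (f) member-state designations and the public electronic communications branch are deliberately not modelled.

```python
"""NIS 2 scope and tier check for Annex I sector 8 entities (added example, not from the page).

Rules encoded:
  Article 2(1): an Annex I entity is in scope if it is at least medium-sized under
    Recommendation 2003/361/EC, i.e. >= 50 staff OR (turnover > EUR 10M AND balance
    sheet > EUR 10M). Exceeding only one financial ceiling keeps the entity small.
  Article 2(2)(a)(ii)/(iii): trust service providers, DNS service providers and TLD
    registries are in scope regardless of size.
  Article 3(1)(a): Annex I entities above the medium ceilings (>= 250 staff OR
    (turnover > EUR 50M AND balance sheet > EUR 43M)) are essential entities.
  Article 3(1)(b): qualified TSPs, DNS providers and TLD registries are essential
    regardless of size. Article 3(2): every other in-scope entity is important.
Entity type labels below are constructed for this example, not legal terms of art.
"""
from dataclasses import dataclass

MILLION = 1_000_000

TSP = "trust service provider"
DNS_OR_TLD = {"dns service provider", "tld name registry"}
OTHER_ANNEX_I = {
    "internet exchange point provider", "cloud computing service provider",
    "data centre service provider", "content delivery network provider",
}


@dataclass(frozen=True)
class Entity:
    name: str
    entity_type: str
    staff: int
    turnover_eur: float
    balance_sheet_eur: float
    qualified_tsp: bool = False  # qualified status granted by the supervisory body (trusted list entry)


def at_least_medium(e: Entity) -> bool:
    """Not micro/small under 2003/361/EC: >= 50 staff, or over EUR 10M on BOTH financial ceilings."""
    return e.staff >= 50 or (e.turnover_eur > 10 * MILLION and e.balance_sheet_eur > 10 * MILLION)


def exceeds_medium(e: Entity) -> bool:
    """Above the medium ceilings: >= 250 staff, or turnover over EUR 50M AND balance sheet over EUR 43M."""
    return e.staff >= 250 or (e.turnover_eur > 50 * MILLION and e.balance_sheet_eur > 43 * MILLION)


def classify(e: Entity) -> dict:
    """Return scope, NIS 2 tier and the provisions relied on, for the written Anwendbarkeitspruefung."""
    if e.entity_type == TSP:
        # Size is never asked for a trust service provider; qualification sets the tier.
        if e.qualified_tsp:
            return {"in_scope": True, "tier": "essential", "basis": ["Art. 2(2)(a)(ii)", "Art. 3(1)(b)"]}
        return {"in_scope": True, "tier": "important", "basis": ["Art. 2(2)(a)(ii)", "Art. 3(2)"]}
    if e.entity_type in DNS_OR_TLD:
        return {"in_scope": True, "tier": "essential", "basis": ["Art. 2(2)(a)(iii)", "Art. 3(1)(b)"]}
    if e.entity_type in OTHER_ANNEX_I:
        if not at_least_medium(e):
            return {"in_scope": False, "tier": None, "basis": ["Art. 2(1) size test not met"]}
        if exceeds_medium(e):
            return {"in_scope": True, "tier": "essential", "basis": ["Art. 2(1)", "Art. 3(1)(a)"]}
        return {"in_scope": True, "tier": "important", "basis": ["Art. 2(1)", "Art. 3(2)"]}
    return {"in_scope": False, "tier": None, "basis": ["entity type not modelled in this example"]}


# Constructed sample entities (figures invented for illustration).
SAMPLES = [
    Entity("two-person qualified CA", TSP, 2, 0.4 * MILLION, 0.3 * MILLION, qualified_tsp=True),
    Entity("three-person non-qualified time stamp service", TSP, 3, 0.5 * MILLION, 0.2 * MILLION),
    Entity("cloud provider, one ceiling exceeded", "cloud computing service provider", 40, 12 * MILLION, 8 * MILLION),
    Entity("cloud provider, both ceilings exceeded", "cloud computing service provider", 40, 12 * MILLION, 11 * MILLION),
    Entity("four-person DNS resolver operator", "dns service provider", 4, 0.1 * MILLION, 0.1 * MILLION),
]


def run_samples() -> dict:
    """Map each sample entity name to (in_scope, tier)."""
    return {e.name: (classify(e)["in_scope"], classify(e)["tier"]) for e in SAMPLES}


if __name__ == "__main__":
    for e in SAMPLES:
        r = classify(e)
        print(f"{e.name}: in_scope={r['in_scope']} tier={r['tier']} basis={', '.join(r['basis'])}")
```

The two cloud-provider samples differ only in the balance-sheet figure and flip from out of scope to important, while the trust service samples never touch the size branches at all; that is the asymmetry the applicability check has to reproduce.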
Trust services mean regardless of size; qualified means essential
Article 2(2)(a)(ii) NIS 2 is one of the regardless-of-size overrides collected in Article 2(2) of the directive. Trust services made the list because the harm from a compromised CA key or qualified certificate is structural: every signature, seal or time stamp that chains to it can no longer be relied on, whatever the size of the provider that issued it. A two-person CA can undermine trust in signatures across a member state. That is why the size test is switched off for every TSP, and why Article 3(1)(b) additionally lifts qualified providers into the essential tier.
Qualified TSPs run two parallel regimes
eIDAS Article 19 binds the security of the trust service itself; Article 24 adds the requirements for qualified TSPs, and Article 20(1) requires qualified TSPs to be audited by a conformity assessment body at least every 24 months. NIS 2 adds the cross-organisational cyber duties: Article 20 management training, Article 21 risk-management measures, Article 23 significant-incident reporting. Article 4 NIS 2 does not switch NIS 2 off here. Both regimes apply in full. The eIDAS supervisory body and the NIS 2 competent authority can be different (in Germany: Bundesnetzagentur for eIDAS, BSI for NIS 2).
BSI / §28 BSIG (NIS 2 side)
The BSI is the NIS 2 competent authority. It runs the §33 BSIG registration portal, receives §32 BSIG significant-incident notifications, and supervises the §30 BSIG risk-management measures. Qualified TSPs land in the 'besonders wichtige Einrichtung' tier through §28(1) BSIG, which means tighter supervision and the same incident reporting timelines as KRITIS operators; non-qualified TSPs land in the 'wichtige Einrichtung' tier through §28(2) BSIG. Neither placement depends on size.
Bundesnetzagentur (eIDAS side)
The Bundesnetzagentur is the supervisory body for trust services under the Vertrauensdienstegesetz. It publishes the German trusted list, grants qualified status under Article 21 eIDAS, receives the conformity assessment reports under Article 20 eIDAS, and oversees the 24-month audit cycle that Article 20(1) eIDAS sets for qualified TSPs. Where an incident is both a §32 BSIG significant incident and an eIDAS Article 19(2) breach, you report both, to both authorities.
ENISA Technical Implementation Guidance + EUDI Wallet work
ENISA publishes guidance on the security measures and incident reporting that Article 19 eIDAS requires of trust service providers, and its Technical Implementation Guidance accompanies the Commission implementing act for the Article 21(2) NIS 2 measures, which Article 21(5) NIS 2 directs at trust service providers among other digital-infrastructure entities; both feed national supervisor expectations. The same body is now writing the trust-service work package for the European Digital Identity Wallet, which extends the qualified TSP perimeter from 2026 onwards.
National transposition laws
eIDAS is a Regulation, so the trust service rules are uniform across the EU. NIS 2 is a Directive, so each member state transposes it: NL through the Cyberbeveiligingswet, AT through the NISG, FR through Ordonnance 2024-1093. Annex I sector 8, the Article 2(2)(a)(ii) regardless-of-size rule and the Article 3(1)(b) essential-entity rule for qualified TSPs are identical across all of them. The competent authority for the NIS 2 side differs country by country.
Non-qualified trust services are outside NIS 2.
Wrong. Non-qualified TSPs are still in Annex I sector 8, and Article 2(2)(a)(ii) covers trust service providers as such, not only qualified ones. What they do not get is the Article 3(1)(b) lift into the essential tier; Article 3(2) makes them important entities. A three-person non-qualified time stamp provider is fully in NIS 2 as an important entity, and the Article 2(1) size test that gates cloud or CDN providers never runs for it. Qualification changes the tier, not whether the sector applies.
eIDAS already covers cybersecurity, so NIS 2 does not add anything.
eIDAS Article 19 sets the security baseline for the trust service. NIS 2 Articles 20, 21 and 23 add cross-organisational duties: management body training, the full risk-management catalogue from cryptography to supply chain, and significant-incident reporting under §32 BSIG with a 24-hour early warning. Article 4 NIS 2 lex specialis does not switch NIS 2 off for trust services. Two parallel regimes, neither replaces the other.
We are too small for NIS 2.
If you are a trust service provider, size is the wrong question. Article 2(2)(a)(ii) puts you in regardless of headcount, turnover or balance sheet, and if you are qualified, Article 3(1)(b) puts a two-person qualified certificate authority in the same NIS 2 tier as a multinational CA. The reason is downstream: every signature that chains to a compromised qualified certificate can no longer be relied on, regardless of who issued it.
Typical case: a 12-person qualified TSP issuing qualified certificates for electronic signatures, with a 24-month eIDAS conformity assessment cycle and a national trusted list entry through the Bundesnetzagentur. NIS 2 scope is automatic through Article 2(2)(a)(ii), and the essential tier follows from Article 3(1)(b). §28(1) BSIG places the company in the 'besonders wichtige Einrichtung' tier. Two regulators, two reporting channels, one company.
What practitioners actually do: take the eIDAS Article 20 conformity assessment evidence (which covers the Article 19 and Article 24 requirements) and reuse it for the relevant Article 21 NIS 2 controls (cryptography, access control, incident handling, business continuity). Run the §33 BSIG registration with the BSI. Add the items eIDAS does not cover: Article 20 management training, Article 21(2)(d) supplier risk, the §32 BSIG significant-incident channel. The two regimes overlap on cryptography and incident response; everything else is additional.
The applicability check identifies trust service providers through Article 2(2)(a)(ii), turns off the size test automatically, and sets the tier from qualified status under Article 3(1)(b) or 3(2). The output is a written Anwendbarkeitsprüfung that cites Annex I sector 8, Article 2(2)(a)(ii) and the applicable Article 3 provision, signed by the management body, version-pinned to the directive text.
The control catalogue mirrors the two-regime reality. Article 19 eIDAS controls are tagged so you can attach the most recent conformity assessment report once and have it counted against the relevant Article 21 NIS 2 measures. The supplier register flags any sub-processors that are themselves TSPs, so the Article 21(2)(d) supply-chain duties stay traceable.
- Directive (EU) 2022/2555 (NIS 2), Annex I sector 8, Article 2(2)(a)(ii), Article 3(1)(b) and Article 3(2) — eur-lex.europa.eu/eli/dir/2022/2555/oj
- Regulation (EU) 910/2014 (eIDAS), Article 3(16), 3(17), 3(19), 3(20), Article 19, Article 20, Article 21, Article 24 — eur-lex.europa.eu/eli/reg/2014/910/oj
- BSI Act (BSIG), §28 (Anwendungsbereich), §32 (Meldepflichten) and §33 (Registrierung) as amended by the NIS2 Implementation and Cybersecurity Strengthening Act
- Vertrauensdienstegesetz (VDG) — gesetze-im-internet.de/vdg
- Bundesnetzagentur German trusted list under Article 22 eIDAS
- ENISA Technical Implementation Guidance for trust services under Article 19 eIDAS — enisa.europa.eu