Can trust services only be offered with their own certification?
In an increasingly digital world, companies need to modernize their processes while complying with legal and regulatory requirements. Electronic signatures play a central role in this, as they digitize documents in a secure and legally binding manner. However, the provision of such signatures is complex and requires certification as a Trust Service Provider(TSP) to ensure legal validity. In Switzerland, this certification is based on the Federal Act on Electronic Signatures(ZertES), which defines the requirements for providers of trust services – in particular for issuing qualified electronic signatures (QES). Certification is carried out by the Swiss Accreditation Service (SAS) or a body accredited by it. Many companies that do not focus on trust services are faced with the challenge of offering such services without compromising their core business. For example, a bank’s main business is to offer financial services such as accepting deposits, granting loans or processing payments. However, if a bank wants to provide online loans and have contracts digitally signed, it would have to certify itself as a TSP – a time-consuming and often unattractive process.
This is how it works even without certification:
Companies can use trust services by connecting directly to the security infrastructure of a certified Trust Service Provider (TSP) via an interface (API). This means that the entire process remains seamless for the end customer: for example, a loan agreement can be digitally signed directly in the bank’s system without the customer having to be forwarded to an external platform – such as that of the TSP. The API processes the signature in the background via the TSP’s certified infrastructure. This enables companies to offer legally valid electronic signatures without having to go through the time-consuming certification process as a TSP themselves.
Comparison: Integration of trust services vs. own certification
Criterion
Integration
Own certification
certification effort:
Not required: Certification is carried out by the TSP.
Required: Compliance with strict regulatory requirements.
Implementation effort:
Low: Use of an existing infrastructure via APIs.
High: Establishment of an own, legally compliant infrastructure.
Costs:
Usage-based fees (pay-per-use or license model).
High initial costs and ongoing costs for certification and operation.
Time-to-Market:
In short: integration is possible in just a few weeks.
Long: Permanent projects for establishment and certification.
Expertise:
No internal expertise required – provided by the TSP.
High demands on internal specialists for compliance and technology.
Conclusion: Integration of trust services or own certification – which is more worthwhile for me?
Integration is the ideal solution for companies that want to offer trustworthy signature services quickly and efficiently. They benefit from short implementation times and the Trust Service Provider assuming regulatory responsibility. This enables companies to seamlessly integrate legally valid electronic signatures into their systems without having to deal with complex certification processes or setting up their own infrastructures. In-house certification, on the other hand, makes sense if trust services are part of a strategic core business and sufficient resources can be provided in the long term for operation, maintenance and compliance with regulatory requirements. However, this approach requires considerable investment in time, expertise and infrastructure. The choice between these two options should therefore be carefully weighed up based on the company’s individual objectives and resources.
