3.1 Certificate Requirements

As required by the Regulatory Technical Standards for strong customer authentication and common and secure open standards of communication contained in the DELEGATED REGULATION (EU) 2018/389 of 27 November 2017, TPP need to be equipped with qualified certificates for electronic seals / website authentication (eIDAS Certificates).

TPP eIDAS Certificates can be of two types:

• QWAC (Qualified Website Authentication Certificate): used as Client Certificates – allow TPPs to communicate securely with and identify themselves towards ASPSPs (Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC);
• QSeal (Qualified Certificate for Seals): used to sign requests using http-signature – ensure that the communication between TPPs and ASPSPs is secure and that the data submitted originates from the PSP identified in the certificate (Opinion of the European Banking Authority on the use of eIDAS certificates under the RTS on SCA and CSC);

The Testing Facility (Sandbox) made available from the 14th of March, 2019, is accessible to all the TPPs in possession of:

• a Valid QWAC eIDAS Certificate released by a Qualified Trusted Service Provider (QTSP);
• QWAC Test Certificate released by a Qualified Trusted Service Provider (QTSP);
• self-signed Test Certificate “eIDAS-like”.

After the entry into Production on the 1st of June, 2019, the CBI Globe Platform will be accessible only to the TPPs in possession of both QWAC and QSeal (for http-signature) Valid eIDAS Certificates.