Can QTSPs Become Cloud Native?
By csc |By Fábio Rego, Business Solutions and Compliance Lead, Ascertia
Why scalable digital trust will require new thinking around infrastructure, certification, and auditability?
The Challenge:
A New Scale of Digital Trust Qualified Trust Service Providers (QTSPs) are entering a period of unprecedented growth. Regulatory initiatives such as eIDAS 2.0 and the rollout of the European Digital Identity (EUDI) Wallet are expanding both the scope and scale of digital trust services across Europe.
Under eIDAS 2.0, new qualified services are being introduced, including:
- Electronic archiving
- Electronic ledgers
- Qualified electronic attestations of attributes (QEAAs)
- Remote management of qualified signature and seal creation devices.
At the same time, the EUDI Wallet is expected to drive significant demand for the issuance and management of digital credentials and QEAAs across Member States.
These attestations will enable users to securely prove attributes such as qualifications, professional status, licences, and other verified information directly from their digital wallets, creating substantial new volume requirements for QTSPs.
Alongside these regulatory developments, organisations are increasingly adopting remote signing and digital identity services as part of broader digital transformation initiatives. As a result, QTSPs are being asked to support higher transaction volumes, greater service availability, and faster deployment cycles than ever before.
Many existing trust service platforms were designed around dedicated physical infrastructure and predictable workloads. The question facing the industry is whether these traditional architectures can continue to scale efficiently or whether a new approach is needed to support the next generation of digital trust services.
What Does Cloud Native Really Mean?
When discussing the future of QTSP infrastructure, it is important to distinguish between simply moving existing systems to the cloud and adopting a truly cloud native approach.
Running a trust service platform on virtual machines in a public cloud is not, by itself, cloud native. Rather, cloud native architectures are designed from the outset to take advantage of capabilities such as:
- Containerisation
- Automation
- Elastic scaling
- Built in resilience.
For QTSPs, this means services can be deployed, updated, and scaled independently according to demand. High-volume components, such as validation or status services, can expand automatically during periods of peak usage, while other services continue operating unchanged. Infrastructure can be managed through automated deployment pipelines rather than manual server configuration, improving consistency and reducing operational overhead.
The result is an architecture that is inherently more scalable, resilient, and adaptable. As demand for digital trust services grows, these characteristics are becoming increasingly important.
The Certification Challenge
The case for cloud native architectures is compelling, but qualified trust services face a challenge that many other industries do not: certification requirements are tied to specific hardware and security boundaries.
At the heart of every qualified trust service are cryptographic components that protect signing keys and ensure the integrity of trust operations. These include Hardware Security Modules (HSMs) and, in the case of remote qualified signatures, Remote Qualified Signature Creation Devices (RQSCDs). These components provide the certified security controls required under eIDAS and related standards.
Unlike application workloads, these systems cannot simply be treated as ephemeral cloud resources. Their certifications are linked to defined hardware, software and operational configurations, creating boundaries that must be maintained throughout the lifecycle of the service.
QTSPs must therefore balance two competing objectives: the flexibility and scalability offered by cloud native infrastructure, and the need to preserve certified trust anchors that underpin the legal validity of qualified services.
This does not mean cloud native architectures are incompatible with qualified trust services. Rather, any transition must carefully consider where certified components remain anchored and how those certification boundaries are maintained, monitored, and audited.
A Hybrid Future for Qualified Trust Services
For most QTSPs, the future is unlikely to be a choice between traditional infrastructure and a fully cloud native model. Instead, the industry is more likely to adopt hybrid architectures that combine the strengths of both approaches.
In such a model, certified trust anchors, including HSMs, RQSCDs and other critical security components, would continue to operate within tightly controlled and audited environments. These elements provide the foundation of trust and legal assurance on which qualified services depend and will remain subject to rigorous certification and conformity assessment requirements.
Around these certified components, however, cloud native approaches can be applied to a much broader range of supporting services. Identity workflows, validation services, orchestration layers, user-facing applications, monitoring platforms, and operational tooling can all benefit from greater automation, elasticity, and resilience. Services can be scaled independently, deployed more rapidly, and operated more efficiently while maintaining the integrity of the underlying trust framework.
This approach recognises that cloud native is not an all-or-nothing proposition. The objective is not to replace certified trust anchors, but to make the surrounding ecosystem more agile and scalable in response to growing demand.
Achieving this vision will require continued collaboration across the trust services community. QTSPs, conformity assessment bodies, auditors, technology providers, and regulators will need to work together to develop common reference architectures, consistent audit methodologies, and practical guidance for cloud native deployments.
As digital trust services continue to expand through eIDAS 2.0 and the EUDI Wallet ecosystem, the question is no longer whether the industry can benefit from cloud native approaches. The challenge is determining how they can be adopted while preserving the assurance, security, and legal certainty on which qualified trust services are built.
Conclusion
Qualified trust services are unlikely to become fully cloud native in the near term, but neither will they likely remain wholly dependent on traditional infrastructure. A hybrid model that combines certified trust anchors with cloud native services offers the most practical path forward.
Realizing that visions will require common reference architectures, consistent audit methodologies, and evolving standards that enable greater scalability and innovation without compromising trust. The opportunity now is for the industry to define how cloud native principles can be applied in a way that strengthens, rather than challenges, the foundations of digital trust.