checklist

Qualified timestamping provider checklist: what to look for

At first glance, many timestamping providers can look quite similar. They use the same terms, mention compliance, and promise secure digital evidence.

But the differences start to matter when you need to rely on timestamps in real life – for audits, long-term archiving, compliance, digital signing, or proving that a document existed at a specific moment in time.

A regular file date or system timestamp is not enough. Local clocks and file metadata can be changed, which makes them weak as evidence. A trusted timestamping service solves this by using a trusted third party, secure time source, and cryptographic proof to show when data existed and whether it has remained unchanged.

If you are choosing a qualified timestamping provider, here are the key things to check.

1. Check whether the provider is officially qualified under eIDAS

The first question is simple: is the provider officially recognised as a Qualified Trust Service Provider under the EU eIDAS regulation?

This matters because qualified timestamping gives a higher level of legal assurance than ordinary timestamping. Under eIDAS, a qualified electronic timestamp benefits from a presumption of the accuracy of the date and time it indicates and the integrity of the data to which that date and time are bound.

A reliable provider should not only claim compliance, it should be verifiable in the official EU Trusted List.

What to check:

  • Is the provider listed as a Qualified Trust Service Provider?
  • Is qualified timestamping explicitly listed as one of its services?
  • Can you verify both in the official EU Trusted List?

2. Make sure the service supports recognized technical standards

Technical standards are important because they ensure that a timestamping service can be integrated, used, and verified across different systems. Without them, timestamps may only work in isolated environments or cannot be reliably checked later.
For timestamping, one of the key standards is the RFC 3161 timestamp protocol, which defines how timestamp requests and responses should work between systems.

What to check:

  • Does the provider mention support for the RFC 3161 timestamp protocol in its technical documentation?
  • Are supported hash algorithms clearly listed? Look for commonly used algorithms such as SHA256, SHA384, and SHA512.
  • Does the provider clearly document supported signing key algorithms? For example, SK supports both RSA and Elliptic Curve Cryptography (ECC) signing keys.
  • If this information is missing, ask the provider directly.

3. Look at reliability and SLA, not just legal status

Legal compliance is important, but it does not guarantee how the service performs in real life. If timestamping is part of your core workflows, reliability becomes just as important as legal status.

An important concept here is the SLA (Service Level Agreement) – a commitment that defines how available and reliable the service is. For example, it may specify uptime targets such as 99.95% or higher.

What to check:

  • What SLA does the provider offer? Check the provider’s documentation, product page, or contract terms for SLA details.
  • Is there a proven uptime track record, e.g., public status page available
  • Is the service designed for business-critical or high-volume use? Look for signals such as public references to large customers, high volumes (e.g. millions of timestamps), or mentions of use in regulated environments like finance or government.

4. Evaluate integration and testing options

In practice, you should look at how easy it is to get started and whether the service can be tested before going live.

What to check:

  • Is it easy to integrate the timestamping service? Look for clear technical documentation, API access, and examples. The integration process should be straightforward for developers and not require complex setup.
  • Can you test the service before going live? Check if there is a testing or demo environment available. This allows you to validate your use case without committing upfront.

5. Consider long-term evidence and compliance needs

Timestamping is often used not just to prove something today, but to provide reliable evidence months or even years later, for example in audits, compliance checks, or legal situations.

Because of this, it’s important to choose a provider whose service remains trustworthy over time and is backed by clear audit and compliance practices.

What to check:

  • Is the service designed for audit, compliance, or long-term evidence use cases? Look for references to digital signing, archiving, or legally valid proof of data existence.
  • Is there publicly available documentation describing the service and its guarantees?
  • Has the service been independently audited?

How SK ID Solutions meets these requirements

CriteriaWhat to look forSK ID Solutions
1.eIDAS complianceQualified Trust Service Provider status and qualified timestamping service✅ Included in the EU Trusted List as a Qualified Trust Service Provider
2. Technical standardsRFC 3161 support, clear technical documentation, supported hash and signing key algorithms✅ RFC 3161 support, public technical documentation, SHA256/SHA384/SHA512 hash algorithms, and RSA & ECC signing key support  
3. Reliability and service availabilityStrong service availability track record and transparent status monitoringPublic status page available; 100% service availability track record since August 2022
4. Integration and testing environmentEasy integration and available testing environment✅ Easy integration, free testing environment, and no contract required.
5. Long-term evidence & compliancePublic documentation, audit information, and use in compliance or archiving scenarios✅ Public timestamping principles and audit info + used for digital signing, archiving, and legal evidence

Choosing a qualified timestamping provider is not just about technical features or pricing, it’s about trust.

A reliable provider should meet both legal and technical requirements, and it should be transparent about how its service works, how it performs in real-world use, and how it can be verified over time.

By focusing on the criteria above, you can make a more informed decision and avoid hidden risks, especially in compliance, audit, and business-critical environments.

Need qualified timestamping you can rely on?

SK ID Solutions was the first company to issue eIDAS-qualified time stamps and provides a qualified timestamping service for organisations that need reliable proof of data existence, integrity, and legal validity.

You can order the Timestamping service online

If you want to clarify your requirements first, contact our sales team via the website form or at ue.snoitulosdiks@selas.