How to check QTSP availability via the EU Trusted List before a critical timestamp

Every qualified timestamp flows through infrastructure that, in theory, never stops. In practice, a Qualified Trust Service Provider (QTSP) is still a company with data centres, certification chains and scheduled maintenance windows. When a compliance team needs to seal a high-value act at 6pm on a Friday and the TSA does not respond, the stamping fails: the contract slips, the evidence window closes, the critical operation stalls. Checking the eIDAS status of a provider before the operation is no longer a technical detail: it is part of the compliance workflow.

The answer is not a centralised SaaS-style status page. Trust in QTSPs starts with the EU Trusted List published by the European Commission, which certifies which providers are operational and which qualified services (timestamp, electronic seal, digital signature) are officially in the "granted" state. On top of that formal baseline, organisations that run time-sensitive processes build their own operational availability layer: technical monitoring of the TSA endpoints, and a multi-QTSP strategy that removes the single point of failure.

This insight is part of our guide: Digital timestamp: a complete guide to legal-grade time certification

Where the official QTSP status lives in the EU

The question "is the QTSP down?" has a formal answer and an operational one. The formal answer comes from the trusted lists, which have constitutive value: a provider and a service are qualified only if they appear on the national list with a "granted" status. The operational answer requires different tools, which we address in the next section. For the legal meaning of the token itself, refer to our legal-grade timestamp guide: here we focus exclusively on availability verification.

EU Trusted List Browser: the Commission's authoritative source

The EU/EEA Trusted List Browser aggregates and publishes every Member State and EEA country list. For each QTSP it shows: legal identity, the list of qualified services provided, the current status ("granted", "withdrawn", "recognised at national level"), any suspension date and reason, and the history of previous states. The Commission updates the view monthly and more frequently when national supervisory bodies notify material changes.

A compliance function evaluating a new provider should always start here for pre-contract due diligence. Before entrusting critical timestamping to a QTSP, confirm that the specific service ("Qualified time stamp", "Qualified electronic seal", "Qualified certificate for electronic signature") is listed, that the status is "granted" and that no audit notes are flagged as expiring. Under the eIDAS Regulation, QTSPs must complete a conformity audit at least every two years: an open audit window does not imply instability, but it signals an imminent review.

National trusted lists: the supervisory layer behind each QTSP

Every EU Member State designates a national supervisory body under Article 17 of the eIDAS Regulation. These bodies maintain the national trusted lists that feed into the EU Trusted List Browser. National lists often provide additional documentation in the local language: accreditation decisions, suspension or withdrawal orders, approved termination plans, referenced technical specifications, and contacts for audit bodies. For a multinational compliance team, the practical workflow is simple: use the EU Browser for cross-border due diligence, then drill down to the national list when you need evidence-grade documentation on a specific provider.

Two details make the difference during due diligence. First, national supervisory bodies exercise both ex-ante oversight (before a provider can start operating) and ex-post oversight (audits, complaint-based checks, technical inspections). Second, every QTSP is required to file an up-to-date termination plan that guarantees service continuity or an orderly migration to another QTSP in case of cessation. For the corporate client, this means that even in the worst-case scenario the provider has a documented plan to preserve already-issued timestamps and verification keys.

Building an operational monitoring layer on top of the trusted list

Trusted lists tell you whether a provider is qualified, not whether its TSA is responding right now. Operational monitoring is built at two levels: on the individual TSA, to catch a disruption the moment it happens, and on the sourcing strategy, so you never depend on a single endpoint.

Technical monitoring of TSA endpoints

Qualified TSAs expose endpoints that comply with RFC 3161, typically reachable over HTTP or HTTPS on URLs published in the provider's documentation. Effective monitoring combines three probes.

Availability probe: a HEAD or GET request every 60 seconds to verify that the endpoint replies with a 2xx code or a valid PKI response. A synthetic probe is enough to detect infrastructure outages.
Real stamping probe: an actual Timestamp Request every 5 to 15 minutes, using a constant payload hash, checking that the returned token is correctly signed and temporally consistent. This probe catches malfunctions a simple ping would miss, such as expired certificates, misaligned time sources or invalid signatures.
Latency probe: response-time measurement to identify degradation before it becomes an outage. Typical thresholds: alert above 3 seconds, error above 10 seconds.

Teams that do not want to build the monitoring stack in-house can rely on synthetic monitoring services (Datadog, Checkly, UptimeRobot) configured to probe the TSA endpoint. The investment is small compared with the cost of a failed stamping on a notarised deed, a regulated communication, or a court-ready piece of evidence.

Multi-QTSP strategy and qualified fallback

The principle is the same as for distributed databases: no critical service should depend on a single vendor. A multi-QTSP strategy combines a primary provider and at least one secondary, both listed with "granted" status on the EU Trusted List and with equivalent qualified services.

In practice, the design follows four steps. First, classify stamping flows by criticality and volume, because per-stamp costs vary significantly across providers. Second, define the failover logic, which can be active-active (both providers stamp in parallel) or active-passive (the secondary takes over only when the primary fails). Third, normalise verification: each QTSP uses different signing certificates and the validation chain must recognise all of them. Fourth, document the process in a business continuity plan that is auditable, both internally and in the event of a dispute.

The eIDAS 2.0 Regulation (EU) 2024/1183 strengthens this model by requiring QTSPs to maintain a termination plan that is continuously updated and verified by the supervisory body. For the customer this means that choosing a provider accredited for more than two years, with an inspected termination plan, structurally reduces the risk of unplanned disruption.

TrueScreen as an Italian QTSP: operational continuity on qualified timestamps

TrueScreen is an Italian Qualified Trust Service Provider, accredited by the national supervisory body and listed in the EU Trusted List. It provides qualified timestamps, qualified electronic seals and digital signature services compliant with ETSI EN 319 421 and EN 319 422 and with the eIDAS Regulation. The Data Authenticity Platform combines forensic acquisition of content at source and qualified certification with the QTSP seal, ensuring that the stamped data is simultaneously tamper-evident and dated with legal-grade probative value.

On the continuity side, the operating model is designed to support time-sensitive flows: signing high-value contracts, applying qualified timestamps on digital notarial acts, sealing handover reports, or preserving certified communications for MiFID II. The infrastructure includes internal monitoring of TSA endpoints, a termination plan filed with the supervisory body, and an architecture designed to integrate with enterprise multi-QTSP strategies. Qualified seals issued by TrueScreen benefit, under Article 42 of the eIDAS Regulation, from the presumption of accuracy on the date and time recorded in the token.

For scenarios where the customer manages digital signing directly, TrueScreen exposes the integration via its Data Authenticity Platform and automated flows, without requiring customer-side infrastructure. Public verification of every qualified token remains possible through the standard EU Trusted List tools and national browsers, preserving the transparency of the process.

FAQ: checking QTSP availability

Is there an official "eIDAS down detector" from the European Commission?

No. The European Commission does not publish real-time monitoring of QTSPs. The authoritative source is the EU Trusted List, updated monthly by national supervisory bodies, which records which providers and services are in the "granted" state. To know the technical availability in real time, you need internal monitoring of the TSA endpoints or a synthetic monitoring service configured against the provider's URL.

What happens to a timestamp applied before a QTSP is suspended?

Qualified timestamps issued before suspension keep their legal value, provided the certification chain was valid at issuance time. The eIDAS 2.0 Regulation requires QTSPs to retain all information necessary for verification even after the service ceases, and to file a termination plan that guarantees continuity of validation over time.

Is a multi-QTSP strategy mandatory by law?

It is not mandatory, but it is a recognised best practice for organisations running time-sensitive flows with material legal or economic impact. A multi-QTSP setup removes the operational single point of failure and protects against the temporary unavailability of a single provider. In regulated sectors (financial services, healthcare, energy) it may become a business continuity requirement assessed during audits.

Qualified timestamps without disruptions

Use an Italian accredited QTSP for qualified seals and timestamps with eIDAS legal value and built-in operational monitoring.

Start now

Request a demo