Certification of the eIDAS conformity of qualified signature and seal creation devices

Trust service providers (TSPs) that use or issue qualified signature creation devices (QSCD) together with qualified certificates for the creation of qualified electronic signatures and seals have to deploy certified devices either by choosing one from the published list of QSCDs or by getting their proper device certified.

As an accredited evaluation and certification body for Common Criteria and QSCDs, TÜViT supports trust service providers, from the planning over the evaluation and certification to the final step of getting the devices published by the European Commission.

Certification of QSCDs

The regulation (EU) 910/2014 (eIDAS) mandates certified QSCDs as prerequisite for the creation of qualified electronic signatures and qualified seals. Article 1 of [CID (EU) 2016/650] distinguishes two types of QSCD:

  1. QSCDs where the electronic signature creation data or electronic seal creation data is held in an entirely but not necessarily exclusively user-managed environment. Here the evaluation and certification is based on the Common Criteria evaluation.
  2. QSCDs where the qualified trust service provider manages the electronic signature creation data or seal creation data on behalf of a signatory or of a creator of a seal (remote-QSCD or server signing QSCD). Due to the absence of applicable standards for the evaluation of remote-QSCDs alternative certification procedures may be used which fulfil comparable security levels like the Common Criteria evaluation.

For this TÜViT developed an own certification process which has been notified to the European Commission in accordance with Article 30.3(b) and 39.2 of the eIDAS Regulation (EU) 910/2014.

Our approach

As an evaluation and certification basis, we offer the certification of QSCDs according to eIDAS. Depending on the QSCD type, the evaluation is performed against Common Criteria or it is based on certification process with equivalent assurance developed by TÜV Informationstechnik GmbH for that purpose.

Our IT security experts apply an agile approach during the project, evaluation and certification. You thus have the opportunity after each concluded phase, whether in the project or during the evaluation, to consult our experts. This allows the risk of unprofitable investments to be reduced.

The following standards would apply for the preparation of certificates for QSCDs:

  • [eIDAS]
  • Annex II [eIDAS]: requirements for the certification of the conformity of QSCDs
  • [ISO/IEC 15408-1]
  • [ISO/IEC 15408-2]
  • [ISO/IEC 15408-3]
  • Certification Process for eIDAS conformant QSCDs of the TÜV Informationstechnik GmbH

Our services at a glance

  • conduct of workshops, one-day or multi-day
  • overview of the certification process
  • overview of test requirements and joint evaluation of the requirements relevant to you
  • coordination of your detailed questions on standard requirements, on tests and certifications
  • project support according our agile approach
  • evaluation and certification of the QSCD
  • result: QSCD certificate
  • validity: Depends on the strength of security mechanisms and algorithms that are implemented, shall not exceed a maximum period of 5 years 
  • if all criteria are fulfilled, a certificate is issued and published on the TÜViT website
  • submission of the QSCD certificate to the EU Commission for publication on the official list of QSCDs

Your benefits at a glance

  • minimizing unprofitable investments through agile approach
  • cost reduction through gap analysis
  • targeted project implementation regarding your budget, schedule and standard specifications
  • QSCD certificate
  • verification that legislation and legal requirements are fulfilled, where these derive from the corresponding requirements
  • verification that your QSCD is applied in a targeted, effective and sustainable manner
  • audit and certification by the market leader: e.g. TÜViT has issued over 350 certificates under the German Digital Signature Act and eIDAS, and 150 for PKIs using other criteria, e.g. ETSI

TÜViT has been testing trust services and their products for 15 years.

You have questions? We are pleased to help!

Peter Kania

Sales & Account Manager eID & Trust Services

+49 201 8999-513
Fax : +49 201 8999-555

Matthias Wiedenhorst

Head of Certification Division Trust Service Provider

+49 201 8999-536
Fax : +49 201 8999-555

Further services

Electronic signatures and seals

Electronic Signatures

We accompany trust service providers for electronic signatures on the way to their qualification status: from the planning of their services to the required tests up to the conformity assessment / re-certification.
Read more

Electronic Seals

Become a qualified trust service provider (VDA) for electronic seals: We support you in planning your service(s), perform audits according to eIDAS & ETSI and accompany you on your way to conformity assessment.
Read more
Website Authentication

Website Authentication

Servers and websites available on the internet must be clearly attributed to their operators if users are to trust them. The secure identification of websites and server systems on the internet takes place using electronic certificates.
Read more
Validation Services for Electronic Signatures, Seals and Timestamps

Validation Services for Electronic Signatures, Seals and Timestamps

Validation services are indispensable for assessing the correctness and integrity of electronically signed, sealed and timestamped documents. They review certificates in real time and ensure transparency.
Read more
Electronic Archives and Archiving Services

Electronic Archives and Archiving Services

Documents that are electronically signed or marked with a timestamp are subject to ageing, just like their hard copy counterparts. If the certificates or mathematical algorithms used there are no longer up to date, this results in them losing their value as evidence.
Read more
Electronic Identification (eID)

Electronic Identification (eID)

Electronic identification systems have the great advantage that they save companies time and expense, and significantly simplify communication for customers – provided that the systems work securely and that they are trustworthy.
Read more

Electronic Registered Delivery Services

Electronic registered delivery services transmit electronic data such as emails between third parties and provide evidence relating to sending and receiving the transmitted data at a certain date and time.
Read more

Cooperative Intelligent Transport Systems (C-ITS)

We support you on your way to an IT-secure C-ITS solution: from planning or further development, through testing, to successful certification according to the security requirements of the European Commission.
Read more