Trust service providers (TSPs) that use or issue qualified signature creation devices (QSCDs) together with qualified certificates for the creation of qualified electronic signatures and seals have to deploy certified devices, either by choosing one from the published list of QSCDs or by getting their own device certified.
As an accredited evaluation and certification body for Common Criteria and QSCDs, TÜViT supports trust service providers from planning through evaluation and certification to the final step of getting the devices published by the European Commission.
Certification of QSCDs
Regulation (EU) 910/2014 (eIDAS) mandates certified QSCDs as a prerequisite for the creation of qualified electronic signatures and qualified seals. Article 1 of [CID (EU) 2016/650] distinguishes two types of QSCD:
- QSCDs where the electronic signature creation data or electronic seal creation data is held in an entirely but not necessarily exclusively user-managed environment. Here the evaluation and certification is based on the Common Criteria evaluation.
- QSCDs where the qualified trust service provider manages the electronic signature creation data or seal creation data on behalf of a signatory or of a creator of a seal (remote QSCD or server signing QSCD). Due to the absence of applicable standards for the evaluation of remote QSCDs, alternative certification procedures may be used that achieve security levels comparable to those of a Common Criteria evaluation.
For this purpose, TÜViT developed its own certification process, which has been notified to the European Commission in accordance with Articles 30.3(b) and 39.2 of the eIDAS Regulation (EU) 910/2014.
Our approach
As an evaluation and certification body, we offer the certification of QSCDs according to eIDAS. Depending on the QSCD type, the evaluation is performed against Common Criteria or is based on a certification process with equivalent assurance developed by TÜV Informationstechnik GmbH for that purpose.
Our IT security experts apply an agile approach during the project, evaluation and certification. After each concluded phase, whether in the project or during the evaluation, you have the opportunity to consult our experts. This reduces the risk of unprofitable investments.
The following standards apply to the preparation of certificates for QSCDs:
- [eIDAS]
- Annex II [eIDAS]: requirements for the certification of the conformity of QSCDs
- [ISO/IEC 15408-1]
- [ISO/IEC 15408-2]
- [ISO/IEC 15408-3]
- Certification Process for eIDAS conformant QSCDs of the TÜV Informationstechnik GmbH
Our services at a glance
- conduct of workshops, one-day or multi-day
- overview of the certification process
- overview of test requirements and joint evaluation of the requirements relevant to you
- coordination of your detailed questions on standard requirements, on tests and certifications
- project support according to our agile approach
- evaluation and certification of the QSCD
- result: QSCD certificate
- validity: depends on the strength of the implemented security mechanisms and algorithms and shall not exceed a maximum period of 5 years
- if all criteria are fulfilled, a certificate is issued and published on the TÜViT website
- submission of the QSCD certificate to the EU Commission for publication on the official list of QSCDs
Your benefits at a glance
- minimizing unprofitable investments through an agile approach
- cost reduction through gap analysis
- targeted project implementation regarding your budget, schedule and standard specifications
- QSCD certificate
- verification that legislation and legal requirements are fulfilled, where these derive from the corresponding requirements
- verification that your QSCD is applied in a targeted, effective and sustainable manner
- audit and certification by the market leader: e.g. TÜViT has issued over 350 certificates under the German Digital Signature Act and eIDAS, and 150 for PKIs using other criteria, e.g. ETSI
TÜViT has been testing trust services and their products for 15 years.
Do you have questions? We are pleased to help!
Peter Kania
Sales & Account Manager eID & Trust Services
+49 201 8999-513
Fax: +49 201 8999-555
Matthias Wiedenhorst
Head of Certification Division Trust Service Provider
+49 201 8999-536
Fax: +49 201 8999-555