Trust service providers (TSPs) that use or issue qualified signature creation devices (QSCDs) together with qualified certificates for the creation of qualified electronic signatures and seals have to deploy certified devices, either by choosing one from the published list of QSCDs or by having their own device certified.
As an accredited evaluation and certification body for Common Criteria and QSCDs, TÜViT supports trust service providers from the planning phase, through evaluation and certification, to the final step of having the devices published by the European Commission.
Certification of QSCDs
Regulation (EU) 910/2014 (eIDAS) mandates certified QSCDs as a prerequisite for the creation of qualified electronic signatures and qualified electronic seals. Article 1 of [CID (EU) 2016/650] distinguishes two types of QSCD:
- QSCDs where the electronic signature creation data or electronic seal creation data is held in an entirely but not necessarily exclusively user-managed environment. Here, evaluation and certification are based on a Common Criteria evaluation.
- QSCDs where the qualified trust service provider manages the electronic signature creation data or seal creation data on behalf of a signatory or of a creator of a seal (remote QSCD or server-signing QSCD). Because no applicable standards exist for the evaluation of remote QSCDs, alternative certification procedures may be used, provided they achieve a security level comparable to a Common Criteria evaluation. For this purpose TÜViT has developed its own certification process, which is recognized by the European Commission.
As an evaluation and certification basis, we offer the certification of QSCDs according to eIDAS. Depending on the QSCD type, the evaluation is performed against the Common Criteria or is based on a certification process with equivalent assurance developed by TÜV Informationstechnik GmbH for that purpose.
Our IT security experts apply an agile approach throughout the project, evaluation and certification. After each concluded phase, whether in the project or during the evaluation, you have the opportunity to consult our experts. This reduces the risk of unprofitable investments.
The following standards apply to the preparation of certificates for QSCDs:
- Annex II [eIDAS]: requirements for the certification of the conformity of QSCDs
- [ISO/IEC 15408-1]
- [ISO/IEC 15408-2]
- [ISO/IEC 15408-3]
- Certification Process for eIDAS conformant QSCDs of the TÜV Informationstechnik GmbH
Our services at a glance
- conduct of workshops, one-day or multi-day
- overview of the certification process
- overview of test requirements and joint evaluation of the requirements relevant to you
- coordination of your detailed questions on standard requirements, on tests and certifications
- project support according to our agile approach
- evaluation and certification of the QSCD
- result: QSCD certificate
- validity: depends on the strength of the implemented security mechanisms and algorithms, and shall not exceed a maximum period of 5 years
- if all criteria are fulfilled, a certificate is issued and published on the TÜViT website
- submission of the QSCD certificate to the EU Commission for publication on the official list of QSCDs
Your benefits at a glance
- minimizing unprofitable investments through our agile approach
- cost reduction through a gap analysis
- targeted project implementation regarding your budget, schedule and standard specifications
- QSCD certificate
- verification that legislation and legal requirements are fulfilled, where these derive from the corresponding requirements
- verification that your QSCD is applied in a targeted, effective and sustainable manner
- audit and certification by the market leader: TÜViT has issued over 350 certificates under the German Digital Signature Act and eIDAS, and 150 for PKIs using other criteria, e.g. ETSI