Providing a signature or creating a company seal is a security-critical process. Forgery can have unpleasant consequences for all parties involved, possibly involving a high monetary loss or causing significant damage to the reputation of a provider. For this reason, the legislator has defined in the eIDAS Regulation an approval procedure with correspondingly high security requirements for products used to generate the technical counterparts of signatures and seals, i.e., qualified electronic signatures and qualified electronic seals.
The “eIDAS Certification Body” of the SRC is able to certify a product in combination with or based on an existing evaluation according to Common Criteria as a qualified electronic signature creation device or seal creation device (QSCD) according to Art. 30 para. 3 of the eIDAS Regulation.
In this context, security requirements (Protection Profiles) listed in the “Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security evaluation of qualified signature and seal creation devices referred to in Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market” shall be applied to products (Art. 30 para. 3 (a)).
Alternatively, the eIDAS Regulation allows the use of other verification procedures provided that equivalent levels of security are applied and the verification procedure has been notified to the EU Commission (Art. 30 para. 3 (b)). Since the above-mentioned Implementing Decision (EU) 2016/650 does not yet list Protection Profiles (PPs) that contain security requirements for QSCDs for use by a trust service provider, SRC has notified the EU Commission of a test procedure, “Certification of the conformity of QSCDs for server-signing with the requirements laid down in Annex II of Regulation (EU) No. 910/2014”, for the certification of QSCDs for use in the context of remote signatures.
SRC Security Research & Consulting GmbH has been certified by the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railway as “eIDAS Certification Body” according to Art. 30 para. 1 of the eIDAS Regulation.
We are happy to offer you the opportunity to use the expertise and extensive experience of our independent experts when certifying your product as a qualified signature and/or seal creation device.
The EU Commission publishes and updates lists of notified “eIDAS certification bodies” and QSCDs, as well as all currently notified alternative verification methods.