QSCD
Certification as a qualified electronic signature creation device or qualified seal creation device according to Art. 30, par. 3 of the eIDAS Regulation. SRC is your eIDAS certification body.
SRC supports you in the certification of cards, HSMs and other hardware components as Qualified Signature/Seal Creation Device (QSCD).
Conformity assessment for modules
We support you in the conformity assessment in accordance with the requirements of Regulation (EU) No. 910/2014 of partial services (e.g. identification) and its organisation, in order to enable the integration of the partial service into qualified trust services.
Trust services
We support you in the qualification of your services and your organisation by the designated supervisory body. SRC carries out conformity assessments according to the requirements of Regulation (EU) No. 910/2014.
QSCD
Certification as a qualified electronic signature creation device or qualified seal creation device according to Art. 30, par. 3 of the eIDAS Regulation. SRC is your eIDAS certification body.
SRC supports you in the certification of cards, HSMs and other hardware components as Qualified Signature/Seal Creation Device (QSCD).
In detail …
Signatures and company seals are critical for security
The act of signing or sealing is a security-critical process. Forgery of these elements can have serious consequences for all parties involved, including significant financial loss or reputational damage to the service provider. For products that generate the technical equivalents of signatures and seals, namely qualified electronic signatures and qualified electronic seals, the eIDAS Regulation defines a mandatory certification procedure with correspondingly high security requirements.
Certification under Article 30(3) of the eIDAS Regulation
SRC, in its role as a designated Conformity Assessment Body (CAB), is authorized to certify products based on or in combination with an existing Common Criteria evaluation as Qualified Signature Creation Devices (QSCDs) or Qualified Seal Creation Devices, in accordance with Article 30(3) of the eIDAS Regulation.
Application of Security Requirements
For such products, security requirements in the form of Protection Profiles must be applied. These are listed in the Commission Implementing Decision (EU) 2016/650 of 25th April 2016, which sets out standards for the security evaluation of QSCDs under Articles 30(3)(a) and 39(2) of the Regulation.
Notified Alternative Evaluation Method
Alternatively, Article 30(3)(b) of the eIDAS Regulation allows for the application of other evaluation methods, provided they ensure equivalent security levels and are notified to the European Commission. Since Commission Decision (EU) 2016/650 does not include Protection Profiles specific to QSCDs for use by Qualified Trust Service Providers (QTSPs) in remote signing, SRC has notified this evaluation method:
“Certification of the conformity of QSCDs for server-signing with the requirements laid down in Annex II of Regulation (EU) No 910/2014”
This alternative evaluation method has been formally notified to the European Commission and is published in its official dashboard (ca. Dashboard of EU Commissions).
SRC Certifies Your Products
SRC Security Research & Consulting GmbH has been designated by the Federal Network Agency as a Conformity Assessment Body pursuant to Article 30(1) of the eIDAS Regulation.
We offer you access to our team’s deep expertise and longstanding experience in the certification of products as Qualified Signature and/or Seal Creation Devices (QSCDs).
The European Commission maintains and regularly updates the official lists of notified Conformity Assessment Bodies (CABs), certified QSCDs, and approved evaluation methods.
In detail …
Conformity assessments in accordance with the requirements of Regulation (EU) No 910/2014 can also be carried out for sub-services of a trust service in order to avoid repeated testing of sub-services used in different qualified trust services. One such service is, for example, the identification of natural persons, which is provided by an identification service provider. The successful conformity assessment of this sub-service can subsequently be used for the conformity assessment of a trust service, e.g. for the generation of qualified certificates for electronic signatures. The conformity assessment body of SRC supports the assessment of sub-services or so-called “modules”.
Conformity assessment for modules
We support you in the conformity assessment in accordance with the requirements of Regulation (EU) No. 910/2014 of partial services (e.g. identification) and its organisation in order to enable the integration of the partial service into qualified trust services.
Trust services
We support you in the qualification of your services and your organisation by the designated supervisory body. SRC carries out conformity assessments according to the requirements of Regulation (EU) No. 910/2014.
In detail …
Trust services: Qualified signatures and seals
With the introduction of the eIDAS Regulation, European Union legislation has redefined the requirements for the qualified electronic signature, the digital replacement of the handwritten signature. In addition, the possibility of a qualified electronic seal has been created, with which the authenticity of sealed data can be proven to third parties by a company or organisation (legal entity). Services (trust services) can be established around the generation and use of qualified signatures and seals, which can be granted the status “qualified” after a successful conformity assessment.
Conformity assessment with review of documentation and audit
The conformity assessment for you as a trusted third party service provider is carried out in two steps: a review of documentation and an on-site audit to verify whether the documented security mechanisms have been implemented correctly. A more detailed description of the procedure and the applicable security requirements from legislation and relevant standards can be found in the associated certification programme. The conformity assessment is performed by SRC, the status is granted by the responsible supervisory body. In Germany these are the BSI (qualified certificates for website authentication) and the Federal Network Agency (all other services).
SRC is accredited by the DAkkS as a conformity assessment body.
In order to carry out such an assessment, SRC, as the examining body, must also prove its expertise and independence in an accreditation procedure. National conformity assessment bodies are accredited by the Deutsche Akkreditierungsstelle (DAkkS).
We are pleased to offer you the possibility to fall back on the expertise and experience of our independent security experts for the conformity assessment of your trusted service.
The trust services in detail…
Creation of qualified certificates for electronic signatures
The qualified trust service for the issuance of qualified certificates in accordance with Article 28 of Regulation (EU) No. 910/2014 (the eIDAS Regulation) includes the generation, issuance, and management of qualified certificates for the creation of (qualified) electronic signatures. For the creation of qualified electronic signatures, the use of a Qualified Signature Creation Device (QSCD) is mandatory. The signer may either be provided with a signature card, or the QSCD may be hosted by a trust service provider through a remote QSCD management service (remote signature service).
Creation of qualified certificates for electronic seals
The qualified trust service for the issuance of qualified certificates in accordance with Article 38 of Regulation (EU) No. 910/2014 (the eIDAS Regulation) includes the generation, issuance, and management of qualified certificates for the creation of (qualified) electronic seals.
For the creation of qualified electronic seals, the use of a Qualified Seal Creation Device (QSCD) is mandatory. The seal creator may either be provided with a seal card, or the QSCD may be hosted by a trust service provider through a remote QSCD management service (remote seal service).
Management of Remote QSCDs
The qualified trust service for the management of remote QSCDs involves the operation of a remote QSCD by a qualified trust service provider in order to enable customers to create qualified electronic signatures (remote signatures)in accordance with Article 29a, or qualified electronic seals (remote seals) in accordance with Article 39a of the eIDAS Regulation.
Creation of qualified certificates for website authentication
This qualified trust service includes the creation, issuance and management of qualified certificates for website authentication (QWAC) in accordance with Article 45 of Regulation (EU) No 910/2014 (eIDAS Regulation). The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 411-2 / -1.
Creation of qualified electronic time stamps
This qualified trust service includes the creation of qualified electronic time stamps in accordance with the requirements of Article 42 of Regulation (EU) No 910/2014 (eIDAS Regulation). Qualified electronic time stamps are subject to the presumption of the accuracy of the date and time indicated therein and the integrity of the data associated with the date and time. They serve as proof that the data were present at a given date and time. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 421.
Electronic registered delivery service
This qualified confidential service includes the service of electronic registered delivery in accordance with the requirements of Article 44 of Regulation (EU) No 910/2014 (eIDAS Regulation). Electronic registered delivery ensure the identification of sender and recipient. The sending and receiving of data is secured at least by an advanced signature or seal of a trusted service provider and includes qualified electronic time stamps to indicate the date and time of sending and receiving. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the standards ETSI EN 319 401 and ETSI EN 319 521 (Electronic Registered Delivery Services) or the standard ETSI EN 319 531 (Policy and security requirements for Registered Electronic Mail Service Providers) if the implementation is based on the use of e-mail.
Validation service for qualified electronic signatures
The qualified validation service in accordance with Article 40 (in conjunction with Article 33) of Regulation (EU) No. 910/2014 (eIDAS Regulation) includes the implementation of the validation of qualified electronic seals. The result of the validation is to be transmitted to the relying parties together with a confirmation by means of an advanced electronic signature or an advanced electronic seal of the provider of the validation service. The conformity assessment is based on the requirements of the eIDAS Regulation and the requirements of the ETSI EN 319 401 standard and the technical specification ETSI TS 119 441 (Policy Requirements for TSP providing signature validation services).
Qualified trust service for the validation of qualified electronic signatures and seals
Preservation services for qualified electronic signatures
Qualified trust service for the validation of qualified electronic signatures and seals
The qualified trust service for the issuance of electronic attestation of attributes, in accordance with Articles 45d et seq. of Regulation (EU) No. 910/2014 and Amending Regulation (EU) 2024/1183 (the eIDAS Regulation), enables the verification of specific attributes of a person — such as their professional role, qualification, affiliation with an organisation, or specific access rights.
These attestations are a core component of EUDI Wallets and can replace paper-based attestations or certificates, provided they are issued by or on behalf of a public authority responsible for an authentic source.
Recording of electronic data in an electronic journal
This qualified trust service comprises the electronic archiving of electronic data and electronic documents in accordance with the requirements of Article 45j of the revised eIDAS Regulation.
It ensures that electronic data and documents are properly archived and guarantees their durability and long-term readability, while protecting them against loss or alteration. For the duration of storage by the qualified trust service provider, the integrity and accuracy of the origin are presumed.
Recording of electronic data in an electronic journal
The qualified trust service for the recording of electronic data in an electronic journal, in accordance with Article 45l of Regulation (EU) No. 910/2014 and Amending Regulation (EU) 2024/1183 (the eIDAS Regulation), enables the chronological, immutable and traceable logging of security-relevant events.
It serves, among other purposes, to document voting actions, approvals and system accesses, and meets strict requirements for immutability, time-stamping and access protection.