QSCD
Certification as a Qualified Electronic Signature Creation Device or Seal Creation Device according to Art. 30, Para. 3 of the eIDAS Regulation. SRC is your eIDAS certification body.
SRC Cert supports you in the certification of cards, HSMs, and other hardware components as Qualified Signature/Seal Creation Devices (QSCD).
Conformity assessment for modules
We support you with conformity assessment according to the requirements of Regulation (EU) No. 910/2014 for sub-services (e.g., identification) and their organization, to enable the integration of the sub-service into qualified trust services.
Trust services
We support you in qualifying your services and your organization through the approved supervisory body. SRC Cert conducts conformity assessments according to the requirements of Regulation (EU) No. 910/2014.
QSCD
In detail …
Signatures and company seals are critical for security
Signing a document and creating a company seal are security-critical processes. Forgery can have unpleasant consequences for all parties involved, potentially leading to significant financial loss or considerable damage to a provider’s reputation. For products used to generate the technical equivalents of signatures and seals – qualified electronic signatures and qualified electronic seals – the legislator has therefore established an approval procedure with correspondingly high security requirements in the eIDAS Regulation.
Certification according to Art. 30, Para. 3 of the eIDAS Regulation
SRC’s “eIDAS certification body” is able to certify a product as a Qualified Electronic Signature Creation Device or Seal Creation Device (QSCD) according to Art. 30, Para. 3 of the eIDAS Regulation, either in combination with or based on an existing Common Criteria evaluation.
Application of Security Requirements
For products, security requirements (Protection Profiles) must be applied as listed in “Commission Implementing Decision (EU) 2016/650 of 25 April 2016 laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Article 30(3) and Article 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market” (Art. 30, Para. 3 (a)).
SRC Cert has notified the EU Commission of a testing procedure
Alternatively, the eIDAS Regulation allows for the application of other testing procedures, provided that equivalent security levels are applied and the testing procedure has been notified to the EU Commission (Art. 30, Para. 3 (b)). Since the aforementioned Implementing Decision (EU) 2016/650 does not list Protection Profiles that contain security requirements for QSCDs for use by a trust service provider, SRC has notified the EU Commission of a testing procedure “Certification of the conformity of QSCDs for server-signing with the requirements laid down in Annex II of Regulation (EU) No. 910/2014” for the certification of QSCDs for use in remote signatures (cf. EU Commission Dashboard).
SRC Cert certifies your products
SRC Cert has been designated as an “eIDAS certification body” by the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways according to Art. 30, Para. 1 of the eIDAS Regulation.
We are happy to offer you the opportunity to leverage the expertise and extensive experience of our independent experts for the certification of your product as a qualified signature and/or seal creation device.
The EU Commission publishes and updates lists of notified “eIDAS certification bodies” and QSCDs, as well as all currently notified alternative testing procedures.
In detail …
Conformity assessments according to the requirements of Regulation (EU) No. 910/2014 can also be carried out for sub-services of a trust service to avoid repeated testing of sub-services used in various qualified trust services. One such service is, for example, the identification of natural persons, offered by an identification service provider. The successful conformity assessment of this sub-service can then be used for the conformity assessment of a trust service, e.g., for the creation of qualified certificates for electronic signatures. SRC’s conformity assessment body supports the assessment of sub-services or so-called “modules.”
Trust services
In detail …
Trust Services. Qualified Signatures and Seals
With the introduction of the eIDAS Regulation, European Union legislation redefined the requirements for qualified electronic signatures, the digital equivalent of handwritten signatures. Additionally, the possibility of a qualified electronic seal was created, which allows the authenticity of data sealed by a company or organization (legal entity) to be proven to third parties. Services (trust services) can be established around the creation and use of qualified signatures and seals, which can be granted “qualified” status after a successful conformity assessment.
Conformity Assessment with Documentation and Audit
The conformity assessment for you as a trust service provider is carried out in two steps: a review of the documentation and an on-site audit to verify whether the documented security mechanisms have been correctly implemented. A more detailed description of the procedure and the applicable security requirements from legislation and relevant standards can be found in the associated certification program. The conformity assessment is carried out by SRC, and the status is granted by the competent supervisory body. In Germany, these are the BSI (qualified certificates for websites) and the Federal Network Agency (all other services).
SRC is accredited by DAkkS as a conformity assessment body.
To carry out such an assessment, SRC, as the auditing body, must also demonstrate its expertise and independence in an accreditation procedure. National conformity assessment bodies are accredited by the German Accreditation Body (DAkkS).
We are happy to offer you the opportunity to draw on the expertise and experience of our independent security experts for the conformity assessment of your trust service.
The trust services in detail…
Creation of qualified certificates for electronic signatures
The qualified trust service for the creation of qualified certificates according to Article 28 of Regulation (EU) No. 910/2014 (eIDAS Regulation) includes the creation, issuance, and management of qualified certificates for the creation of (qualified) signatures. The use of a Qualified Signature Creation Device (QSCD) is mandatory for the creation of qualified signatures. For this purpose, a signature card can be issued to the signatory, or the QSCD can be hosted by a trust service provider through the remote QSCD management service (remote signatures).
Creation of qualified certificates for electronic seals
The qualified trust service for the creation of qualified certificates according to Article 38 of Regulation (EU) No. 910/2014 (eIDAS Regulation) includes the creation, issuance, and management of qualified certificates for the creation of (qualified) seals. The use of a Qualified Seal Creation Device (QSCD) is mandatory for the creation of qualified seals. For this purpose, a seal card can be issued to the seal creator, or the QSCD can be hosted by a trust service provider through the remote QSCD management service (remote seals).
Management of Remote QSCDs
The qualified trust service for the management of remote QSCDs includes the operation of a remote QSCD by a qualified trust service provider to offer customers the possibility of creating qualified electronic signatures (remote signatures) according to Art. 29a or qualified electronic seals (remote seals) according to Art. 39a of the eIDAS Regulation.
Creation of qualified certificates for website authentication
This qualified trust service includes the creation, issuance, and management of qualified certificates for website authentication (QWAC) according to Article 45 of Regulation (EU) No. 910/2014 (eIDAS Regulation).
Creation of qualified electronic time stamps
This qualified trust service includes the creation of qualified electronic time stamps according to the requirements of Article 42 of Regulation (EU) No. 910/2014 (eIDAS Regulation). For qualified electronic time stamps, the presumption of accuracy of the date and time indicated therein, as well as the integrity of the data associated with the date and time, applies. They serve as proof that the data existed at a given date and time.
Electronic registered delivery service
This qualified trust service includes the delivery of electronic registered mail according to the requirements of Article 44 of Regulation (EU) No. 910/2014 (eIDAS Regulation). It ensures the identification of sender and recipient. The sending and receiving of data are secured by at least an advanced electronic signature or an advanced electronic seal of a trust service provider and incorporate qualified electronic time stamps to indicate the date and time of sending and receiving.
Validation service for qualified electronic signatures
The qualified validation service according to Article 33 of Regulation (EU) No. 910/2014 (eIDAS Regulation) includes the performance of validation of qualified electronic signatures according to Article 32, Paragraph 1 of the eIDAS Regulation. The result of the validation must be communicated to the relying parties with confirmation by an advanced electronic signature or an advanced electronic seal of the validation service provider.
Preservation service for qualified electronic signatures and seals
The qualified preservation service for qualified electronic signatures according to Article 34 and qualified electronic seals according to Article 40 (in conjunction with Art. 34) of Regulation (EU) No. 910/2014 (eIDAS Regulation) includes extending the trustworthiness of qualified signatures and qualified seals beyond their technological validity period.
Issuance of electronic attribute attestations
The qualified trust service for the issuance of electronic attribute attestations according to Article 45d et seq. of Regulation (EU) No. 910/2014 and Amending Regulation (EU) 2024/1183 (eIDAS Regulation) enables the proof of certain attributes of a person, such as professional role, professional qualification, affiliation with an organization, or specific access rights. They are a central component of EUDI Wallets and can replace any paper-based attestations or proofs if they have been issued by or on behalf of a public body responsible for an authentic source.
Electronic archiving of electronic data and electronic documents
This qualified trust service includes the electronic archiving of electronic data and electronic documents according to the requirements of Article 45j of the adapted eIDAS Regulation. It ensures that electronic data and documents are archived and guarantees their durability and long-term readability, while protecting the data from loss or alteration. For the duration of preservation by the qualified trust service provider, the integrity and correctness of the origin information are presumed.
Recording of electronic data in an electronic journal
The qualified trust service for recording electronic data in an electronic journal according to Article 45l of Regulation (EU) No. 910/2014 and Amending Regulation (EU) 2024/1183 (eIDAS Regulation) enables the chronological, unalterable, and traceable logging of security-relevant processes. It serves, among other things, to document votes, approvals, and system accesses and meets high requirements for immutability, timestamping, and access protection.
