eIDAS Certification

Certification of Trust Services

The eIDAS Regulation applies to trust services across the EU. It sets out the legal framework for electronic signatures, electronic seals, electronic time stamps as well as electronic registered delivery services and certificate services for website authentication. Therefore, many sections of the eIDAS replace the provisions of the German federal Digital Signature Act (“Signaturgesetz” - SigG). Qualified trust service providers, together with their qualified trust services, must be verified and certified.
datenschutz cert GmbH is accredited by DAkkS, and can therefore issue certificates in accordance with eIDAS.

Background

eIDAS stands for “Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC”. eIDAS mostly repeals the German federal Digital Signature Act SigG, as the eIDAS, an EU Regulation, will take precedence over the application of the SigG. As a result, the requirements listed in both SigG and the previous Directive (“Signaturverordnung” - SigV) will no longer be applicable, and now fall within the scope of the eIDAS. The scope of SigG that remains unaffected, i.e. the requirements which do not fall within eIDAS, shall be provided for in a new German federal law, the Trust Services Act (“Vertrauensdienstegesetz”).
eIDAS regulates electronic identification means for natural and legal persons as well as for trust services. In doing so, the eIDAS provides the legal framework for electronic signatures, electronic seals, electronic time stamps as well as electronic registered delivery services and certificate services for website authentication. The eIDAS includes the following detailed services:

Creation

  • Qualified certificates for electronic signatures  
  • Qualified certificates for electronic seals
  • Qualified certificates for website authentication
  • Qualified electronic time stamps
  • Qualified electronic signatures
  • Qualified electronic seals

Verification and Validation

  • Qualified electronic signatures, electronic seals, electronic time stamps and accompanying qualified certificates
  • Qualified certificates for website authentication

Preservation

  • Qualified electronic signatures, electronic seals or accompanying qualified certificates

Electronic registered delivery services

  • Electronic services

While electronic signatures, certificates and electronic time stamps were also provided for in SigG and SigV, electronic seals are an entirely new provision. With them, the legislature is fulfilling a long-harboured wish of national authorities and the business community: that organisations can also generate signatures.
Preservation and Electronic registered delivery services are also new. According to the eIDAS, the “electronic registered delivery service” is “a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations”.
Website certificates were already called for via the CA/Browser (CAB) Forum: to date, those who wished to have their certificates pre-installed in browsers and operating systems had to obtain a corresponding certification. These regulations have now also been included in the eIDAS.

The Advantages of eIDAS-Certification for You

It is perfectly clear: the eIDAS Regulation prescribes certification for qualified trust service providers.
Aside from this prerequisite for market entry in accordance with the eIDAS, we also know from experience that both processes and products are continually improved and made more efficient when they are reviewed and tested by independent experts.

Certification Norms

For the assessment and certification of trust service providers and the trust services that you offer, the following ETSI norms will be used:

  • ETSI EN 319 401: The basic requirements for Trust Service Providers (TSP) are provided in the norm ETSI EN 319 401. Its title (“General Policy Requirements for Trust Service Providers supporting Electronic Signatures”) demonstrates that all subsequent norms require the fulfilment of ETSI EN 319 401.
  • ETSI EN 319 411-2 (“Trust Service Providers issuing certificates; Part 2: Policy requirements for certification authorities issuing qualified certificates”) defines the requirements that a TSP must meet if they wish to issue certificates.
  • ETSI TS 319 411-3 (“Trust Service Providers issuing certificates; Part 3: Policy requirements for Certification Authorities issuing public key certificates”) defines the requirements that a TSP must meet if they wish to issue advanced certificates. The certification under this norm has a further advantage: the creators of internet browsers accept this certification as a prerequisite for the acceptance of the TSP in the internet browsers’ respective certificate storage.
  • ETSI EN 319 421: The requirements that a TSP must meet if they wish to issue qualified electronic time stamps.

As was previously the case in SigG, qualified electronic signature creation devices are required for the creation of signatures, which is loosely provided for in Annex II eIDAS. These requirements were substantiated in the Implementing Decision (EU) 2016/650 of 25 April 2016 “laying down standards for the security assessment of qualified signature and seal creation devices pursuant to Articles 30(3) and 39(2) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market”, where Common Criteria certifications on the basis of Common Criteria Protection Profiles are set as the norm.

Our Approach

The German Accreditation Body (“Deutsche Akkreditierungsstelle” - DAkkS) accredits conformity assessment bodies on the basis of ETSI EN 319 403 in connection with ISO/IEC 17065. The conformity assessment bodies that are accredited by the DAkkS are thereby enabled to certify the above-named trust services.
datenschutz cert GmbH is accredited by DAkkS, and can therefore issue certificates in accordance with the existing ETSI norms.
We aspire not only to advise you in all matters surrounding an eIDAS certification, but also to accompany you through auditing procedures and certification as a partner.

Costs

The costs and fees that you should prepare for are strongly dependent on the complexity of your scope, so please feel free to contact us for a detailed offer.