QSCD


TÜV NORD: your partner for qualified signature and seal creation devices

Qualified electronic signature and seal creation devices (QSCDs) must fulfil the requirements of the eIDAS Regulation (Annex II) and be certified in accordance with it. Testing and certification are carried out in accordance with an authorised security assessment procedure by an independent body designated by an EU member state and notified to the EU Commission. Certification by an independent and notified body is a prerequisite for the QSCD to be included in the EU list of certified QSCDs.

As an accredited testing and certification body for Common Criteria and a notified certification body for QSCDs, we support you from the assessment and certification through to the final step of publication of your QSCD by the European Commission. Depending on the type of QSCD, the assessment is carried out according to Common Criteria or is based on a certification process developed by TÜV NORD with equivalent security.

In addition, we offer you customised workshops to optimally prepare you for an upcoming certification or make you an expert in eIDAS and ETSI as part of our eIDAS.PROFESSIONAL training.

Request a personalised quote now

Target group of the certification for trust service providers for a qualified signature and seal creation device

Our offer is aimed at a wide range of organisations involved in the secure, legally binding distribution and use of qualified signature and seal creation devices:

  • Companies that already operate a qualified signature and seal creation device or are planning to set one up
  • Providers of digital identity services, certification services or trust services within the meaning of the eIDAS Regulation

The advantages of certification at a glance

  • European recognition: Your QSCD will be included in the official list of the EU Commission and published on our website.
  • European market access: You create the basis for the legally binding use of your QSCD in the European internal market.
  • Objective proof of trust: The IT security of your QSCD can be transparently proven to customers and trust service providers.
  • Efficient process: Our approved assessment procedure and support for Common Criteria documents reduce time and effort.

Your path to becoming a certified trust service provider for a qualified signature and seal creation device

This is how we support you holistically:

Training & Qualification

  • eIDAS.PROFESSIONAL training for your employees

Concept & preparation

  • Overview of the legal requirements for QSCDs, including the relevant eIDAS requirements, relevant ETSI standards, and assessment of these requirements in the respective context
  • Introduction to the TÜV NORD certification programme, including normative and legal requirements, interpretations and other relevant aspects
  • Workshops and preliminary audits to identify non-conformities and potential for improvement through status analyses of the PKI or trust service and GAP analysis of existing documentation and processes

Testing & conformity assessment

Audit of your implementation based on the eIDAS Regulation, including

  • Article 30: Certification of qualified electronic signature creation devices
  • Article 39: Qualified electronic seal creation devices

Application of the following standards:

  • CID (EU) 2016/650: Standards for the security assessment of qualified signature and seal creation devices in accordance with Articles 30(3) and 39(2) of the eIDAS Regulation
  • EU QSCD List: Notifications by Member States of notified bodies, certified qualified electronic signature and seal creation devices under the eIDAS Regulation
  • ISO/IEC 15408-1 (Common Criteria): Information technology - IT security techniques - Evaluation criteria for IT security - Part 1: Introduction and general model
  • ISO/IEC 15408-2 (Common Criteria): Information technology - IT security techniques - Evaluation criteria for IT security - Part 2: Security functional components
  • ISO/IEC 15408-3 (Common Criteria): Information technology - IT security techniques - Evaluation criteria for IT security - Part 3: Security control components
  • EN 419 221-5 (Common Criteria protection profile for crypto modules): CEN/EN 419 221-5:2018, Protection profiles for cryptographic TSP modules - Part 5: Cryptographic module for trust services
  • EN 419 241-2 (Common Criteria protection profile for QSCDs for server signatures): CEN/EN 419 241-2:2019, Trusted systems supporting server signatures - Part 2: Protection profile for QSCDs for server signing

Alternative certification procedures

  • Certification process for eIDAS-compliant QSCDs of the certification body of TÜV Informationstechnik GmbH V. 1.3
  • Certification process for eIDAS-compliant QSCDs of the certification body of TÜV Informationstechnik GmbH V. 1.2

Certification & re-certification

  • Conformity assessment and certification
  • Support for inclusion in the EU Trusted Service List

FAQ – Frequently asked questions about qualified signature and seal creation devices

A qualified signature or seal creation device (QSCD) is a special combination of hardware and software that securely manages cryptographic keys and can be used to create qualified electronic signatures/seals (QES). QSCDs based on crypto modules are used especially for server signatures. The QSCD uses various technical procedures and means to ensure, among other things, that signature keys remain confidential and are generated using established cryptographic procedures.

To be officially classified as a QSCD, a device must fulfil the requirements of Annex II of Regulation (EU) No. 910/2014 (eIDAS). Article 1 of CID (EU) 2016/650 distinguishes between two types of QSCDs:

  1. QSCDs in which the electronic signature or seal creation data is located entirely, but not necessarily exclusively, in the user's environment. In this case, certification is based on Common Criteria protection profiles.
  2. QSCDs where a qualified trust service provider manages the electronic signature or seal creation data on behalf of a signatory or seal creator (remote QSCD or server signature QSCD). As there are no applicable standards for the assessment of remote QSCDs, approved certification procedures with a security level equivalent to Common Criteria certification can be used.

Depending on the type of QSCD, the assessment is carried out:

  • On the basis of Common Criteria, e.g. by testing against a suitable protection profile
  • Alternatively, for remote QSCDs, by a security assessment procedure with an equivalent level of security approved by a notified body

Only bodies that have been designated by an EU member state in accordance with eIDAS and notified to the EU Commission are authorised to assess QSCDs. TÜV NORD is such a notified body and at the same time an accredited testing centre for Common Criteria.

Only QSCDs that have been successfully assessed may be officially considered "qualified" and are included in the EU list of certified QSCDs. This is a prerequisite for trust service providers to be authorised to use these devices as part of qualified electronic signature or seal creation services.

TÜV NORD provides you with comprehensive support:

  • with status analyses, GAP analyses and workshops
  • through structured support in the testing and assessment process
  • with expertise in the preparation of Common Criteria-compliant documentation
  • with communication with authorities and submission to the EU Commission

The training provides practical knowledge about eIDAS, ETSI standards, IT security requirements and the QSCD assessment process. It qualifies your employees to better understand the requirements and implement projects efficiently.

Why we are a strong partner for you

We support you with in-depth expertise in the field of electronic seals, trust services and conformity assessment - from the initial idea to successful certification. Our experts know the regulatory requirements of the eIDAS Regulation and relevant ETSI standards in detail. With practical workshops, individual training courses (e.g. on eIDAS.PROFESSIONAL) and sound advice, we ensure that your trust service is legally compliant, secure and recognised throughout Europe. Trust in our experience - for maximum security, integrity and authenticity of your digital documents.

Expertise

Our experienced experts have already successfully implemented more than 500 PKI projects of various sizes, some of them transnational.

Industry experience

Thanks to our many years of experience in a wide variety of sectors, we are able to serve companies in a wide range of industries.

Everything from a single source

We provide you with the eIDAS all-round package: from training and workshops to planning support and audits through to conformity assessment (certification).

Do you have questions? We are happy to help!

Additional services

Electronic seals

Become a qualified trust service provider for electronic seals: We support you in planning your service(s), carry out tests according to eIDAS & ETSI and accompany you on your way to conformity assessment.

Remote signatures & remote seals

A trustworthy environment is the be-all and end-all when creating electronic remote signatures. To prove this objectively and be officially listed as a trust service provider, you must fulfil the requirements of the eIDAS Regulation.

Website authentication

Are you in the process of setting up or developing a qualified trust service for the creation of website certificates and would like to demonstrate compliance with the requirements of the eIDAS Regulation? Then you've come to the right (IT) address!