Assessment of Standards related to eIDAS

Back to News

The eIDAS Regulation (EU) No 910/2014, lays down requirements for qualified electronic signature creation devices (QSCD) to ensure the functionality of advanced electronic signatures and seals. In the specific context of QSCD however, security evaluation and certification must be carried out against standards established by means of a Commission implementing act (CID).

While CID (EU) 2016/650 lays down standards for the security assessment of QSCDs at the time of drafting it there were no available standards for signing devices yet; consequently, a Trust Services Provider (TSP) managing signature creation data on behalf of the user was unable to support the creation of Qualified Electronic Signature and seals. In a broader context, standards for remote signing devices have yet to be developed too. There are two important use cases relating to the identified gap, namely:

  • trust service providers managing signature creation data on behalf of the user to support the creation of qualified electronic signature and seals 
  • trust service providers creating qualified electronic signature and seals on their own behalf.

In this report, ENISA presents aspects of QSCD certification and QTSP supervision to identify the way to combine respective elements therein, in line with the eIDAS requirements. In this context, this report seeks to support standards CEN EN 419 241‐2 and CEN EN 419 221‐5:2018 so that they could be referenced in an amended version of CID (EU) 2016/650. 

This report suggests that there is shared responsibility between the TSP managing the QSCD to work with appropriate TSP issuing certificates and on the issuing TSP to work with an appropriate TSP to manage the QSCD. Competent supervisory bodies retain of course their function to verify that such requirements are followed in qualified devices management and qualified certificates issuance. 

As a certain amount of coordination across stakeholders is required to achieve a global trust level, it would be pertinent to provide a way to advertise the elements of supervision. Besides the official compilation of Member States notification on secure signature creation devices (SSCDs) and QSCDs, the trusted list of the country where QTSP operates might provide an indication on the way a QSCD is managed. Alternatively, the list of notified SSCDs and QSCDs compiled by the European Commission might also be used for this purpose. Market stakeholders would benefit from further developments in this regard. 

Read the full report here: Assessment of Standards related to eIDAS