Testing and Certification Bodies Recognition
Confirmation bodies and testing and confirmation bodies have the task of checking and confirming the security concepts of certification service providers (testing and confirmation body) and of confirming that products for qualified electronic signatures meet the legal requirements (confirmation body).
The recognised bodies must carry out their tasks impartially, conscientiously and free from instructions. Tests and confirmations carried out must be documented.
Upon request, both natural and legal persons can be recognised as a confirmation body or as a testing and confirmation body.
The application for recognition as a confirmation body or as a testing and confirmation body can be submitted informally. It must contain the names and addresses of the applicant and his or her legal representatives.
After checking the conditions, the competent authority may grant recognition as follows:
- unlimited
- limited in content
- temporary
- with conditions.
Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways (abbreviated: Federal Network Agency)
- A person is considered to be reliable if he or she is suitable for the proper performance of the tasks incumbent on him or her by virtue of his or her personal characteristics, behaviour and abilities.
- Independence: A person who is not subject to economic, financial or other pressures which may influence his or her judgment or jeopardise the impartial performance of his or her duties is considered to be independent.
- The necessary specialist knowledge is possessed by those who, on the basis of their education, professional training and practical experience, are suitable for the proper performance of the tasks incumbent on them.
- Accreditation of the applicant body in accordance with DIN EN 45011 as a certification body for IT security according to ITSEC or CC or accreditation as a testing body in accordance with DIN EN ISO/IEC 17025 as a testing laboratory for IT security with licensing for tests according to ITSEC or CC by the Federal Office for Information Security (BSI).
- For recognition as a testing and confirmation body for security concepts: submission of a documented testing and confirmation procedure for security concepts
- For the applicant and his/her legal representatives: current certificates of good conduct in accordance with Section 30 (5) of the Federal Central Register Act, or documents from another member state of the European Union or another state party to the Agreement on the European Economic Area which have an equivalent function or from which it can be seen that the relevant requirement has been met,
- an up-to-date extract from the commercial register or a comparable document, or a document from another member state of the European Union or another state party to the Agreement on the European Economic Area which has an equivalent function or from which it is clear that the relevant requirement is met,
- Proof of financial independence (in particular through minimum capital and comparable collateral),
- Proof of the required technical, administrative and legal expertise,
- Declaration of the statutory activities under the Signature Act to which the application relates (confirmation body for products for qualified electronic signatures pursuant to Section 17 (4) or Section 15 (7) sentence 1 of the Signature Act and/or testing and confirmation body for security concepts pursuant to Section 15 (2) of the Signature Act),
- Proof of sufficient experience in the application of the test criteria according to Annex 1 of the Signature Ordinance,
- where applicable, a description of how the appropriate monitoring of the audit activity will be ensured.
The competent authority charges fees for processing the application, the amount of which depends on the time spent, as well as expenses.