Certification Service Provider Accreditation
Upon request, certification service providers may voluntarily obtain accreditation from the competent authority if they can demonstrate that the requirements of the Signature Act and the Signature Ordinance are met.
Accredited certification service providers receive a quality mark from the competent authority. They may call themselves accredited certification service providers and refer to proven security in legal and business transactions.
Note: The application for voluntary accreditation is also considered a notification of the activity if the conditions stated there are met.
Process flow
Contact a testing and confirmation body at an early stage. For example, they can advise you in advance on your questions. Have them check and confirm that you meet the requirements. The testing and advisory body can be freely selected from the above-mentioned list on the website of the Federal Network Agency.
After the fulfilment of the requirements has been checked and confirmed by a testing and confirmation body, you must submit the application for accreditation in writing or by means of an electronic document with a qualified electronic signature in accordance with the Signature Act to the competent authority. It must contain the name and address of the certification service provider and the names of the legal representatives.
Who should I contact?
Competent authority
Federal Network Agency
Which documents are required?
- Application for accreditation
- for the certification service provider and its legal representatives: up-to-date certificates of good conduct in accordance with Section 30 (5) of the Federal Central Register Act or documents from another member state of the European Union or another state party to the Agreement on the European Economic Area which have an equivalent function or from which it can be seen that the relevant requirement has been met,
- an up-to-date extract from the commercial register or a comparable document, or a document from another member state of the European Union or another state party to the Agreement on the European Economic Area which has an equivalent function or from which it is clear that the relevant requirement is met,
- Proof of the required technical, administrative and legal expertise,
- Security concept with the following content:
  - Description of all necessary technical, structural and organizational safety measures and their suitability
  - Overview of the products used for qualified electronic signatures with corresponding confirmations in accordance with the Signature Act
  - Overview of the organizational structure and processes as well as the certification activities
  - Precautions and measures to ensure and maintain operations, especially in the event of emergencies
  - Procedures for assessing and ensuring the reliability of the personnel deployed
  - Assessment and evaluation of remaining security risks,
- Proof of financial security (e.g. liability insurance or comparable indemnification/warranty obligation of a credit institution) that meets the requirements of § 12 of the Signature Act and § 9 of the Signature Ordinance,
- If applicable, proof of the transfer of tasks in accordance with the Signature Act and the Signature Ordinance to third parties (contracts),
- Audit and confirmation report from the testing and confirmation body, confirmation of the implementation of safety concepts.
What are the fees?
For processing the application for accreditation, the competent authority charges fees, the amount of which depends on the time spent, as well as expenses.
Legal basis
Section 24 Nos. 1, 3 and 4 of the Signature Act (SigG)
§ 1 Signature Ordinance (SigV)
What else should I know?
The Signature Act is an implementation of the European Signature Directive (1999/93/EC). Article 3(3) of that Directive provides that Member States are to establish 'an appropriate system for monitoring certification service providers established in their territory which issue qualified certificates to the public'. Therefore, only a natural or legal person resident in the Federal Republic of Germany can become a certification service provider, as it is only against this person that it may be possible to enforce an administrative act within the framework of supervision. For foreign certification service providers, § 23 of the Signature Act and § 18 of the Signature Ordinance apply. The procedure "to become a certification service provider" is governed by the respective national regulations in the respective Member State. Insofar as parts of the certification service are operated in another member state of the European Union, another state party to the Agreement on the European Economic Area or a third country, § 1 para. 3 of the Signature Ordinance must be observed.
Accredited certification service providers must have a testing and confirmation body check and confirm every three years that the requirements of the Signature Act and the Signature Ordinance continue to be fully met. In addition, the test and confirmation must be repeated after safety-relevant changes.
You must submit the test and confirmation report and the confirmation to the competent authority without being asked.
Accredited certification service providers must
- use tested and confirmed products for qualified electronic signatures for their certification activities,
- issue qualified certificates only to persons who verifiably possess tested and confirmed signature creation devices, and
- notify the signing key holder of verified and confirmed signature application components.
Further requirements or obligations of a certification service provider that have not been specified or not detailed in this short list (e.g. documentation, blocking, obligation to inform, maintenance of a certificate directory) can be found in the Signature Act and the Signature Ordinance.