Certification Service Provider Accreditation
Upon request, certification service providers can voluntarily be accredited by the competent authority if they can prove that the requirements of the Signature Act and the Signature Ordinance are met.
Accredited certification service providers receive a quality mark from the competent authority. They may call themselves accredited certification service providers and invoke proven security in legal and business transactions.
Note: The application for voluntary accreditation is also considered a notification of the activity if the requirements stated there are met.
Contact a testing and confirmation body at an early stage. It can, for example, advise you on your questions in advance. Have it check and confirm that you have met the requirements. You can freely select the testing and confirmation body from the list on the website of the Federal Network Agency.
After the fulfilment of the requirements has been checked and confirmed by a testing and confirmation body, you must submit the application for accreditation to the competent authority in writing or by means of an electronic document provided with a qualified electronic signature in accordance with the Signature Act. It must contain the name and address of the certification service provider and the names of the legal representatives.
Who should I contact?
Federal Network Agency
Which documents are required?
- Application for accreditation
- For the certification service provider and its legal representatives: current certificates of good conduct in accordance with Section 30 (5) of the Federal Central Register Act or documents of another member state of the European Union or another state party to the Agreement on the European Economic Area which have an equivalent function or which show that the relevant requirement is met,
- Current extract from the commercial register or a comparable document or document of another member state of the European Union or another state party to the Agreement on the European Economic Area which has an equivalent function or which shows that the relevant requirement is met,
- Proof of the required technical, administrative and legal expertise,
- Security concept with the following content:
  - Description of all necessary technical, structural and organizational security measures and their suitability
  - Overview of the products used for qualified electronic signatures with corresponding confirmations in accordance with the Signature Act
  - Overview of the structural and procedural organization as well as the certification activities
  - Precautions and measures to ensure and maintain operations, especially in the event of emergencies
  - Procedures for assessing and ensuring the reliability of the personnel deployed
  - Assessment and evaluation of remaining security risks,
- Proof of financial security (e.g. liability insurance or comparable indemnification/warranty obligation of a credit institution) that meets the requirements of § 12 of the Signature Act and § 9 of the Signature Ordinance,
- If applicable, proof of the transfer of tasks under the Signature Act and the Signature Ordinance to third parties (contracts),
- Test and confirmation report of the testing and confirmation body, confirmation of the implementation of the security concept.
What are the fees?
The competent body shall charge fees and expenses for the processing of the application for accreditation, the amount of which shall depend on the time spent.
What else should I know?
The Signature Act is an implementation of the European Signature Directive (1999/93/EC). Article 3(3) of the Directive provides that Member States shall establish 'an appropriate system for the supervision of certification-service-providers established in their territory who issue publicly qualified certificates'. Therefore, only a natural or legal person domiciled in the Federal Republic of Germany can become a certification service provider, because an administrative act issued in the course of supervision may only be enforceable against such a person. Section 23 of the Signature Act and Section 18 of the Signature Ordinance apply to foreign certification service providers. The procedure for "becoming a certification service provider" is governed by the national regulations of the respective Member State. Insofar as parts of the certification service are operated in another member state of the European Union, another state party to the Agreement on the European Economic Area or a third country, § 1 para. 3 of the Signature Ordinance must be observed.
Accredited certification service providers must have a testing and confirmation body check and confirm every three years that the requirements of the Signature Act and the Signature Ordinance continue to be fully met. In addition, the test and confirmation must be repeated after security-relevant changes.
You must submit the test and confirmation report and the confirmation to the competent authority without being asked.
Accredited certification service providers must
- use tested and confirmed products for qualified electronic signatures for their certification activities,
- issue qualified certificates only to persons who verifiably possess tested and confirmed signature creation devices, and
- inform the signature key holder about tested and confirmed signature application components.
Further requirements or obligations of a certification service provider that have not been set out in this short list or have not been set out in detail (e.g. documentation, blocking, obligation to inform, maintenance of a certificate directory) can be found in the Signature Act and the Signature Ordinance.