eIDAS Trustmark Logo

The legitimacy of qualified electronic signatures

 

Positive conformity assessment for A-Trust

Pursuant to the eIDAS Regulation, [1] trust service providers have until 30 June 2017 to have the conformity of their services to the eIDAS Regulation assessed. In a first step, these conformity assessment bodies needed to be created and the necessary changes made.

 

In addition, the Austrian supervisory authority RTR has announced that there will be no time extensions. Services that are unable to deliver a positive report by the time indicated will lose their authorisation to issue qualified certificates.

 

A-Trust proudly announces that it is in receipt of the positive conformity assessment report for all qualified services and that it has been submitted to the supervisory authority. We are happy to be able to continue supporting our customers with products that comply to highest security standards and compliance guidelines and that make digital life easy and secure.

 

View certificate of conformity

 

[1] http://eur-lex.europa.eu/legal-content/DE/TXT/?uri=celex%3A32014R0910

 

 

eIDAS Regulation

As of 1 July 2016, trust services can be offered in all 28 EU member states in accordance with "Regulation (EU) No 910/2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC", or eIDAS Regulation for short.

The eIDAS Regulation provides binding European rules relating to "electronic identification" and "electronic trust services". The Regulation creates a uniform framework for cross-border use of electronic identification and trust services.

As an EU Regulation, it is directly applicable law in all 28 EU member states and takes precedence over national signature laws.

According to Article 25 of the eIDAS Regulation, a qualified electronic signature has the same legal effect as a handwritten signature and is recognised in all member states.


Generating a qualified electronic signature

A qualified electronic signature is an electronic signature based on a qualified certificate that is generated by a qualified signature creation device.

A signature creation device is a configured software or hardware used to create an electronic signature. In the web ID procedure, the hardware security module (HSM) located in A-Trust's high-security centre serves as a qualified signature creation device.

A qualified certificate is a certificate issued by a qualified trust service provider and contains specific information as laid out in Annexes I, III and IV of the eIDAS Regulation. The essential quality attributes of a qualified certificate are:

  • that the identity of the natural or legal persons for whom the certificate is issued has been reliably verified[1], and that
  • strict requirements are applicable for the trust service provider and, in particular, for the technical components used by such trust service provider.

The supervisory body which is established by national law, grants the qualified trust service provider its status by entering its name in a trusted list in acc. with Article 22 eIDAS Regulation. For this purpose, the qualified trust service provider must submit a conformity assessment report issued by a conformity assessment body (Art. 20 eIDAS Regulation). It is also for the conformity assessment body to certify the qualified signature creation device (Art. 30 eIDAS Regulation).

A-Trust GmbH has been accredited by the Austrian supervisory body (Telekom Control Commission) following an evaluation by the conformity assessment body "A-SIT Secure Information Technology Center" (in accordance with Regulation No 765/2008) and set up on the basis of the regulation of the Federal Chancellor and included in the Austrian trusted list. Furthermore, A-SIT has certified all the qualified signature creation devices used by A-Trust GmbH. Evaluations are repeated every 24 months in order to ensure compliance of the qualified trust services.

Full compliance of A-Trust GmbH with the provisions of the eIDAS Regulation and the Austrian Signature and Trust Services Act [2] (SVG) warrant the technical integrity and legitimacy of the qualified signatures created by means of the process described above.

To warrant legal certainty with respect to the validity of the signatures, qualified electronic signatures can be validated at all times using the signature verification service made available free of charge by the Austrian supervisory body in acc. with sec. 14(2) Signature and Trust Services Act (SVG). Alternatively, qualified electronic signatures can also be verified using the validation service of A-Trust GmbH.

 

A-Trust GmbH is an Austrian company that provides secure communication services for the digital and mobile world. Its focus is on confidentiality, integrity and convenience, as well as the creation of secure digital signatures. The company has been accredited as a certification service provider since 2002 and has been active as a qualified trust service provider for qualified certificates since July 2016 (eIDAS). A-Trust Gesellschaft für Sicherheitssysteme im elektronischen Datenverkehr GmbH is subject to regular inspections by the Telekom Control Commission.

 


 

 [1] In the web ID procedure, WebID Solutions GmbH verifies identities in compliance with German law (German Money Laundering Act; GwG). Admissibility of the procedure has been confirmed by the German Federal Ministry of Finance (BMF) and the German Federal Financial Supervisory Authority.

 [2] The Austrian Signature and Trust Services Act (SVG) transposing the eIDAS Regulation into Austrian law took effect on 1 July 2016.