Hi All,
The present document specifies policy and security requirements for TSP services operating a digital signature creation device, including a Qualified Signature/Seal Creation Device (QSCD) as defined in Regulation (EU) 2024/1183 [i.11] amending Regulation (EU) No 910/2014 [i.1] to create a digital signature value on behalf of a remote signer. These requirements are based on the general policy requirements specified in ETSI EN 319 401 [1] and take into account related requirements for certificate issuance in ETSI EN 319 411-1 [2]. The requirements of the present document are aligned with the requirements specified in EN 419241-1 [3].
When digital signatures are created in an entirely user-managed environment, it is assumed that the signature creation data is under the control of the signer, who is physically in possession of the signature creation device. For remote digital signature creation, the signature creation data is maintained and managed by a third party on behalf of the signer. To guarantee that the signature creation environment is reliable and that the signature creation data is used under the control of the signer, the provider of the remote digital signature service has to apply specific management and administrative security procedures and use trustworthy systems and products, including secure electronic communication channels.
------------------------------
Michael Roza CPA, CISA, CIA, CC, CCSKv5, CCZTv1, MBA, EMBA, CSA
------------------------------