Press releases

Eurosmart Welcomes ANSSI Certification of protection profiles for Qualified Electronic Signature (QES) in the cloud

30 June 2016

Eurosmart, the voice of the Smart Security Industry, welcomes the latest certification by the French Agence Nationale de la Sécurité des Systèmes d'Information (ANSSI) for the Qualified Electronic Signatures (QES).

QES are used for all kinds of documents and are the digital equivalent of handwritten signatures. Analogue to a signature by hand they are recognized as legally binding which is the reason for the very high security requirements, specified in articles 3 and 26 of the eIDAS Regulation.

“Security for digital identification and authentication should always be as high as possible. Only then can identities and data be protected. This applies especially in the case of QES,” stated Eurosmart’s Chairman Timothée Mangenot. “A legally binding electronic signature can have far-reaching consequences; just think of contracts or wills. It is therefore imperative that the QES be equipped with the best security technology has to offer. The identification and authentication process is the key for the proper verification of the signatory and thus the guarantee for the authenticity of the document in question. We welcome this new specification as it will promote a common standard for the secure usage of QES, also in the cloud, across the European Union.”

According to articles 3 and 26 of the eIDAS Regulation, the specifications for QES must meet the following requirements:
• Absolutely certain identification of signatory.
• Unique link to the signatory.
• Signatories must have complete control over their QES.
• The data in question cannot be changed; or rather, any change must be immediately detectable.
• Identification and authentication must be based on a qualified certificate.
• QES must be generated via a certified device/tool.

These protective mechanisms are based on international ISO standards, ISO 15408, also known as Common Criteria, which provide the highest level of security against cyberattacks and are considered to make corresponding applications tamper proof. For the QES in the cloud, this means for example that personal keys will be stored on a secure central server and not on any personal device. In addition, any product certified to be compliant with the eIDAS token specification as well as any national eID card certified according to eIDAS specifications can be used for QES authentication in the cloud. Cloud QES can be used complementary to the local QES, provided the implementation is compliant with the eIDAS specifications for QES in the cloud protection profile.

“Eurosmart and its key protection profile experts have contributed to the establishment to these protection profiles by providing the expertise on securing authentication and identification. Their proposal for solutions helped to complete this document in compliance with the eIDAS Regulation” said François Guerin, Head of the Eurosmart Product and System Security (PSS) Committee.