Regulation on electronic signature

Original Language Title: Verordnung zur elektronischen Signatur

Regulation on electronic signatures (Signature Ordinance-SigV)

Unofficial table of contents

SigV

Date of completion: 16.11.2001

Full quote:

"Signature Ordinance of 16 November 2001 (BGBl. 3074), as last amended by Article 4 (112) of the Law of 7 August 2013 (BGBl. I p. 3154)"

Status: Last amended by Art. 4 Abs. 112 G v. 7.8.2013 I 3154

The notification obligations of Directive 98/34/EC of the European Parliament and of the Council of 22 June 1998 on an information procedure in the field of technical standards and regulations (OJ L 327, 22.7. EC No. 37), as last amended by Directive 98/48/EC of the European Parliament and of the Council of 20 July 1998 (OJ L 136, 31.7.1998, p. EC No. 18), have been observed.

Footnote

(+ + + Text proof: 22.11.2001 + + +) 
(+ + + Official note from the norm-provider on EC law:
Consideration of
ERL 34/98 (CELEX Nr: 398L0034) + + +)

Input formula

On the basis of § 24 of the Signature Act of 16 May 2001 (BGBl. 876), in conjunction with the second section of the Administrative Costing Act of 23 June 1970 (BGBl. I p. 821), the Federal Government is responsible for:

Content Summary

§ 1 Form, content and modification of the display
§ 2 Contents of the security concept
§ 3 Identity Check and Attribute Evidence
§ 4 Guide a certificate directory
§ 5 Individual safety precautions of the certification service provider
§ 6 Design of information
§ 7 Locking qualified certificates
§ 8 Scope of documentation
§ 9 Structuring of the financial security
§ 10 Setting up the activity
§ 11 Voluntary accreditation
§ 12 Fixing and charging of fees and levies
§ 13 Setting and collection of contributions
§ 14 Content and validity of qualified certificates
§ 15 Requirements for products for qualified electronic signatures
§ 16 Procedures for the recognition and the activities of audit and certification bodies
§ 17 Period and procedures for long-term data protection
§ 18 Procedures for the identification of the equivalent security of foreign electronic signatures and products
§ 19 Entry into force, external force
Appendix 1 (to § 11 para. 3 and to § 15 para. 5): requirements for the examination of products for qualified electronic signatures
Appendix 2 (on § 12): Fees

§ 1 Form, content and modification of the display

(1) An advertisement in accordance with § 4 (3) of the Signature Act shall be made in writing or with a qualified electronic signature according to the Signature Act with the competent authority.
(2) The advertisement must include the following information and documents:
1. the name and address of the certifying service provider;
2. the names of the legal representatives,
3. for the certification-service-provider and its legal representatives up-to-date guide certificates pursuant to Section 30 (5) of the Federal Central Register Act or documents of another Member State of the European Union or of another Contracting State of the Agreement on the European Economic Area, which has an equivalent function or which indicates that the requirement in question has been met,
4. a current extract of the trade register or a comparable document or document of another Member State of the European Union or of another Contracting State of the Agreement on the European Economic Area, which has an equivalent function or which indicates that the requirement in question is met;
5. Evidence of the required technical, administrative and legal expertise in accordance with § 4 (2) sentence 3 of the Signature Act,
6. a security concept with a precise presentation as to how this is implemented, including the transfer of tasks to third parties pursuant to § 4 (5) of the Signature Act, and
7. proof of financial security according to § 12 of the Signature Act.
If the circumstances as set out in the first or second sentence of the first sentence of 1 or 2 or the circumstances referred to in the first sentence of sentence 1 change, the competent authority shall be informed without delay, in writing or by means of an electronic document provided with a qualified electronic signature in accordance with the Signature Act. § 2 shall remain unaffected.
(3) As far as parts of the certification service are operated in a state pursuant to § 23 (1) sentence 1 of the Signature Act or under the conditions of § 23 (1) sentence 2 No. 3 of the Signature Act in a third country, in addition to the evidence that the establishment is subject to equivalent supervision. The operation of parts of the certification service in a State other than that referred to in the first sentence of this Article shall be permitted only in the context of a voluntary accreditation, to the extent that the assurance of supervision is demonstrated.

§ 2 Content of the security concept

The security concept in accordance with § 4 paragraph 2 sentence 4 of the Signature Act shall contain the following:
1. a description of all the necessary technical, structural and organisational security measures and their suitability,
2. an overview of the products used for qualified electronic signatures with manufacturer's statements in accordance with § 17 (4) sentence 2 or confirmations pursuant to § 17 (4) sentence 1 or in accordance with § 15 (7) sentence 1 of the Signature Act,
3. an overview of the structure and process of the process as well as the certification activities,
4. the arrangements and measures to be taken to ensure and maintain the operation, in particular in the event of emergencies,
5. the procedures for assessing and ensuring the reliability of the staff employed; and
6. An assessment and evaluation of remaining security risks.

§ 3 Identity Check and Attribute Proofs

(1) The certification-service-provider shall carry out the identification of the applicant in accordance with § 5 (1) of the Signature Act using the following documents or procedures:
1. Identity card,
2. Passport issued to a person with a nationality of a Member State of the European Union or of a State of the European Economic Area,
3. electronic identity card, or
4. Documents or appropriate technical procedures with equivalent security for identification on the basis of the documents referred to in points 1 to 3.
The identification of the applicant can also be carried out by means of the electronic identity card according to § 18 of the German Personnel Reference Act. Insofar as a request for a qualified certificate is made by means of an electronic document of the applicant provided with a qualified electronic signature according to the Signature Act, the certification-service-provider may not be able to identify it again. The identification must be carried out before the handover of the qualified certificate and before setting into the certificate directory according to § 4 para. 1.
(2) Should be included in a qualified certificate according to § 5 (2) of the Signature Act, the consent or confirmation required pursuant to section 5 (2) sentence 2 or sentence 4 or clause 3 sentence 2 of the Signature Act must be given by means of an electronic document provided with a qualified electronic signature according to the Signature Act or in writing. The third person or the body responsible for the professional or other information relating to the person shall be informed in writing of the contents of the qualified certificate and shall be informed of the possibility of blocking.

§ 4 Guided tour of a certificate directory

(1) The certification-service-provider shall keep the qualified certificates issued by him, subject to a later point in time in accordance with § 5 (2) sentence 2, from the date of their issue for the validity period specified in the respective certificate as well as at least five more years from the end of the year in which the validity of the certificate ends, in a list according to the specifications according to § 5 paragraph 1 sentence 3 of the Signature Act.
(2) An accredited certification-service-provider shall keep the qualified certificates issued by him, subject to a later date in accordance with the second sentence of Article 5 (2), from the date of their issue for the period of validity specified in the relevant certificate, and at least 30 more years from the end of the year in which the validity of the
(3) In the case of the acquisition of qualified certificates pursuant to § 13 (1) sentence 2 of the Signature Act, paragraphs 1 and 2 shall apply accordingly.

§ 5 Individual safety precautions of the certification service provider

(1) The certification service provider shall take appropriate measures to ensure that signature keys are generated only on the respective secure signature-creation unit, or are generated by it or by another certification-service-provider using technical components according to § 17 para. 3 no. 1 of the Signature Act and transferred to secure signature-creation units. Insofar as it also provides knowledge data for the identification of the signature key holder in relation to a secure signature-creation unit or technical components for the collection of biometric characteristics and transmission of reference data to the secure signature-creation unit, it shall also make arrangements to ensure the secrecy of the identification data and its storage outside the respective secure signature-creation unit after being placed in the same
(2) The certification-service-provider shall have the signature key holder confirm the possession of the secure signature-creation unit on which the signature key has been created or passed, and in the case of § 5 (1) sentence 2, confirm the possession of the identification data; the confirmation shall be made in writing or in the form of an electronic document provided with a qualified electronic signature in accordance with the Signature Act, unless a different form of confirmation has been agreed. Only after the signature key holder has confirmed the possession of the secure signature-creation unit in accordance with the first sentence, may the associated qualified certificate be verifiable in accordance with § 5 (1) sentences 3 and 4 of the Signature Act and, where agreed,
(3) In order to fulfil the requirements of Article 5 (5) of the Signature Act, the certification-service-provider has to take appropriate measures to ensure the reliability of persons involved in the certification procedure. In particular, he may, for this purpose, submit a certificate pursuant to Section 30 (1) of the Federal Central Register Act or documents of another Member State of the European Union or of another Contracting State of the Agreement on the European Economic Area which has an equivalent function or which indicates that the requirement in question has been met. Unreliable persons shall be excluded from the certification procedure. In addition, the certification-service-provider shall satisfy itself, by means of the manufacturer's information or in any other appropriate way, of the suitability of the products he uses for qualified electronic signatures, and shall make arrangements to protect them from unauthorized access.

§ 6 Design of information

The applicant shall be informed in accordance with Section 6 (1) of the Signature Act in a language which is generally understood by the applicant, and the information shall cover at least the following:
1. the storage and use of the secure signature-creation unit and appropriate measures in the event of a loss or suspicion of abuse;
2. the secrecy of personal identification numbers or other data identifying the signature key holder in relation to the secure signature-creation unit;
3. the necessary security measures for the production and testing of a qualified electronic signature,
4. the possibility of restrictions in qualified certificates according to § 7 (1) No. 7 of the Signature Act,
5. the need to re-sign data with a qualified electronic signature, if the signature loses its security value by time-lapse,
6. the existence of a voluntary accreditation system;
7. the scope of complaint and redress available to the applicant, as well as the details of the use of such procedures, and
8. the procedure of blocking in accordance with § 7.
The information shall also be made available to third parties upon request.

§ 7 Locking of qualified certificates

(1) The certification-service-provider has to announce to the persons entitled to blocking under § 8 of the Signature Act a telephone number under which they can immediately initiate a blocking of the qualified certificates.
(2) The certification-service-provider has to satisfy itself in a suitable way of the identity of the person entitled to blocking before blocking. The blocking of qualified certificates must be clearly identified by stating the date and the legal time valid at this time in the certificate directory according to § 4.

§ 8 Scope of the documentation

(1) The documentation according to § 10 of the Signature Act has to be based on the security concept, including all changes, the documents relating to the expertise of the persons operating in the company and the contractual agreements with the applicants.
(2) At least the following particulars and documents shall be documented by the applicant:
1. a record of the name, date of birth, place of birth and nationality on the basis of the identity document used pursuant to the first sentence of Article 3 (1) or (2). Where an electronic service card is used for identification in accordance with the first sentence of Article 3 (1), the issuing authority shall be recorded instead of the place of birth and nationality;
2. a vetted pseudonym,
3. the proofs of the authorisations of the beneficiaries pursuant to § 5 (2) sentence 2 and 4 and paragraph 3 sentence 2 of the Signature Act,
4. the confirmations of the competent authorities pursuant to Section 5 (2) sentence 2 of the Signature Act,
5. the qualified certificates issued, together with the date of issue and the date of submission, and the date of the setting in the certificate directory,
6. the blocking of qualified certificates,
7. Information pursuant to § 14 (2) sentence 2 of the Signature Act and
8. the confirmation in accordance with § 5 (2) sentence 1.
(3) Subject to sentence 3, the documentation shall be kept at least for the period referred to in § 4 (1) and with accredited certification-service providers at least for the period referred to in section 4 (2). In the case of a court procedure in which proof of certification is of concern, the documentation shall be kept at least until the end of the procedure has been passed without prejudice to the first sentence. The documentation of information according to § 14 para. 2 sentence 2 of the Signature Act shall be kept for twelve months.

§ 9 Structuring of the financial security

(1) The security of cover according to § 12 of the Signature Act can be provided
1. through the insurance of civil liability in respect of a person within the scope of this Act, in another Member State of the European Union or in another Contracting State of the Agreement on the European Economic Area, insurance undertakings or
2. by an exemption or warranty obligation of a credit institution authorised to operate within the scope of this Act, in another Member State of the European Union or in another State Party to the Agreement on the European Economic Area, when it is guaranteed that it provides comparable security to civil liability insurance.
(2) In so far as the financial security is provided by insurance under paragraph 1 (1), the following provisions shall apply:
1. § 113 (2) and (3) and §§ 114 to 124 of the Insurance Contract Act apply to this insurance. The competent authority pursuant to Section 117 (2) of the Insurance Contract Law is the Federal Network Agency for Electricity, Gas, Telecommunications, Post and Railways.
2. The minimum amount of insurance must be 2.5 million euros for the individual insurance case. The insurance case is any liability-triggering event relating to the individual case within the meaning of § 12 sentence 1 of the Signature Act, regardless of the number of damage cases triggered thereby. An agreement according to which an error which affects several certificates, time stamps or the information according to § 5 (1) sentence 2 of the Signature Act is deemed to be an insurance case is not permitted. Where an annual maximum amount is agreed for all damage caused in an insurance year, it shall be at least four times the minimum amount of insurance.
3. The territorial scope of the insurance cover may be within the scope of Directive 1999/93/EC of the European Parliament and of the Council of 13 December 1999 on a Community framework for electronic signatures (OJ L 327, 22.12.1999, p. EC 2000, No L 13 p. 2).
4. The insurance can only be excluded from the insurance for compensation claims arising from intentionally committed breach of duty of the certification service provider or of the persons for which he has to stand.
5. The agreement of a deductible of up to 1 percent of the minimum insurance sum is permitted.

§ 10 Setting up the activity

The certification-service-provider is to inform the competent authority according to § 13 para. 1 sentence 1 of the Signature Act no later than two months before the establishment of the company.

§ 11 Voluntary Accreditation

(1) The application for accreditation pursuant to § 15 para. 1 of the Signature Act shall be submitted in writing or by means of an electronic document provided with a qualified electronic signature according to the Signature Act. The application for voluntary accreditation shall be deemed to be an indication in accordance with § 1, if the conditions mentioned there are fulfilled.
(2) The evidence pursuant to § 15 (1) sentence 2, second sentence 2 sentence 2 and paragraph 7 of the Signature Act shall be based on the submission of the results of the test, in writing or by means of an electronic document provided with a qualified electronic signature in accordance with the Signature Act. The regular examinations in accordance with § 15 para. 2 sentence 2 of the Signature Act are to be carried out at intervals of three years. The audit report and the confirmation that the requirements of the Signature Act and this Regulation will continue to be fully complied with shall be submitted to the competent authority unsolicited. In the case of changes in safety, the tests and confirmations are to be limited to the modified components of the safety concept and their interfaces to the retained components.
(3) In the examination and confirmation of the safety of products for qualified electronic signatures according to § 15 para. 7 sentence 1 of the Signature Act, the requirements of Section I of Appendix 1 to this Regulation must be observed.

§ 12 Setting and charging of fees and charges

(1) The chargeable event for individually attributable public services pursuant to Section 22 of the Signature Act shall be the result of Annex 2 to this Regulation. Expositions are levied in accordance with § 23 Paragraph 6 of the Federal Law on Fees. Fees shall be charged for the revocation or withdrawal or rejection of an application or administrative act in accordance with § 15 of the Administrative Costing Act in the version valid up to 14 August 2013.
(2) For the hourly rates after Point 2 of Annex 2 to this Regulation, a quarter of these hourly rates is to be calculated for each quarter of an hour. Where public services are provided by members of the competent authority outside the authority, charges shall also be charged which are within the normal working time or are particularly reputed by the competent authority, and in the case of waiting periods which the fee debtor has caused.

§ 13 Setting and collection of contributions

(1) The contributions in accordance with Section 22 (2) sentence 1 of the Signature Act shall be calculated according to the necessary personnel and material expenses of the competent authority, including the expense for investments. The contribution rate shall be EUR 0.48 for each qualified certificate issued by the contributor. The share of the costs resulting from the general interest was taken into account in a contribution reduction. The shares in the remaining expenses shall be allocated to the contributors in accordance with the number of qualified certificates issued by them, which are to be carried out in the certificate directory according to § 4 (1). The persons responsible for contributing shall inform the competent authority of the number of allowances in accordance with the second sentence of each year, at the latest by 31 January of the following year. In the event that a person responsible for the contribution does not comply with the obligation laid down in the fifth sentence, the competent authority may make an estimate of the qualified certificates issued by a person responsible for the contribution.
(2) The costs of the investment expenditure shall be:
(3) The provisions of paragraphs 1 and 2 shall apply in respect of the contributions pursuant to section 22 (2) sentence 2 of the Signature Act, with the exception of the fourth sentence of paragraph 1 of this article, accordingly. The shares in the remainder of the expenditure referred to in the first sentence of paragraph 1 shall be allocated to the contributors in accordance with the number of qualified certificates issued by them and to be carried out in the certificate register in accordance with Article 4 (2).
(4) The obligation to contribute in accordance with § 22 (2) sentence 1 of the Signature Act begins with the month of notification in accordance with Section 4 (3) of the Signature Act, the obligation to contribute in accordance with § 22 para. 2 sentence 2 of the Signature Act with the month of accreditation. The obligation to contribute ends with the expiry of the month of the cessation of the activity in accordance with § 13 para. 1 of the Signature Act as well as with voluntary accreditation also with the expiry of the month of the withdrawal or the withdrawal of an accreditation pursuant to § 15 para. 5 of the Signature Act. The contribution is collected annually. The calendar year shall be decisive. If the contribution to the contribution is not the full calendar year, the contribution shall be calculated pro rata; the rates 1 and 2 shall apply accordingly. The contributions shall be contributed in accordance with the provisions of the Administrative Enforcement Act.

§ 14 Content and validity of qualified certificates

(1) The information in accordance with § 7 (1) of the Signature Act in a qualified certificate must be clear.
(2) A qualified attribute certificate in accordance with § 7 para. 2 of the Signature Act must, in addition to a clear reference to the underlying qualified certificate, contain at least the following information and bear a qualified electronic signature of the certification service provider:
1. the designation of the algorithms used to use the signature verification key of the certification service provider;
2. the number of the attribute certificate;
3. the name of the certification service provider and the State in which it is established;
4. information that it is a qualified certificate, and
5. one or more attributes according to § 5 (2) of the Signature Act.
(3) The period of validity of a qualified certificate may not exceed ten years and shall not exceed the period of validity of the algorithms used and the parameters associated with it. The validity of a qualified attribute certificate shall end at the latest with the validity of the qualified certificate to which it refers.

§ 15 Requirements for products for qualified electronic signatures

(1) Secure signature-creation units pursuant to Section 17 (1) sentence 1 of the Signature Act must ensure that the signature key can be applied only after the holder has been identified by possession and knowledge or by possession and one or more biometric characteristics. The signature key must not be disclosed. Where biometric features are used, it must be sufficiently ensured that unauthorised use of the signature key is excluded and that a security equivalent to the knowledge-based procedure is provided. The technical components required for the generation and transmission of signature keys in accordance with § 17 (1) sentence 2 or paragraph 3 no. 1 of the Signature Act must ensure that the signature keys cannot be calculated from a signature verification key or a signature and that the signature keys cannot be duplicated.
(2) Signature application components in accordance with § 17 paragraph 2 of the Signature Act must ensure that
1. in the production of a qualified electronic signature
a) the identification data are not disclosed and these are only stored on the respective secure signature-creation unit,
b) a signature is made only by the authorised signing person,
c) the creation of a signature is clearly indicated in advance, and
2. in the examination of a qualified electronic signature
a) the correctness of the signature is reliably checked and displayed, and
b) it is clear whether the verified qualified certificates were present in the respective certificate directory at the specified time and were not locked.
(3) Technical components according to Article 17 (3) of the Signature Act must ensure that the blocking of a qualified certificate cannot be undone unnoticed and that the information can be checked for its authenticity. The information referred to in the first sentence must include the existence of the qualified certificates verified in the list of qualified certificates at the specified date, and whether they were not blocked. Only verifiably held qualified certificates may not be publicly available. In the case of § 17 para. 3 no. 3 of the Signature Act, it must be ensured that the legal time valid at the time of the generation of the qualified time stamp is taken up in the unadulterated legal period.
(4) Safety-related changes to products for qualified electronic signatures in accordance with paragraphs 1 to 3 must be recognizable to the user.
(5) A manufacturer's declaration in accordance with Section 17 (4) of the Signature Act must be made available to the user.
1. precisely identify the exhibitor and the product, and
2. contain details of the requirements of the Signature Act and of this Regulation in detail.
In the examination and confirmation of the safety of products according to § 17 (1) and (3) (1) of the Signature Act, the requirements of Section II of Appendix 1 to this Regulation must be observed.
(6) Insofar as within the scope of the procedure provided for in Article 3 (5) and Article 9 of Directive 1999/93/EC, as amended, lays down reference numbers for generally accepted standards for products for qualified electronic signatures, and shall be published in the Official Journal of the European Communities, shall apply in derogation from paragraphs 1 to 5, with the exception of the products referred to in § 15 Section 7 of the Signature Act. The competent authority shall publish in the Federal Gazette the currently valid requirements on the basis of the stipulations as set out in the first sentence.

§ 16 Procedure of recognition as well as of the activities of inspection and certification bodies

(1) A request from a test and confirmation body pursuant to section 18 (1) of the Signature Act must include the following:
1. the name and address of the applicant and his legal representatives,
2. for the applicant and his legal representatives, current management certificates pursuant to Section 30 (5) of the Federal Central Register Act or documents of another Member State of the European Union or of another Contracting State of the Agreement on the European Economic Area, which has an equivalent function or which indicates that the requirement in question has been met,
3. a current extract of the trade register or a comparable document or document of another Member State of the European Union or of another Contracting State of the Agreement on the European Economic Area, which has an equivalent function or which indicates that the requirement in question is met;
4. evidence of financial independence, in particular of minimum capital and comparable collateral,
5. Proof of the required technical, administrative and legal expertise in accordance with § 18 (1) sentence 1 of the Signature Act and
6. a declaration of which activities under the Signature Act the application relates to.
(2) In order to be recognised as a confirmation body for activities pursuant to § 15 (7) and § 17 (4) sentence 1 of the Signature Act, the applicant must prove that he has sufficient experience in the application of the test criteria according to Appendix 1 of this Regulation. It must also indicate how it will ensure proper supervision of the audit activity.
(3) The work as a confirmation body or verification point pursuant to Section 18 (1) of the Signature Act and the Commission's decision 2000/709/EC of 6 November 2000 (OJ L 136, 31.4.2000, p. EC No 42) on the minimum criteria laid down in Article 3 (4) of Directive 1999/93/EC
1. the reliability of who is appropriate for the proper performance of the tasks assigned to him by reason of his or her personal characteristics, behaviour and abilities,
2. shall be independent of any person who is not subject to any economic, financial or other pressure which may affect his or her judgment or which may call into question the confidence in the impartiality of the task of the person,
3. The subject of his/her training, vocational training and practical experience is the person who is suitable for the proper performance of the tasks assigned to him.
(4) The operator of a confirmation body or inspection and confirmation body according to § 18 of the Signature Act has to satisfy itself in a suitable manner of the reliability and expertise of persons who participate in the examination or confirmation.
(5) The competent authority shall publish in the Federal Gazette the details of the requirements laid down in paragraphs 1 to 4, and the minimum criteria laid down in Article 3 (4) of Directive 1999/93/EC.

§ 17 Period and procedures for long-term data protection

Data with a qualified electronic signature shall be re-signed in accordance with Section 6 (1) sentence 2 of the Signature Act if it is required in signed form for a longer period of time than the algorithms used for its generation and testing and related parameters are considered suitable. In this case, the data must be provided with a new qualified electronic signature before the time of the expiry of the suitability of the algorithms or the associated parameters. This must be done with appropriate new algorithms or related parameters, include earlier signatures and a qualified time stamp. Instead of a new qualified electronic signature according to sentence 2, a qualified time stamp shall be applied when the time stamp itself carries a qualified electronic signature.

§ 18 Procedure for the determination of the equivalent security of foreign electronic signatures and products

(1) A certification-service-provider which, in accordance with Section 23 (1), second sentence, No. 2 of the Signature Act, vouches for qualified certificates with legal effect pursuant to Article 5 (1) of Directive 1999/93/EC from a state outside the European Economic Area (third country) shall notify the competent authority of this, at the latest at the time when these certificates are to become effective in the scope of the Signature Act, in writing or by means of an electronic document bearing a qualified electronic signature according to the Signature Act. He has to ensure that the qualified certificates of the foreign certification service provider and the qualified electronic signatures based on them meet the requirements of the Signature Act and this Regulation, and to submit the documents to the foreign certification service provider in accordance with § 1 (2). § 2 shall apply mutatis mutandis to the information on the foreign certification service provider. The competent authority shall keep the name of the foreign certification service provider available, indicating the certification service provider who vouches for its qualified certificates, in accordance with section 19 (6) of the Signature Act.
(2) The equivalent security of foreign electronic signatures in accordance with Section 23 (2) of the Signature Act shall be given if the competent authority has established that:
1. the safety requirements for certification-service-providers and products for qualified electronic signatures,
2. the audit procedures for certification-service-providers and products for qualified electronic signatures, as well as the requirements for testing and certification bodies; and
3. the accreditation and supervisory system
provide an equivalent level of security. In order to establish equivalent security, the competent authority may, together with the competent foreign body, agree on the procedures for recognition, unless appropriate national or intergovernmental agreements have been concluded.
(3) The equivalence of products pursuant to Section 23 (3), second sentence, of the Signature Act shall be given if the competent authority has established this after the appropriate application of the requirements referred to in paragraph 2.
(4) The competent authority shall also include in its list according to § 16 (2) of the Signature Act the qualified certificates for signature verification keys of the top foreign certification service providers which are recognized as equivalent in accordance with § 23 (2) of the Signature Act. It has to confirm the recognition by a qualified electronic signature with provider accreditation in accordance with § 15 of the Signature Act.

§ 19 Entry into force, expiry

This Regulation shall enter into force on the day after the date of delivery; ...

Appendix 1 (to § 11 para. 3, § 15 para. 5 and § 16 para. 2)
Guidelines for the testing of products for qualified electronic signatures

Source of the original text: BGBl. I 2001, 3081-3082
I. § 11 (3) of this Regulation and Section 15 (7) of the Signature Act (Voluntary Accreditation)
1. Audit Preferences
1.1 Requirements for testing depth
The testing of products for qualified electronic signatures in accordance with section 15 (7) and section 17 (4) of the Signature Act shall be carried out according to the "Common Criteria for the examination and evaluation of the security of information technology" (Common Criteria for Information Technology Security Evaluation, BAnz. 1999 p. 1945, ISO/IEC 15408) or according to the "Criteria for the Evaluation of the Security of Information Technology Systems" (ITSEC, GMBl of 8 August 1992, p. 545), in the current version. The examination must
a) in the case of technical components in accordance with § 2 No. 12 (a) of the Signature Act, comprise at least the test depth EAL 4 or E 3,
b) in the case of secure signature-creation units according to § 2 No. 10 of the Signature Act, comprise at least the test depth EAL 4 or E 3,
c) i) in the case of technical components for certification services according to § 2 No. 12 (b) and (c) of the Signature Act which are used outside a particularly secure area ("Trustcenter"), comprise at least the test depth EAL 4 or E 3,
ii) in the case of technical components for certification services according to § 2 No. 12 (b) and (c) of the Signature Act which are used within a particularly secure area, comprise at least the test depth EAL 3 or E 2,
d) in the case of signature application components according to § 2 No. 11 of the Signature Act, comprise at least the test depth EAL 3 or E 2.
1.2 Requirements for vulnerability assessment/mechanism strength
"EAL 4" and "EAL 3" in accordance with Section I, point 1.1 (a) to (c) (i) and (d) shall be complementary to the measures imposed at this stage in respect of a high level of
The strength of the safety mechanisms must be rated "high" for all products listed in Section I, point 1.1 (a) to (d) in the case of "E 3" and "E 2". Notwithstanding this, an evaluation of the security mechanisms as "medium" shall be sufficient for the mechanism for identification by biometric characteristics if it is used in addition to identification through knowledge data.
1.3 Requirements for algorithms
The algorithms and their associated parameters must be considered suitable in accordance with Section I No. 1.2 of this Appendix.
2. Algorithms: publication and re-determination of suitability
The competent authority publishes in the Federal Gazette an overview of the algorithms and associated parameters that are considered suitable for generating signature keys, for hashing the data to be signed, or for the production and testing of qualified electronic signatures, together with the date until which the suitability applies. The date shall be at least six years after the date of evaluation and publication. The suitability is to be determined annually and whenever necessary. The suitability shall be given if, within the specified period of time and according to the state of science and technology, a non-detectable forgery of qualified electronic signatures or falsification of signed data can be excluded with certainty. According to the Federal Office for Information Security, the suitability is determined in the light of international standards. Experts from industry and academia are to be involved.
3. Security confirmations for signature products
The confirmation of compliance with the requirements for products for qualified electronic signatures shall state
a) which requirements laid down in Section 17 of the Signature Act and § 15 of this Regulation are subject to confirmation, and under what conditions of use,
b) which algorithms and related parameters are used in accordance with Section I, point 2, and until what date they are at least suitable; and
c) according to which test level the products were tested and which mechanism strength was achieved.
A copy of the test report, the assessment by the confirmation body and the confirmation shall be filed with the competent authority. On request, it must also be provided with all other test documents. It may, in the case of any indication of defects in the tests or in confirmed products, obtain expert opinions from an independent third party on whether the products have been tested in accordance with this Annex and whether they satisfy the requirements of the Signature Act and the Signature Ordinance. Manufacturers, distributors and verifiers concerned shall provide the necessary assistance. If this is not granted, or if it is found that confirmed products have not been sufficiently tested or do not meet requirements, the competent authority may declare confirmations invalid.
4. Publication of the safety confirmation for products
The competent authority shall publish in the Federal Gazette the products for qualified electronic signatures which have received a confirmation in accordance with Section I No. 3 from a body recognised in accordance with Section 18 of the Signature Act. It shall specify the date until which the confirmation is at least valid. If a confirmation is declared invalid, the competent authority shall also publish this in the Federal Gazette (Bundesanzeiger), indicating the point in time from which this measure applies.
II. § 15 (5) of this Regulation and pursuant to Section 17 (1) and (3) (1) of the Signature Act (certification service providers which are indicated in accordance with § 4 (3) of the Signature Act, without voluntary accreditation)
For the examination of products pursuant to § 15 (5) the requirements referred to in Section I may be appropriate.
- products which comply with the standards laid down in § 15 (6),
- products according to § 17 para. 2 and 3 Nos. 2 and 3 of the Signature Act (or referred to in Section I (1.1) (c) and (d)), where a manufacturer's declaration pursuant to section 17 (4) of the Signature Act is issued instead of the confirmation.

Appendix 2 (to § 12)
Fees

(Source of the original text: BGBl. I 2001, 3083-3084)

Fees for individually attributable public services pursuant to section 22 (1) of the Signature Act

1.1 Fees pursuant to § 22 (1) No. 1 of the Signature Act
Serial number Individually attributable public service Euro
1 Examination and granting of an accreditation pursuant to § 15 (1) of the Signature Act Fee by time
2 Rejection of an application for accreditation pursuant to § 15 para. 4 of the Signature Act or withdrawal or revocation of an accreditation pursuant to § 15 para. 5 of the Signature Act Fee by time
3 Complete or partial rejection of an appeal in the context of the procedure pursuant to § 15 (1) to (6) of the Signature Act 2 500
4 Verification of audit reports and confirmations pursuant to section 15 (2) of the Signature Act 3 500
5 Measures in the event of withdrawal or withdrawal of an accreditation or in case of termination of the activity of an accredited certification service provider according to § 15 para. 6 of the Signature Act Fee by time
6 Examinations and other measures according to § 19 of the Signature Act Fee by time
1.2 Charges pursuant to Section 22 (1) No. 2 of the Signature Act
Serial number Individually attributable public service Euro
7 Issuance of a qualified certificate as well as its blocking according to § 16 para. 1 of the Signature Act 500
8 Issue of a certificate according to § 16 (3) of the Signature Act 500
1.3 Fees pursuant to § 22 (1) No. 3 of the Signature Act
Serial number Individually attributable public service Euro
Granting of recognition as a confirmation body or examination and confirmation body in accordance with section 18 (1) of the Signature Act for activities under
9 a) Section 15 (2) of the Signature Act 2 500
10 b) Section 15 (7) of the Signature Act 2 500
11 c) Section 17 (3) of the Signature Act 1 000
Rejection of an application for recognition or withdrawal or revocation of recognition for activities under
12 a) Section 15 (2) of the Signature Act 2 500
13 b) Section 15 (7) of the Signature Act 2 500
14 c) Section 17 (4) of the Signature Act 1 000
15 Complete or partial rejection of an appeal in the context of the procedure pursuant to section 18 (1) of the Signature Act 1 000
1.4 Fees according to § 22 (1) No. 4 of the Signature Act
Serial number Individually attributable public service Euro
16 Processing of a notification according to § 4 (2) and (3) of the Signature Act and first-time verification of compliance with the Signature Act and this Regulation in accordance with § 19 of the Signature Act Fee by time
17 Random checks in the context of the supervision pursuant to section 19 (1) of the Signature Act in the event of a breach of the provisions of the Signature Act or of this Regulation relevant to the operation of a certification service Fee by time
18 Examinations and other measures pursuant to Section 19 (1) of the Signature Act in the event of an infringement of the provisions of the Signature Act or of this Regulation relevant to the operation of a certification service Fee by time
1.5 Fees according to § 23 (1) of the Signature Act
Serial number Individually attributable public service Euro
19 Processing of a notification in accordance with § 18 (1) sentence 1 of this Regulation, including inclusion in the certificate list in accordance with section 18 (1) sentence 4 of this Regulation Fee by time
2. Hourly rates and per-kilometre flat rate for vehicle use
Serial number Official handling Euro
20 Officials of the higher service or comparable employees 125
21 Senior service officials or comparable employees 95
22 Middle-service officials or comparable employees 69
23 Use of vehicles 0,70 Euro/km