Digital signatures with Smart-ID

On the 8th of November 2018, the Smart-ID system was upgraded to QSCD level (Qualified Signature Creation Device). This means that signatures given with Smart-ID gained the same legal standing as signatures given by hand (QES level) throughout the European Union.

More specifically: signatures given with new Qualified Smart-ID accounts registered on or after the 8th of November 2018 which have the QCP-n-qscd policy present in the end-user certificates have the same legal standing as signatures given by hand.

eIDAS differentiates four levels of e-signatures:

Levels of electronic signatures

Other electronic signatures – all other electronic signatures that do not meet valid standards.

AdES (Advanced Electronic Signature). The signature meets the technological requirements, but the background of the certificate holder or of the issuer of the certificate may be unknown.

Smart-ID Basic

AdES/QC (Advanced Electronic Signature with a Qualified Certificate). The backgrounds of both the owner of the signature and the issuer of the certificate have been checked.

QES (Qualified Electronic Signature). The highest level of e-signatures, equal to handwritten signatures. The backgrounds of both the owner of the signature and the issuer of the certificate have been checked, and the signature has been given by approved means (qualified signature creation device).


Preconditions and certification for QSCD

There are multiple preconditions set by eIDAS that need to be fulfilled by the operator for a trust system to gain QSCD level recognition. Additionally, the system itself as a product must be recognized as a remote QSCD system according to eIDAS.

SK ID Solutions (SK), as the operator of the Smart-ID system, was certified to be compliant with the eIDAS regulation’s requirements for the operators of remote QSCD systems as of 31st of October 2018.

The certification was conducted by the eIDAS-designated certification body TÜV Informationstechnik GmbH (TÜViT). When accessing the respective certification report, note that the Smart-ID system is operated under SK’s EID-SK trust service.

Recognition for Smart-ID as a product

Additionally, in the scope of the EID-SK certification of 31st of October 2018, Smart-ID as a product was also recognized and allowed to be operated as a QSCD. The recognition of Smart-ID as a QSCD system was based on eIDAS requirements and the evaluation according to the “Common Criteria for Information Technology Security Evaluation”, Version 3.1 Revision 5. The evaluation was also conducted by TÜViT.

Note that at the time of the EID-SK trust service’s certification, the recognition of the Smart-ID product as a remote QSCD was possible because the Common Criteria evaluation had by then been finalized to the extent that gave certifiers the assurance that the product is compliant with the eIDAS requirements laid down for remote QSCD systems. The final versions of the evaluation reports were still under preparation, however.

Although there was a legal basis for upgrading Smart-ID to QSCD level already on the 31st of October 2018, the actual upgrade at the technical level was conducted on the 8th of November 2018.

QSCD evaluation reports and certificates

The final evaluation reports of the Smart-ID system (more specifically, of the specific system components constituting the QSCD) were issued by TÜViT on the 14th of December 2018 and the 16th of May 2019. The certificates can be found here:

Smart-ID has also been included in the “Compilation of Member States notification on SSCDs and QSCDs” list, managed by the European Commission.