EU Member States Trusted Lists Scheme Type Community Rules: specific statement for Denmark

Trust service providers can be listed on the Danish trusted list either by proving that they operate according to the eIDAS regulation or by entering into an agreement with the Agency for Digitisation to operate under the legal framework of the OCES concept.

Only trust service providers operating according to the eIDAS regulation can achieve status as qualified trust service providers.

Conformity assessment under the eIDAS regulation

Conformity assessment reports delivered by an accredited conformity assessment body, confirming that the trust service provider operates according to the eIDAS regulation, are to be sent to the Danish supervisory body. Further clarification on the process of becoming a qualified trust service can be found in the eIDAS regulation.

Information on ETSI standards and audit bodies that audit conformance of implementations of these standards can be found here: https://portal.etsi.org/TBSiteMap/ESI/TrustServiceProviders.aspx

The Danish supervisory body encourages trust service providers to contact the supervisory body at an early stage if they wish to become qualified trust service providers.

The Danish supervisory body can be contacted by e-mail: tilsyn_eidas@digst.dk.

Accreditation according to the OCES framework

The legal framework of the OCES concept consists of an agreement between the CSP and the Agency for Digitisation. The four OCES CPs (Certificate Policy for OCES Personal Certificates, Certificate Policy for OCES Employee Certificates, Certificate Policy for OCES Company Certificates and Certificate Policy for OCES Functional Certificates) are part of this agreement.

In order to issue OCES certificates, a CSP must enter into an agreement with the Agency for Digitisation. In this agreement, the CSP undertakes to comply with the terms of the certificate policies drawn up by the Agency.

For audit purposes, the CSP undertakes to submit an annual report to the Agency for Digitisation. The report entails an external system audit of the CSP. The terms governing the annual report have been drawn up on the same principles as those set out in the Act on Electronic Signatures.

The external system audit includes auditing of:

  • general IT controls in the company;
  • IT-based user systems etc. for generating keys and key components and for registration, issuing, verification, storage and revocation of certificates; and
  • IT systems for exchanging data with other parties.

The CSP must appoint an external state-authorised auditor to perform the system audit of the CSP. In special cases, the Agency for Digitisation may grant an exemption from the requirement that the system auditor must be a state-authorised auditor.

Please refer to the OCES CPs for further information: