Artifact GuideEU eIDAS

eIDAS remote signature and cloud HSM controls

A grounded control guide for remote signature services that use QTSP-managed signing infrastructure, including remote QSCD scope, signer authentication, certificate linking, signature activation, validation, and evidence.

Use it to separate eIDAS remote QSCD requirements from ordinary cloud HSM hosting claims, and to define the records a provider, relying party, or auditor should ask for.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Remote signature work under eIDAS is not a generic cloud HSM checklist. The core question is whether a qualified trust service provider is managing a remote qualified electronic signature creation device on behalf of the signatory, and whether the service can prove signer control, certificate linkage, device qualification, validation status, and operational evidence.

Section 1

Scope: remote QSCD management versus ordinary cloud key hosting

Under the consolidated eIDAS text, a remote qualified electronic signature creation device is a QSCD managed by a qualified trust service provider on behalf of a signatory. Article 29 and Article 29a focus on generating, managing, and where permitted duplicating electronic signature creation data for a remote qualified signature creation device.

That means the control record should start with service classification. If the service only hosts keys in a cloud HSM for internal signing, it may still need strong cryptographic controls, but the page should not label it a qualified remote signature service unless the QTSP, remote QSCD, signatory request, certificate, and qualified-service facts are present.

  • Identify whether the service is a qualified trust service for management of a remote qualified electronic signature creation device.
  • Record the QTSP that manages the device and the subscriber or signatory population covered by the service.
  • Keep the certification status of the specific remote QSCD separate from general HSM vendor attestations.
  • Document any backup or continuity design only against the eIDAS rule for duplicated signature creation data, not as a broad permission to copy keys.
  • For seals, treat the analysis separately because eIDAS applies the remote QSCD signature rules to remote qualified electronic seal creation devices by cross-reference.
Sources for this answer
Regulation (EU) No 910/2014, consolidated eIDAS text
Supports the distinction between remote qualified electronic signature creation devices, QTSP management, signatory request, backup limits, certification, and validation requirements.
ETSI TS 119 431-1 remote QSCD / SCDev policy requirements
Grounds the remote signing service components used for scoping: signing key generation, eID or identity linking, certificate linking, signature activation, key deletion, and optional eID means provision.
Section 2

Server-side signing controls to define before launch

For a server-side remote signature service, ETSI TS 119 431-1 breaks the service into component responsibilities rather than treating the HSM as the whole control. The useful implementation record should show how signing keys are generated, how the signer identity or eID means is linked, how the certificate is linked, how signature activation data is verified, and how keys are deleted or recovered when applicable.

ETSI TS 119 431-2 covers the service component that creates AdES digital signatures. It is relevant when the remote signing service receives documents or hashes, prepares the data to be signed, obtains the digital signature value from the signature creation device, and builds the final signature.

  • Define the signing key generation path, proof of possession handoff, and certificate issuance dependency.
  • Map eID means or identity linking to the associated signing key and the subject in the signing certificate.
  • Specify how signature activation data is collected, protected, sent to the right destination, and protected after activation.
  • Keep signature creation policy identifiers, supported algorithms, and critical parameters in the practice statement or equivalent service documentation.
  • Log signature creation operations with the known subscriber or signer identifier, without exposing sensitive signing material.
Sources for this answer
ETSI TS 119 431-1 remote QSCD / SCDev policy requirements
Supports the SSAS component model, signature activation controls, eID or identity linking, certificate linking, practice statement content, and audit logging expectations.
ETSI TS 119 431-2 AdES signature creation service components
Supports controls for the signature creation application service component that prepares data to be signed, applies signature creation policies, and creates AdES signatures.
Section 3

Authentication, signer control, and delegated-party evidence

The remote signing control is strongest when the evidence links a particular signer, signing key, certificate, signature session, and explicit authorization to sign. ETSI TS 119 431-1 treats eID means or identity linking as a dedicated component and requires integrity protection for the link between the signer key and the eID means reference or identity.

If authentication is delegated outside the qualified trust service, the record should show the delegation boundary and the assurance basis. The standard recognizes delegated authentication and points to notified eID schemes or the EUDI Wallet at the needed level of assurance as a way to support the required assurance, but the QTSP still needs to show how the external party fits the remote-signing requirements.

  • Capture the signer identity source, eID means reference or one-time identity link, and the matching certificate subject data.
  • Require explicit signer action for authorizing the specific documents or data referenced by the signature activation data.
  • Document whether authentication is performed by the QTSP service or delegated to an external party.
  • When delegated authentication is used, retain the agreement, assurance basis, signed assertion or equivalent proof, and the link to the signature session.
  • Avoid using a generic multifactor authentication screenshot as proof unless it also ties the signer to the signing key, certificate, session, and signature activation data.
Sources for this answer
ETSI TS 119 431-1 remote QSCD / SCDev policy requirements
Supports signer eID or identity linking, delegated authentication handling, explicit authorization, signature activation data, and integrity protection of signer-key links.
Regulation (EU) No 910/2014, consolidated eIDAS text
Supports the eIDAS requirement that remote signature creation data is generated or managed on behalf of the signatory and at the signatory's request.
Section 4

Certificate, trusted-list, and validation checks

A remote signature control record is incomplete if it stops at successful signing. eIDAS validation of a qualified electronic signature requires confirming the qualified certificate at signing time, the issuing qualified trust service provider, the signatory data, the QSCD, data integrity, and the advanced-signature requirements.

Operational validation should therefore keep the trusted-list evidence used to establish qualified status, the certificate chain and status evidence, the validation policy, and the signature qualification result. The European Commission eSignature building block and eIDAS Dashboard context are useful because they point implementers to DSS, the Trusted List Browser, notification tooling, and validation tests.

  • Validate that the signing certificate was qualified and valid at the relevant signing time.
  • Verify that the qualified certificate was issued by a QTSP with a granted status for the relevant service.
  • Check revocation and certificate status evidence rather than relying only on the certificate embedded in the document.
  • Record the trusted list or list of trusted lists used to establish QTSP and certificate qualification status.
  • Retain the validation report, signature policy result, timestamp or best-signature-time evidence when used, and any exception decision.
Sources for this answer
Regulation (EU) No 910/2014, consolidated eIDAS text
Supports qualified electronic signature validation criteria, including qualified certificate status, QTSP issuance, signatory data, QSCD use, and signed-data integrity.
ETSI TS 119 612 Trusted Lists
Supports trusted-list structure and service information used to determine trust-service status for validation workflows.
European Commission eSignature building block
Supports the practical validation tooling context: DSS, eIDAS Dashboard, Trusted List Browser, notification tooling, and validation tests.
Section 5

Evidence pack for QTSP and relying-party review

The evidence pack should be organized around the claim being made: qualified remote signature, advanced remote signature, remote seal, or non-qualified server-side signing. Each claim needs different evidence, and a cloud HSM attestation alone does not prove qualified signature status.

For QTSP-operated services, ETSI EN 319 401 supports baseline trust-service evidence such as terms and conditions, trustworthy systems, stored data authenticity controls, relevant records for legal proceedings and continuity, change communication, incident handling, and service termination planning.

Does eIDAS require every remote signing service to use a qualified cloud HSM?

No. eIDAS focuses on qualified electronic signature creation devices and, for remote qualified signatures, QTSP management of the remote qualified signature creation device. A cloud HSM may be part of an implementation, but the eIDAS evidence must prove QTSP service status, remote QSCD qualification, signer control, certificate linkage, and validation results.

What is the first check before calling a server-side signature qualified under eIDAS?

Check whether the signing certificate was a qualified certificate issued by a QTSP, whether the private key was held in a QSCD, and whether the remote device management service is a qualified service when Article 29a applies. Then retain the trusted-list and validation evidence for the signing time.

What should a relying party ask a remote signature provider for?

Ask for the qualified service identity, trusted-list status, practice statement or terms, remote QSCD certification evidence, signer authentication and activation controls, certificate status handling, validation report format, incident process, and record retention approach.

  • Service classification: qualified trust service status, QTSP identity, service name, country, supervisory context, and trusted-list status.
  • Device and key evidence: remote QSCD certification reference, practice statement, supported algorithms, key generation controls, backup rationale, and key deletion process.
  • Signer-control evidence: identity proofing or eID means link, certificate subject match, delegated authentication record, signature activation data handling, and explicit authorization to sign.
  • Signature evidence: AdES format, signature creation policy, signed data or hash handling, validation report, certificate status, trusted-list result, and timestamp or preservation evidence when used.
  • Operations evidence: audit logs, incident records, change history, subscriber and relying-party terms, termination plan, and retained records needed to explain a signature after service changes.
Sources for this answer
ETSI EN 319 401 general policy requirements for trust service providers
Supports baseline QTSP governance and evidence expectations, including terms, trustworthy systems, records, change handling, incidents, and termination planning.
ETSI TS 119 431-1 remote QSCD / SCDev policy requirements
Supports the evidence categories specific to remote QSCD or SCDev operation, including practice statements, service components, signature activation, and audit logging.
EU eIDAS remote signature next step

Review remote signing controls against eIDAS and ETSI evidence

Sorena can help turn this remote signature control guide into service classification questions, QTSP evidence requests, validation checks, and implementation records for eIDAS work.

Research workflow
Open Research Copilot for eIDAS remote signatures

Ask grounded questions about remote QSCD scope, QTSP evidence, signer authentication, trusted lists, and validation using the cited sources on this page.

Explore next step
Talk to Sorena
Talk through remote signature controls

Review your remote signing workflow, cloud HSM assumptions, validation evidence, and QTSP source gaps with Sorena.

Explore next step
Primary sources

References and citations

ETSI TS 119 612 Trusted Lists
etsi.org
Referenced sections
  • Supports trusted-list structure and service information used to determine trust-service status for validation workflows.
"Trusted Lists"
European Commission eSignature building block
ec.europa.eu
Referenced sections
  • Supports the practical validation tooling context: DSS, eIDAS Dashboard, Trusted List Browser, notification tooling, and validation tests.
"Trusted List Browser"
Regulation (EU) No 910/2014, consolidated eIDAS text
eur-lex.europa.eu
Referenced sections
  • Supports qualified electronic signature validation criteria, including qualified certificate status, QTSP issuance, signatory data, QSCD use, and signed-data integrity.
"Requirements for the validation"
Related guides

Explore more topics

eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services
Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes
Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks
Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties
Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties
Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
eIDAS electronic signatures: SES, AES, QES legal effect and evidence
A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
eIDAS penalties and fines for trust service providers
Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
eIDAS QES validation checks for relying parties
How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
eIDAS Qualified Trust Services: QTSP Selection
How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
eIDAS signature legal effect selector: SES, AES, AES-QC, or QES
Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer
Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
eIDAS trusted list validation: LOTL, QTSP status, and evidence
How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws
Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements
Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.
eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations
Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations
Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation
Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates
A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks
What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
EU eIDAS checklist for signatures, trust services, and wallets
Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation
FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
EU eIDAS QTSP authorization and supervision guide
How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence
Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence
Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence
How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
EUDI Wallet readiness for service providers under eIDAS
Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
EUDI Wallet Relying Parties under eIDAS
What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
EUDI Wallet Relying Party Onboarding Workflow under eIDAS
A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
EUDI Wallet Relying Party Registration Under eIDAS
What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
EUDI Wallet Technical Architecture Guide under eIDAS
Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence
Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
QWACs under eIDAS: website authentication certificates
A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs
A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
What is a qualified trust service provider under eIDAS?
How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
What is a QWAC under the EU eIDAS Regulation?
Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.