A Conformity Assessment Body (CAB) is the legal entity that performs a conformity assessment of the TSP against eIDAS regulations and relevant standards and submits a conformity assessment report to the Supervisory Body (SB).
The SB reserves the right to perform an additional audit or conformity assessment at any time to confirm that requirements are fulfilled. European Accreditation (EA) defines common rules for all national accreditation bodies to implement. The common rules are based on ETSI and ISO standards.
eIDAS-certified CABs perform two audits to verify compliance against the eIDAS regulation:
1) Pre-assessment: This includes documentation assessment (i.e. technical, functional, and organizational security measures) and their appropriateness for fulfillment of eIDAS requirements. This also includes identification of applicants (qualified, experienced and reliable staff, sufficient financial resources, liability insurance, communication with supervisory body).
2) On-site audit: This includes verification of the implementation of security measures, processes, network, and systems. The technical testing includes penetration testing.
A Conformity Assessment report detailing the findings of the audit is then submitted to the Supervisory Body, which ultimately decides if the TSP is entitled to receive the qualified level of certification and be referenced in the EU Trust List.