Operating Your Own HSM for Qualified Electronic Seals | CEN/TS 419221-6

Invoices, contracts, or large-scale transaction batches – organizations dealing with high volumes of documents face a common challenge: proving the authenticity and integrity of their data in a legally secure way. A Qualified Electronic Seal (QSeal) is the digital successor to the corporate seal: it confirms that a document originates from a specific legal entity and that it has not been altered.

With the technical specification CEN/TS 419221-6, organizations are now provided with a clear legal and technical framework that enables them to operate their own Qualified Seal Creation Device (QSCD), also known as a Hardware Security Module (HSM) and their own QSealCertificate – fully autonomous and independent from a Qualified Trust Service Provider (QTSP).

What does CEN/TS 419221-6 regulate?

The specification builds on EN 419221-5, which defines requirements for cryptographic modules used for qualified signatures and seals. While EN 419221-5 was primarily written with Trust Service Providers in mind, CEN/TS 419221-6 explicitly addresses organizations that wish to operate their own sealing infrastructure.

In practice, the standard defines the conditions under which an EN 419221-5 certified device can be used as a QSealCD:

• The HSM/QSCD must be certified according to Common Criteria (CC) Protection Profile EN 419221-5.
• Documented security practices must govern operation.
• The device must be operated in its evaluated configuration, as described in the official operational guidance.
• The QSCD must be administered by trained personnel in a protected operating environment.

Benefits for organizations with high document volumes

For enterprises and institutions that need to secure large numbers of documents or transactions, operating their own QSCD offers major advantages:

• Full data sovereignty: Keys, certificates, and processes remain entirely under the organization’s control.
• On-premise security: By combining HSM, QSCD, and a dedicated QSealCertificate, documents can be sealed locally – without relying on external service providers.
• Legal certainty: Seals generated in this way fully comply with eIDAS requirements and are legally recognized throughout the EU as qualified electronic seals.
• Efficiency in mass sealing: Large volumes of documents can be sealed automatically, in a standard-compliant and high-throughput process.
• Independence and future-proofing: Investments are based on well-established European standards (EN 419221-5, CEN/TS 419221-6).

SIGNIUS as your partner

SIGNIUS delivers all the components required for a qualified sealing infrastructure – as a complete package or modular, depending on your needs:

• HSM/QSCD certified under EN 419221-5 Common Criteria Protection Profile,
• QSealCertificate issued by a Qualified Trust Service Provider,
• SIGNIUS Sealing Software (Sealing Server) with REST API or network drive interface.

This allows organizations to implement a complete on-premise solution – or integrate individual building blocks into their existing infrastructure.

Management Takeaways

1. Strategic control: With CEN/TS 419221-6, organizations can operate their own QSCD with their own QSealCertificate – without being a QTSP.
2. CC-certified security: Only an HSM/QSCD certified against EN 419221-5 Common Criteria Protection Profile fulfills the requirements.
3. On-prem operation strengthens sovereignty: Documents and keys never leave the organization’s datacenter.
4. eIDAS compliance: Seals are qualified, legally binding, and recognized across the EU.
5. Flexible delivery: SIGNIUS provides full solutions or individual components – tailored to organizational needs.
6. Scalability: Particularly valuable for organizations with high document volumes, enabling efficient and secure mass sealing.

Conclusion

With CEN/TS 419221-6, organizations gain the ability to manage their own sealing infrastructure. Operating a QSCD on-premise with a Common Criteria certified HSM, a QSealCertificate, and robust sealing software ensures data sovereignty, compliance, and trust – making this approach especially attractive for enterprises, institutions, and public bodies with high-volume document workflows.

The qualified electronic seal thus becomes a strategic tool for building trust in digital processes – efficient, scalable, and future-proof.

Contact us to get more infomration.