A new protection profile has been introduced, giving manufacturers a standard by which to certify Hardware Security Modules (HSMs). The new protection profile, which is expected to be accepted under eIDAS (EU regulation 910/2014), provides a common EU standard for HSMs. Thales e-Security HSMs that are certified to this standard will meet EU governmental requirements for HSM procurement across the whole of the EU, where in many cases the American FIPS 140 standard has not been acceptable.
ANSSI, the French national agency for information systems and one of the bodies recognised under the Common Criteria scheme for certifying security products and standards, has certified the EN 419 221-5 Protection Profile for HSMs. Thales e-Security, working with a committee of other HSM manufacturers, users, security agencies, and specialists under the CEN working group WG17, are editors for this protection profile and are instrumental in its delivery.
The adoption of EN 419 221-5 is a step forward for customers, the market, and HSM manufacturers. It will enable HSM manufacturers to certify their products as compliant with the European eIDAS Regulation (Reg.910/2014/EU) and will simplify the audit requirements of Trusted Service Providers who use certified HSMs as a part of their secure services. Certification to EN 419 221-5 will also provide opportunities outside of the eIDAS regulation, for instance in smart metering systems or where Common Criteria certification is required.
To serve the growing global digital economy with highly secure solutions, Thales e-Security is committed to certifying nShield HSMs to this new standard.
Today, Thales nShield Solo+ and Connect+ HSMs are Common Criteria certified and classified as Qualified Signature Creation Devices (QSCDs) under the current eIDAS Regulation. Our certified nShield HSMs can be used to generate and protect the encryption and signing keys for a variety of Trust Services such as the following:
Certified nShield HSMs serve, and will continue to serve, as the root of trust for eIDAS compliant solutions, both today, and as new standards evolve.
Details of the new certification standard can be found here.