Secure Signature Creation Device (SSCD) in Procurement Law 2026
Secure Signature Creation Device (SSCD): hardware component for creating qualified electronic signatures – definition, requirements and use.
Definition: A secure signature creation device (SSCD) is a specially secured hardware or software module that generates and stores cryptographic keys for the creation of qualified electronic signatures, ensures that the private key cannot be read or used without authorisation, and thus forms the basis for legally secure electronic signatures in procurement law and beyond.
Last updated: January 2026 · Legal basis: eIDAS Regulation (EU) No 910/2014 Annex II, Austrian Signature Act (SigG), SigV
Technical background
The secure signature creation device (referred to in EU law as a "qualified electronic signature creation device" or QSCD) is the technical heart of every qualified electronic signature. It ensures that the private cryptographic key used for signature creation never leaves the device and cannot be read out. Even if an SSCD is physically stolen, the key remains protected by the PIN and by the device's tamper evidence and tamper resistance.
Typical SSCD forms:
- Smartcard: the classic form; the key is stored on a chip inserted into a card reader.
- USB token: compact USB sticks with embedded security chip.
- Hardware Security Module (HSM): networked hardware for server environments and bulk processing.
Requirements under eIDAS
Annex II of the eIDAS Regulation sets the minimum requirements for qualified electronic signature creation devices. Key requirements:
- The confidentiality of the private signature key must be ensured.
- The private key must not be readable from the SSCD.
- The key must not be forgeable.
- The signatory must be able to reliably protect the key against unauthorised use.
- The SSCD must not alter the data to be signed.
Significance in electronic procurement
In electronic procurement, the SSCD is of particular significance, as qualified electronic signatures may be legally required for certain procurement documents. In Austria, for example, bidders submitting tenders via e-procurement platforms can use a qualified electronic signature (via citizen card or mobile signature / ID Austria), which is based on an SSCD.
Certification
SSCDs must be certified by an accredited assessment body against the relevant security standards (e.g. Common Criteria EAL 4+, FIPS 140-2 Level 3) and listed on the national trust list or the European Trusted List. In Austria, the Federal Ministry for Digitisation maintains the trusted list; in Germany this is done by the Federal Office for Information Security (BSI) on the basis of the Trust List Ordinance.
Related terms
- Qualified electronic signature
- Qualified electronic seal
- Electronic signature
- Electronic procurement
- Signature card
FAQ
Does every bidder need an SSCD? Only those who need to create qualified electronic signatures. For many electronic procurement platforms, an advanced electronic signature, which does not require an SSCD, is sufficient.
Is a software SSCD (software token) permissible? Software-based SSCDs can be certified, but generally offer a lower level of security than hardware SSCDs. For qualified signatures within the meaning of EU law, a hardware SSCD is usually required.
How long are SSCD certificates valid? The validity period varies by provider; typical periods are 2–5 years. After that the certificate must be renewed.
All information without guarantee. For legally binding advice, please consult a law firm specialising in procurement law.