Certificate Number: ETS 030
Scope: On the request of QuoVadis Trustlink B.V. in the Netherlands and DigiCert Europe Belgium BV in Belgium (hereafter referred to as: QuoVadis), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in Digicert’s Statement of Applicability, dated 2 April 2025 and the Overview of Applicability, version 1.28.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service;
-,,Certificate Generation Service;
-,,Dissemination Service;
-,,Revocation Management Service;
-,,Revocation Status Service;
-,,Subject Device Provision Service;
This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
The TSP component services are performed, partly or completely by subcontractors under the final responsibility of QuoVadis.
These TSP component services are being provided for:
-,,Issuance of public key certificates (non-qualified trust service), in accordance with the policies: NCP, NCP+, OVCP and PTC
The certificates are issued through the issuing Certification Authorities, as specified below:
Root CA: Staat der Nederlanden Private Root CA - G1 (not in scope)
Domain CA: Staat der Nederlanden Private Personen CA - G1 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Private Personen CA - G1
Sha256 Fingerprint:
A5F7150BC358D1498BFDD8EB39732362DCB6A903F57451B930363BDFAF835BA4
+,,PKIOverheid Private Personal Authenticity (OID 2.16.528.1.1003.1.2.8.1), in accordance with policy NCP+
+,,PKIOverheid Private Personal Encryption (OID 2.16.528.1.1003.1.2.8.3), in accordance with policy NCP+
Domain CA: Staat der Nederlanden Private Services CA - G1 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Private Services CA - G1
Sha256 Fingerprint:
69DF8D18C54503F83DC239C3DCF8115B2A447EFC5DEFCA6119D18E988C12276D
+,,PKIOverheid Private Services – Authenticity (OID 2.16.528.1.1003.1.2.8.4), in accordance with policy NCP
+,,PKIOverheid Private Services – Encryption (OID 2.16.528.1.1003.1.2.8.5), in accordance with policy NCP
+,,PKIOverheid Private Services – Server (OID 2.16.528.1.1003.1.2.8.6), in accordance with policy NCP
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domain CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA - G3
Sha256 Fingerprint:
15073C6BBDC74699A88518C27A57C956E5E23D6CA9619E521A468C7873DE4F8A
+,,PKIOverheid Personal Organisation Authenticity (OID 2.16.528.1.1003.1.2.5.1), in accordance with policy NCP+
+,,PKIOverheid Personal Organisation Encryption (OID 2.16.528.1.1003.1.2.5.3), in accordance with policy NCP+
Domain CA: Staat der Nederlanden Burger CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Burger CA - 2021
Sha256 Fingerprint:
3AC3DB2C474FC34FE8011C5A01F622824C6F8B11076F56192AC701DAE3D70534
+,,PKIOverheid Personal Citizen Authenticity (OID 2.16.528.1.1003.1.2.3.1), in accordance with policy NCP+
+,,PKIOverheid Personal Citizen Encryption (OID 2.16.528.1.1003.1.2.3.3), in accordance with policy NCP+
Domain CA: Staat der Nederlanden Organisatie Services CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - G3
Sha256 Fingerprint:
BECFDE124CEDD344D925CB55EDDA662D9A9C0688FA9A0870CE3DBB6DA4313E4E
+,,PKIOverheid Organisation Service Authenticity (OID 2.16.528.1.1003.1.2.5.4), in accordance with NCP+
+,,PKIOverheid Organisation Service Encryption (OID 2.16.528.1.1003.1.2.5.5), in accordance with policy NCP+
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - 2022
Sha256 Fingerprint:
B0D9AFDA74163609E4EAB017EEE4CE0B235AEEF7D68C06F86E74C6387999B2B7
+,,PKIOverheid Organisation Service Authenticity (OID 2.16.528.1.1003.1.2.5.4), in accordance with NCP+
+,,PKIOverheid Organisation Service Encryption (OID 2.16.528.1.1003.1.2.5.5), in accordance with policy NCP+
Root CA: QuoVadis Root CA 1 G3
Intermediate CA: QuoVadis Enterprise Trust CA 1 G3
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G4
Sha256 Fingerprint:
1D24222B5EEC71FE99BE9D700FA5FF72312DB3EB0FCB4A4F3BCC135DA36C1355
+,,QV Advanced (OID 0.4.0.2042.1.1), in accordance with policy NCP
+,,QV Advanced + (OID 0.4.0.2042.1.2), in accordance with policy NCP+
-,,Issuing CA: QuoVadis Belgium Issuing CA G2
Sha256 Fingerprint:
AA0E83B4AE0036679703D1603BC7E63A080464A033AE4B9F465838ADC85C61ED
+,,QV Advanced (OID 0.4.0.2042.1.1), in accordance with policy NCP
+,,QV Advanced + (OID 0.4.0.2042.1.2), in accordance with policy NCP+
The TSP component services are documented in the following Certification Practice Statements:
-,,DigiCert Europe CP/CPS v6.03 - Effective 27 February 2025
-,,DigiCert Europe PKI Disclosure Statement v2.01 - Effective 16 January 2025
-,,Certification Practice Statement for PKIoverheid Certificates v2.01 - Effective 24 March 2025
-,,DigiCert Europe PKIoverheid PKI Disclosure Statement v2.0 - Effective 12 March 2025
For the component service: Registration Service (Remote Identity Proofing), we confirm, based on the objective evidence collected during the audit, that as of 17 December 2021, the following identification method(s) provide equivalent assurance in terms of reliability to physical presence, pursuant to Regulation (EU) 910/2014 (eIDAS) article 24, paragraph 1a, sub c, for the trust services (and Identity Proofing Context) covered by this Certificate of Conformity:
-,,“DigiCert Remote ID Validation level RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"; and
-,,“DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
Our annual certification audit was performed in March, May, June 2025. The result of the full audit is that we conclude, based on the objective evidence collected during the certification audit from 1 June 2024 through 31 May 2025, the areas assessed during the audit were generally found to be effective, based on the applicable requirements defined in Digicert’s Statement of Applicability, dated 2 April 2025 and the Overview of Applicability, version 1.28.
Audit information:
Audit criteria:
-,,ETSI EN 319 401 v3.1.1 (2024-06) General Policy Requirements for Trust Service Providers
-,,ETSI EN 319 411-1 v1.4.1 (2023-10) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP, NCP+, OVCP and PTC, EVCP
-,,ETSI TR 119 461 v2.1.1 (2025-02) Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects
-,,ETSI TS 119 495 V1.7.1 (2024-07) Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Certificate Profiles and TSP Policy Requirements for Open Banking, for the policies: QCP-l, QCP-l-qscd, QEVCP-w / QEVCP-w-psd2;
-,,CA/Browser Forum - Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted TLS-Server Certificates v2.1.2 (16 December 2024);
-,,CA/Browser Forum - Guidelines for the Issuance and Management of Extended Validation Certificates v2.0.1 (6 May 2024);
-,,CA/Browser Forum - Network and Certificate System Security Requirements v2.0.3 (13 December 2024);
-,,Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services (as amended by Regulation (EU) 2024/1183)
-,,PKIoverheid – Program of Requirements v5.1 (11 December 2024)
-,,G3 Legacy Organization Person certificates (previously 3a)
-,,G3 Legacy Organization Services certificates (previously 3b)
-,,G3 Legacy Citizen certificates (previously 3c)
-,,Private Organization Services certificates (previously 3g)
-,,Private Server certificates (previously 3h)
-,,Private Private Person certificates (previously 3i)
Audit Period of Time:
1 June 2024 - 31 May 2025
Audit performed:
March, May, June 2025
Information and Contact:
BSI Group The Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
