Certificate Number: ETS 010
Scope: On the request of QuoVadis Trustlink B.V. in the Netherlands and DigiCert Europe Belgium BV in Belgium (hereafter referred to as: QuoVadis), the annual certification audit on all areas and processes was performed by BSI Group The Netherlands B.V. (John M. Keynesplein 9, 1066 EP Amsterdam, The Netherlands).
The full audit covered all applicable requirements from the audit criteria listed below (see “Audit Information”) and are defined in Digicert’s Statement of Applicability, dated 2 April 2025 and the Overview of Applicability, version 1.28.
The scope of the assessment comprised the following Trust Service Provider component services:
-,,Registration Service;
-,,Certificate Generation Service;
-,,Dissemination Service;
-,,Revocation Management Service;
-,,Revocation Status Service;
-,,Subject Device Provision Service;
This includes operating a remote QSCD / SCDev, where electronic signature creation data is generated and managed on behalf of the signatory.
The TSP component services are performed, partly or completely by subcontractors under the final responsibility of QuoVadis.
These TSP component services are being provided for the following qualified trust service(s) as defined in Regulation (EU) 910/2014 (eIDAS):
-,,Issuance of qualified certificates for electronic signatures (qualified trust service), in accordance with the policies: QCP-n, QCP-n-qscd
-,,Issuance of qualified certificates for electronic seals (qualified trust service), in accordance with the policy: QCP-l, QCP-l-qscd
-,,Issuance of qualified certificates for website authentication (qualified trust service), in accordance with policies QEVCP-w, QCP-w-psd2;
The certificates are issued through the issuing certification authorities, as specified below:
Root CA: Staat der Nederlanden Private Root CA - G1 (not in scope)
Domain CA: Staat der Nederlanden Private Personen CA - G1 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Private Personen CA - G1
Sha256 Fingerprint:
A5F7150BC358D1498BFDD8EB39732362DCB6A903F57451B930363BDFAF835BA4
+,,PKIOverheid Private Personal Non-Repudiation (OID 2.16.528.1.1003.1.2.8.2), in accordance with policy QCP-n-qscd
Root CA: Staat der Nederlanden Root CA - G3 (not in scope)
Domain CA: Staat der Nederlanden Organisatie Persoon CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Persoon CA - G3
Sha256 Fingerprint:
15073C6BBDC74699A88518C27A57C956E5E23D6CA9619E521A468C7873DE4F8A
+,,PKIOverheid Personal Organisation Non-Repudiation G3 (OID 2.16.528.1.1003.1.2.5.2), in accordance with policy QCP-n-qscd
Domain CA: Staat der Nederlanden Organisatie Services CA - G3 (not in scope)
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - G3
Sha256 Fingerprint:
BECFDE124CEDD344D925CB55EDDA662D9A9C0688FA9A0870CE3DBB6DA4313E4E
+,,PKIOverheid Organisation Service Seal (OID 2.16.528.1.1003.1.2.5.7), in accordance with policy QCP-l-qscd
-,,Issuing CA: QuoVadis PKIoverheid Organisatie Services CA - 2022
Sha256 Fingerprint:
B0D9AFDA74163609E4EAB017EEE4CE0B235AEEF7D68C06F86E74C6387999B2B7
+,,PKIOverheid Organisation Service Seal (OID 2.16.528.1.1003.1.2.5.7), in accordance with policy QCP-l-qscd
Root CA: QuoVadis Root CA 1 G3
Intermediate CA: QuoVadis Enterprise Trust CA 1 G3
-,,Issuing CA: QuoVadis EU Issuing Certification Authority G4
Sha256 Fingerprint:
1D24222B5EEC71FE99BE9D700FA5FF72312DB3EB0FCB4A4F3BCC135DA36C1355
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
+,,eIDAS Qualified: PSD2 Legal Person - QCSD (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
-,,Issuing CA: QuoVadis Belgium Issuing CA G2
Sha256 Fingerprint:
AA0E83B4AE0036679703D1603BC7E63A080464A033AE4B9F465838ADC85C61ED
+,,eIDAS Qualified Natural Person (OID 0.4.0.194112.1.0), in accordance with policy QCP-n
+,,eIDAS Qualified Natural Person - QCSD (OID 0.4.0.194112.1.2), in accordance with policy QCP-n-qscd
+,,eIDAS Qualified Legal Person (OID 0.4.0.194112.1.1), in accordance with policy QCP-l
+,,eIDAS Qualified Legal Person - QCSD (OID 0.4.0.194112.1.3), in accordance with policy QCP-l-qscd
Root CA: QuoVadis Root CA 2 G3
-,,Issuing CA: QuoVadis Qualified Web ICA G2
Sha256 Fingerprint:
7FEB9374EAB08D392717C647436DAE06176A24C010607FDA1CCE5E5F0106B472
+,,Qualified certificate for website authentication (OID 0.4.0.194112.1.4), in accordance with policy QEVCP-w
+,,PSD2 Qualified certificate for website authentication (OID 0.4.0.194112.1.4), in accordance with policy QCP-w (QEVCP-w) and QCP-w-psd2 (OID 0.4.0.19495.3.1)
The TSP component services are documented in the following Certification Practice Statements:
-,,DigiCert Europe CP/CPS v6.03 - Effective 27 February 2025
-,,DigiCert Europe PKI Disclosure Statement v2.01 - Effective 16 January 2025
-,,Certification Practice Statement for PKIoverheid Certificates v2.01 - Effective 24 March 2025
-,,DigiCert Europe PKIoverheid PKI Disclosure Statement v2.0 - Effective 12 March 2025
For the component service: Registration Service (Remote Identity Proofing), we confirm, based on the objective evidence collected during the audit, that as of 17 December 2021, the following identification method(s) provide equivalent assurance in terms of reliability to physical presence, pursuant to Regulation (EU) 910/2014 (eIDAS) article 24, paragraph 1a, sub c, for the trust services (and Identity Proofing Context) covered by this Certificate of Conformity:
-,,For Issuing CAs Belgium (C=BE): the identification method: “DigiCert Remote ID Validation level RIV2, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"; and
-,,For Issuing CAs Belgium (C=BE) and The Netherlands (C=NL): “DigiCert Remote ID Validation levels RIV4, supporting the ETSI TS 119461 Use Case for Unattended remote identity proofing (9.2.3): "Hybrid manual and automated operation" (9.2.3.3)"
Our annual certification audit was performed in March, May, June 2025. The result of the full audit is that we conclude, based on the objective evidence collected during the certification audit from 1 June 2024 through 31 May 2025, the areas assessed during the audit were generally found to be effective, based on the applicable requirements defined in Digicert’s Statement of Applicability, dated 2 April 2025 and the Overview of Applicability, version 1.28.
Audit information:
Audit criteria:
-,,ETSI EN 319 401 v3.1.1 (2024-06) General Policy Requirements for Trust Service Providers
-,,ETSI EN 319 411-1 v1.4.1 (2023-10) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates - Part 1: General requirements, for the policies: NCP, NCP+, OVCP and PTC, EVCP
-,,ETSI EN 319 411-2 v2.5.1 (2023-10) Electronic Signatures and Infrastructures (ESI) - Policy and security requirements for Trust Service Providers issuing certificates;- Part 2: Requirements for trust service providers issuing EU qualified certificates, for the policies: QCP-n-qscd, QCP-l-qscd, QCP-n, QCP-l, QEVCP-w;
-,,ETSI TR 119 461 v2.1.1 (2025-02) Electronic Signatures and Infrastructures (ESI); Policy and security requirements for trust service components providing identity proofing of trust service subjects
-,,ETSI TS 119 495 V1.7.1 (2024-07) Electronic Signatures and Infrastructures (ESI); Sector Specific Requirements; Certificate Profiles and TSP Policy Requirements for Open Banking, for the policies: QCP-l, QCP-l-qscd, QEVCP-w / QEVCP-w-psd2;
-,,CA/Browser Forum - Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted TLS-Server Certificates v2.1.2 (16 December 2024);
-,,CA/Browser Forum - Guidelines for the Issuance and Management of Extended Validation Certificates v2.0.1 (6 May 2024);
-,,CA/Browser Forum - Network and Certificate System Security Requirements v2.0.3 (13 December 2024);
-,,Regulation (EU) N 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, Chapter III – Trust Services (as amended by Regulation (EU) 2024/1183)
-,,PKIoverheid – Program of Requirements v5.1 (11 December 2024)
-,,G3 Legacy Organization Person certificates (previously 3a)
-,,G3 Legacy Organization Services certificates (previously 3b)
-,,G3 Legacy Citizen certificates (previously 3c)
-,,Private Organization Services certificates (previously 3g)
-,,Private Server certificates (previously 3h)
-,,Private Private Person certificates (previously 3i)
Audit Period of Time:
1 June 2024 - 31 May 2025
Audit performed:
March, May, June 2025
Information and Contact:
BSI Group The Netherlands B.V., John M. Keynesplein 9, 1066 EP Amsterdam, NL
