Akkreditierung als De-Mail-Diensteanbieter Erteilung

If you would like to obtain accreditation as a De-Mail service provider, you can apply for this from the Federal Office for Information Security (BSI).

De-Mail provides a secure infrastructure for digital communication. De-Mails are similar to e-mails, but more secure: the identities of sender and recipient cannot be falsified and messages are transmitted exclusively via encrypted channels. Citizens, companies and administrations can communicate securely via the service. This infrastructure is operated by accredited De-Mail service providers (DMDAs).

If you want to become a DMDA, you need to be accredited. You can apply for this accreditation from the BSI. For this, you have to fulfil technical, organisational and data protection requirements. For example, you must provide proof of insurance with certain coverage amounts and obtain certificates from the Federal Commissioner for Data Protection and Freedom of Information.

If you are accredited, you will receive a quality mark. This quality mark allows you to advertise the technical and administrative security of your services.

Accreditation is valid for three years, after which you must apply for re-accreditation.

Before you apply, you can meet with BSI staff. In an informational interview, they can explain the accreditation procedure to you, as well as the associated organizational issues and costs.

General evidence about the company:

• Company description,
• extract from the commercial, cooperative, partnership or association register,
• Copy of business registration and
• Insolvency certificate (self-insurance) that the company is not in insolvency or liquidation.

The general proofs about the company must not be older than six months.

Further required proofs:

• Test certificates from certified IT security service providers De-Mail with the associated test reports (not older than six months),
• a data protection certificate from the Federal Commissioner for Data Protection and Information Security, and
• Evidence of:
  • reliability,
  • expertise and
  • coverage.
    
    

As a De-Mail service provider you must:

• possess the reliability and expertise required for the operation of De-Mail services,
• have appropriate insurance cover to meet compensation for possible damages,
• meet the technical and organisational requirements to provide the services reliably and securely, and
• comply with data protection requirements in the design and operation of De-Mail services.
  
  

The fees for your accreditation are based on the time required for the procedure. The following hourly rates apply:

• EUR 84.00 per hour for employees of the higher service,
• EUR 68.00 per hour for staff of the higher service and
• EUR 54.00 per hour for employees of the intermediate civil service.

You must apply for accreditation as a De-Mail service provider in writing. BSI recommends that you give informal notice of your application before collecting evidence.

Application stage:

• The BSI will offer you an informational interview prior to submitting your application. During the interview, you can find out about the effort involved in the procedure as well as possible costs.
• Then complete the application form in full and send it to BSI with all the necessary documents.
• The BSI will check your application for formal correctness and completeness. It will also check your submitted evidence for formal and factual correctness, completeness and validity.
• The result of the assessment of your application is summarised by the BSI in an accreditation report. If you need to amend the submitted documents, the BSI will inform you of this.

Assessment phase:

• Based on the assessment of your application and the supporting documents, the BSI decides on your accreditation. It will notify you of its decision in writing.
• If you are accredited, the BSI will give you an accreditation certificate, the quality mark and a report on your accreditation. You must renew your accreditation after three years at the latest.
• Before a negative decision is sent, the BSI will inform you of the reasons for the rejection. You can comment on this within two weeks. If possible, BSI will give you the opportunity to rectify the deficiencies.

Operational phase:

• Once your accreditation is complete, the operational phase begins: you may now offer your De-Mail services.
• From the time of accreditation and commencement of operation of the De-Mail services, you are subject to supervision by the BSI. This obliges you to do the following things:
  • You must report security vulnerabilities immediately.
  • You must grant BSI staff access to business premises and relevant documents.
  • You must inform the BSI immediately of any changes at your company that affect the accreditation requirements.
• The BSI ensures continuous cooperation by holding meetings and workshops on an ad hoc basis. Under certain conditions, the BSI may temporarily prohibit you from operating.
  
  

maximum 3 months

• The accreditation must be renewed after three years at the latest. You must submit the application for this at least three months before your accreditation expires.

• Accreditation as a De-Mail service provider Granting of accreditation
• To be accredited as a De-Mail service provider, a written application must be submitted
• Accreditation made possible,
  • to offer De-Mail services and
  • advertise comprehensively tested technical and administrative security with a quality mark.
• Accreditation process is divided into three parts
  • Application phase,
  • assessment phase and
  • operational phase.
• Accreditation is valid for three years, after which re-accreditation is necessary.
• Potential service providers are offered an informational interview prior to application to explain accreditation procedures and related organizational issues and costs
• Responsible: Federal Office for Information Security (BSI)
  
  

Forms: Application for accreditation as a De-Mail service provider.

Online procedure possible: no

Written form required: yes

Personal appearance required: no