Obtain accreditation as a De-Mail service provider
Description
De-Mail provides a secure infrastructure for digital communication. De-Mails are similar to e-mails, but are more secure: the identity of the sender and recipient cannot be falsified and the messages are transmitted exclusively via encrypted channels. Citizens, businesses and administration can communicate securely through the service. This infrastructure is operated by accredited De-Mail service providers (DMDA).
If you want to become a DMDA, you need accreditation. You can obtain this accreditation from the BSI upon request. To do this, you must meet technical, organizational and data protection requirements. For example, you must provide proof of insurance with certain coverage amounts and obtain certificates from the Federal Commissioner for Data Protection and Freedom of Information.
If you are accredited, you will receive a quality mark. With this quality mark, you may advertise the technical and administrative security of your services.
The accreditation is valid for three years, after which you must apply for re-accreditation.
Before submitting the application, you can meet with BSI staff. In an information meeting, they can explain the accreditation procedure as well as the associated organizational questions and costs.
You must apply for accreditation as a De-Mail service provider in writing. The BSI recommends that you announce your application informally before obtaining the evidence.
Application phase:
- The BSI will offer you an information meeting before submitting your application. In the interview, you can find out about the costs of the procedure as well as possible costs.
- Then fill out the application form completely and send it to the BSI with all the necessary documents.
- The BSI will check your application for formal correctness and completeness. In addition, it checks your submitted evidence for formal and factual correctness, completeness and validity.
- The result of the assessment of your application will be summarized by the BSI in an accreditation report. If you need to improve the submitted documents, the BSI will inform you accordingly.
Review phase:
- On the basis of the assessment of your application and the evidence, the BSI decides on your accreditation. It will inform you of the decision in writing.
- If you are accredited, the BSI will give you an accreditation certificate, the quality mark and a report on your accreditation. You must renew the accreditation after three years at the latest.
- Before a negative decision is sent, the BSI will inform you of the reasons for the rejection. You can comment on this within two weeks. If possible, the BSI will give you the opportunity to remedy the deficiencies.
Operational phase:
- Once your accreditation is complete, the operational phase begins: you are now allowed to offer your De-Mail services.
- From the time of accreditation and start of operation of the De-Mail services, you are subject to supervision by the BSI. This obliges you to do the following things:
- You must notify security vulnerabilities immediately.
- They must grant BSI employees access to business premises and relevant documents.
- You must inform the BSI immediately of any changes to your company that affect the accreditation requirements.
- The BSI ensures continuous cooperation through event-related meetings and workshops. Under certain conditions, the BSI may temporarily prohibit your operation.
As a De-Mail service provider, you must:
- have the reliability and expertise required for the operation of De-Mail services,
- have appropriate financial security to compensate for possible damages,
- meet the technical and organizational requirements so that you can provide the Services reliably and securely, and
- meet the data protection requirements in the design and operation of the De-Mail services.
General proof of the company:
- Company presentation,
- Extract from the register of trade, cooperatives, partnerships or associations,
- Copy of the business registration and
- Certificate of insolvency (self-insurance) that the company is not in insolvency or liquidation.
The general evidence of the company must not be older than six months.
Other required evidence:
- Attestations of certified IT security service providers De-Mail with the associated audit reports (not older than six months),
- a data protection certificate from the Federal Commissioner for Data Protection and Information Security, and
- Evidence of:
- Reliability
- Expertise and
- Financial security.
The fees for your accreditation depend on the time required for the procedure. The following hourly rates apply:
- EUR 84.00 per hour for employees of the higher service,
- EUR 68.00 per hour for employees of the higher service and
- EUR 54.00 per hour for employees of the middle service.
- The accreditation must be renewed after three years at the latest. You must submit the application at least three months before the end of your accreditation.
maximum 3 months
Forms: Application for accreditation as a De-Mail service provider
Online procedure possible: no
Written form required: yes
Personal appearance required: no
The text was automatically translated based on the German content.
Federal Ministry of the Interior, Building and Community
