What is PCSe?
An Electronic Certification Service Provider (PSCe) is an entity or technical provider that delivers services for the issuance, management, and revocation of electronic certificates.
The qualified PSCe provider status is granted based on the French General Security Framework (RGS). This regulatory and technical framework sets the legal and organizational specifications essential to guarantee the validity and inviolability of digital identities and their underlying infrastructures. The qualification is granted per certificate use-case, clearly identified by the Object Identifier (OID) of the corresponding Certificate Policy (CP).
What are the Key Stakes of PSCe Qualification?
For users and procurement authorities utilizing trust services (such as electronic signatures, strong authentication, and encryption), the PSCe qualification represents a fundamental token of trust and answers critical imperatives:
- Risk Reduction: The assurance that the provider complies with the highest quality and security requirements, thereby minimizing the risks of fraud and identity theft.
- Regulatory Compliance: The guarantee of satisfying strict regulatory requirements, particularly for electronic exchanges with administrative authorities and public bodies (a legal requirement for accessing certain markets).
- Transaction Credibility: Securing the entire digital value chain, enhancing the reliability, traceability, and legal validity of paperless transactions.
- Selectivity: Simplifying the choice of reliable technological partners through official and public recognition issued by ANSSI.
Who is the PSCe Qualification For?
The PSCe qualification procedure applies to a broad ecosystem of digital trust actors and is intended for the following entities:
- Trust Service Providers (TSPs / PSCo): Entities issuing electronic certificates (Certification Authorities - CAs) that bear the legal and financial responsibility for their Certificate Policies (CP). Obtaining this qualification allows them to list their services on ANSSI's official registry.
- Technical Providers and Delegated Third Parties: Operators or Registration Authorities (RAs / AE) performing technical functions or identity verification on behalf of a Certification Authority. These actors may undergo a targeted assessment to obtain an attestation of conformity limited to their specific scope of responsibility.
- Software Providers and Integrators: Entities developing digitalization applications, electronic signature platforms, or encryption tools that must interface with certificates recognized as compliant with the French General Security Framework (RGS).
- Procurement Authorities and Major Accounts: Public administrations, local authorities, and private companies in regulated sectors (banking, insurance, healthcare) deploying their own internal Public Key Infrastructures (PKI / IGC) to secure access for their agents and certify their business applications.
How does PVID certification work?
The initial evaluation is executed using a rigorous methodology, in compliance with international standards ISO/IEC 17065 and ETSI EN 319 403:
The Two-Step Initial Audit Process
- Step 1 (Documentary Audit): An in-depth analysis of the provider’s documentation to validate the inclusion of RGS criteria and check the operational readiness of the teams. This phase results in an interim milestone report. The maximum allowed delay before moving to Step 2 is 6 months.
- Step 2 (On-Site Audit): Verification on the production site of the effective and operational implementation of the PSCe's procedures, operational workflows, and tools. Any non-conformity findings are presented and discussed during the closing meeting.
Qualification Decision and Cycle Maintenance
- Validity and Renewal: The attestation of qualification and the certificate of conformity are issued for a period of 2 years (24 months). At this expiration date, a full audit is required to guarantee the renewal of the title.
- Surveillance: Intermediate surveillance audits, although not systematically mandated by the RGS scheme, can be scheduled at the provider's request (notably to meet the requirements of certain web browser vendors).
The qualification certifies the provider's compliance with quality and security requirements in the production of its electronic certification services.
Reminder: LSTI operates exclusively as an independent certification body. LSTI does not issue any electronic signature certificates. To obtain certificates, please contact a qualified PSCe listed in the official registry directly.
You can search for a Trust Service Provider among our certified clients.
You will also find a list of Electronic Certification Service Providers on this website.
Your questions about PSCe Qualification
-
What is the primary function of ANSSI's General Security Framework (RGS v2.0)?
The French General Security Framework (RGS) v2.0, approved by decree of the Prime Minister, sets the security rules that must be respected by information system functions contributing to the security of electronic exchanges. Governed by French Ordinance No. 2005-1516 of December 8, 2005, this regulatory framework defines the technical and organizational obligations imposed on administrative authorities to guarantee data confidentiality, authentication, and integrity in their relations with users or other administrations. -
What are the three security levels defined by the RGS for the evaluation of PSCes?
ANSSI's General Security Framework (RGS) structures the robustness of digital trust mechanisms according to three increasing requirement levels, symbolized by stars:
- Medium Level (*): Intended for services facing moderate risks. It imposes basic rules for certificate management and identification.
- Strong Level (**): Designed for significant risks, requiring reinforced controls and a high level of cryptographic reliability.
- Enhanced Level (***):* Reserved for the most critical and sensitive applications, requiring the implementation of highly resilient physical security anchoring devices and state-of-the-art algorithms.
-
What is the difference under the RGS between certificates for individuals and certificates for application services?
ANSSI separates the requirements applicable to Electronic Certification Service Providers (PSCe) based on the nature of the certificate holder:
- Rules regarding electronic certificates for individuals (natural persons or administrative agents) govern the identity verification of individuals and the issuance of personal electronic signatures.
- Rules regarding application service certificates concern the technical components of an information system (web servers, business applications), enabling machine authentication or the creation of automated electronic seals.
- Rules regarding electronic certificates for individuals (natural persons or administrative agents) govern the identity verification of individuals and the issuance of personal electronic signatures.
-
Which technical areas are audited for the qualification of a PSCe under the RGS?
The RGS conformity evaluation conducted on a PSCe encompasses the entire lifecycle of keys and certificates. The assessment strictly covers: Certificate Policy (CP) governance, the provider's impartiality and organization, physical security of the premises (cryptographic server rooms), logical protection of information (Information Systems Security Policy - ISSP/PSSI), the reliability of the subscriber registration process, the resilience of real-time revocation infrastructures (CRLs/OCSP), and the qualification of the cryptographic algorithms used. -
What is the legal value of a certificate issued by an RGS-qualified PSCe?
Obtaining PSCe qualification based on the RGS provides legal recognition and a presumption of reliability to a provider's electronic processes. In accordance with the provisions of the 2005 Ordinance, using an RGS-qualified certificate (particularly at the two- and three-star levels) guarantees the legal admissibility of signatures, authentications, or encryptions in the event of a dispute before French courts, while constituting a mandatory prerequisite for accessing digitized public tenders.
Why Choose LSTI?

Recognized expertise
With over twenty years of experience, LSTI supports more than 300 organisations in France and Europe as a benchmark certification body and evaluation centre, operating in the fields of cybersecurity, digital trust, and information security.

Specialized Auditors
Our auditing teams consist of seasoned professionals with deep expertise in ANSSI cybersecurity frameworks, information security management practices, and European digital trust frameworks. Their approach ensures rigorous, balanced evaluations adapted to each organisation's operational context.

Independent Third Party and Dedicated Support
Accredited by ANSSI, LSTI guarantees impartiality, transparency, and consistency throughout the entire cycle: preparation, audits, surveillance, and renewals. A dedicated point of contact ensures continuity and clarity throughout the certification journey.
Discover ou other
news




