According to the BSI Establishment Act, the Federal Office for Information Security (BSI) is a recognised confirmation body within the meaning of Section 18 of the Signature Act (SigG). As such, the BSI is authorised to issue confirmations for products in accordance with SigG, Section 15 (7) Sentence 1 or Section 17 (4). The prerequisite for issuing a confirmation is the detailed technical examination (evaluation) of the security features of the product to fulfil the corresponding requirements. Manufacturers of such products apply to the BSI for the issuance of a confirmation.

In accordance with the requirements of the Signature Ordinance, the evaluation of a product according to the security criteria publicly announced by the BSI is carried out by an auditing body recognised by the BSI. The evaluation as a basis for issuing a confirmation proceeds in the same way as an evaluation that is the basis for issuing an IT security certificate. According to the information in Annex 1 of the Signature Ordinance, the test depth is between EAL 3 and EAL 4 with a test against high attack potential.

The result of a successful evaluation is recorded in the confirmation certificate. The first page of this certificate contains, among other things, the name of the product, the date of issue and a unique identifier. This is followed by a description of the product as well as a precise specification of those requirements from the Signature Act and the Signature Ordinance which are fulfilled by the security features of the product and are part of the evaluation. Furthermore, the confirmation certificate contains instructions for the user and requirements for the environment in which the product is to be used.

Since the requirements for issuing an IT security certificate are also fulfilled after a successful evaluation, it is usually issued at the request of the manufacturer in addition to the confirmation by the BSI.

The confirmations issued by the BSI are published by the BSI and the Federal Network Agency. In accordance with the requirements of the Signature Ordinance, the Federal Network Agency also publishes the issued confirmations in the Federal Gazette.