Correspondence via De-Mail — secure, simple and verifiable

De-Mail services are set to make the legally binding and confidential transmission of electronic documents and messages much simpler. De-Mail is a very simple option for sending electronic correspondence in an encrypted, authentic and verifiable way. Sending a De-Mail is just as easy as sending a conventional e-mail.
De-Mails are used in the same way as conventional e-mails, but they have some important characteristics that regular e-mails do not:

  • The identities of the sender and the addressee can be proven unequivocally and cannot be faked.
  • Messages are only transmitted via encrypted channels and stored in encrypted form, so unauthorised parties cannot access, read or modify them.

De-Mail will save you time and money, as you will no longer need to send printed documents by post or even deliver them by hand. De-Mail combines the speed of e-mail with the security of a letter and the verifiability of a registered service.

All De-Mail advantages and functions

What do I need to do if I want to use De-Mail and what advantages does De-Mail have over conventional e-mail?

Accreditation of De-Mail service providers

Your messages need to be transmitted under a high security level. That's why all De-Mail providers are subject to intensive testing and screening before they are accredited.

As part of the assessment phase, future De-Mail providers must prove that they meet the high requirements set out in the De-Mail Act regarding the organisational and technical security of the De-Mail services they offer. The details of the requirements are set out in the technical guidelines of the BSI. Only providers who can demonstrate that they meet the requirements and comply with the technical guidelines can be accredited by the BSI.

BSI Accreditation

The audit outcome attestation and proof of data protection are submitted to the BSI, which is the only authority in Germany authorised to accredit De-Mail providers. The provider is only allowed to operate its De-Mail services once it has been granted accreditation by the BSI. Subsequently, regular review is performed to ensure that the De-Mail provider continues to meet the technical and organisational requirements.

The list of accredited De-Mail providers is available on the BSI website. If your provider loses its accreditation or stops operating, your account is protected by legal regulations for changing providers. Naturally, the same applies if you want to change your provider for personal reasons.

Examples of requirements for De-Mail providers

  • The IT systems must be located in secure data centres with infrastructural safeguards (e.g. against unauthorised access and against fire, heat and water damage) that continue to operate even in the event of a power failure.
  • The staff who provide technical support for the De-Mail systems must have been police checked to provide assurance that they are trustworthy.
  • A security management system compliant with ISO 27001 based on IT-Grundschutz must be established which, in addition to IT-specific security safeguards (e.g. network security and protection of IT systems), also takes organisational measures into account (e.g. split of responsibilities for security-critical tasks to prevent access to the messages).

De-Mail providers are audited

In the assessment phase, the potential provider of De-Mail services must demonstrate that it meets the high requirements, especially for IT security, interoperability and the functionality of its system.

The audit consists of a two-part process. The actual audits are carried out by independent auditing authorities and auditors who have been recognised or certified by the BSI for De-Mail. The audit reports are then validated by independent IT security service providers who must also be approved by the BSI. If the audit is passed, attestations can be issued that certify that the De-Mail service providers meet the requirements.

Another expert body checks whether the requirements for data protection are observed. The German Federal Commissioner for Data Protection and Freedom of Information (BfDI) issues the relevant certificate if the audit is passed. The audit outcome attestation for security is based on the certification methodology according to ISO 27001 on the basis of IT-Grundschutz. In addition, De-Mail-specific requirements are examined.

Further information

If you have any further questions about De-Mail or information security, please contact the BSI.

The latest information is available to private individuals, companies and public institutions at www.de-mail.de. The De-Mail Information Portal provides information on the various options for using De-Mail for communication with companies and public authorities.