Compliance & Certifications
The WvdS Crypto Service meets the requirements of the following standards and regulations.
NIS2 (EU Directive)
The NIS2 Directive (Network and Information Security 2) has been in effect since January 2023 and must be transposed into national law by October 2024.
Article 21: Risk Management Measures
| Requirement | WvdS Implementation |
| (a) Risk analysis | Documented threat analysis |
| (b) Security incident handling | Logging, audit trail |
| (d) Supply chain security | OpenSSL FIPS-validated |
| (h) Cryptography | Post-Quantum algorithms |
| (i) Access control | L4Re Capability System |
Affected Sectors
Critical infrastructure operators (energy, transport, health, water, digital infrastructure) must comply with NIS2.
The WvdS Crypto Service is designed for these sectors.
BSI TR-03116-4
Technical guideline from the German Federal Office for Information Security for cryptographic requirements in eHealth systems.
Allowed Algorithms
| Category | Allowed | WvdS |
| Symmetric | AES-256-GCM | ✓ |
| Signature | ECDSA, RSA-PSS | ML-DSA (PQC) |
| Key Exchange | ECDH | ML-KEM (PQC) |
| Hash | SHA-256, SHA-384 | ✓ (internal) |
Post-Quantum Note
BSI TR-03116-4 recommends gradual migration to post-quantum algorithms from 2025. The WvdS Crypto Service is prepared for this.
FIPS 140-3
The WvdS Crypto Service uses OpenSSL 3.6 with the FIPS Provider.
Validated Modules
| Module | Certificate |
| OpenSSL 3.0 FIPS Provider | #4282 (in process for 3.6) |
FIPS Mode Activation
FIPS mode is enabled by default. Verification:
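```c
// In your code
#include <stdio.h>
#include <openssl/provider.h>   /* declares OSSL_PROVIDER_available() */

int main(void)
{
    /* NULL selects the default library context */
    if (OSSL_PROVIDER_available(NULL, "fips")) {
        printf("FIPS Provider active\n");
    }
    return 0;
}
```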
Non-FIPS Algorithms
The following algorithms are not available in FIPS mode:
- MD5, SHA-1 (deprecated)
- DES, 3DES (deprecated)
- RC4 (insecure)
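An auditor-side check for the two sections above, added here as an example and not part of the WvdS documentation: it classifies the provider set printed by `openssl list -providers`, because a FIPS provider that is merely available does not exclude the algorithms listed above while another provider is also active. The helper name `fips_posture` and the sample listings are constructed, and the listing layout is assumed to be the one OpenSSL 3.x prints.

```shell
#!/bin/sh
# fips_posture (hypothetical helper) reads a provider listing on stdin and prints:
#   fips-only   the FIPS provider is active, alone or with the base provider
#   fips-mixed  FIPS plus another active provider (default, legacy, ...);
#               non-approved algorithms stay fetchable unless the default
#               property query is restricted to fips=yes
#   no-fips     the FIPS provider is missing or not active
fips_posture() {
    awk '
        # Provider ids are indented by two spaces, their attributes by four.
        /^  [^ ]/      { id = $1; next }
        /^    status:/ { if ($2 == "active") active[id] = 1 }
        END {
            if (!("fips" in active)) { print "no-fips"; exit }
            for (p in active)
                if (p != "fips" && p != "base") { print "fips-mixed"; exit }
            print "fips-only"
        }'
}

# Constructed sample listings (version numbers are placeholders).
SAMPLE_MIXED='Providers:
  default
    name: OpenSSL Default Provider
    version: 0.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 0.0.0
    status: active'

SAMPLE_FIPS_ONLY='Providers:
  base
    name: OpenSSL Base Provider
    version: 0.0.0
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 0.0.0
    status: active'

# Live check on the audited host, skipped when no openssl binary is installed.
if command -v openssl >/dev/null 2>&1; then
    openssl list -providers 2>/dev/null | fips_posture
fi
```

A result of `fips-mixed` on a production host is worth recording in the audit evidence together with the configured default property query.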
FIPS 203 (ML-KEM)
NIST Post-Quantum Standard for Key Encapsulation.
| Parameter | Value |
| Algorithm | ML-KEM-768 |
| Security Level | NIST Level 3 (~AES-192) |
| Public Key | 1184 bytes |
| Ciphertext | 1088 bytes |
| Shared Secret | 32 bytes |
Migration Note
ML-KEM replaces classical methods like:
- RSA Key Exchange
- ECDH (P-256, P-384)
- X25519
FIPS 204 (ML-DSA)
NIST Post-Quantum Standard for digital signatures.
| Parameter | Value |
| Algorithm | ML-DSA-65 |
| Security Level | NIST Level 3 |
| Public Key | 1952 bytes |
| Signature | 3293 bytes |
Migration Note
ML-DSA replaces classical methods like:
- RSA-PSS
- ECDSA (P-256, P-384)
- Ed25519
Compliance Checklist
For your audit:
| Requirement | Status | Evidence |
| State-of-the-art encryption | ✓ | AES-256-GCM, ML-KEM |
| Post-Quantum ready | ✓ | FIPS 203, 204 |
| FIPS-validated crypto | ✓ | OpenSSL FIPS Provider |
| Key management | ✓ | Key Storage (File/TPM/HSM) |
| Access control | ✓ | L4Re Capabilities |
| Logging/Audit | ✓ | Configurable |
| Secure key destruction | ✓ | Zeroize on Drop |
| Nonce management | ✓ | Automatic tracking |
| DoS protection | ✓ | Rate Limiting |
Documentation for Auditor
The following documents are available for your audit:
| Document | Content |
| README_OEM.md | Technical integration |
| WvdS_KB_OEM.md | Knowledge Base (details) |
| SECURITY.md | Security Policy |
| CHANGELOG.md | Change history |
Request for additional documents:
Contact: Wolfgang van der Stille / EMSR DATA d.o.o. / DATECpro GmbH