Requiring the regulated hardware/software to force user authentication prior to generating a QES
For the past two years, I have been involved in a venture to build mobile signing solutions. The initial product 'Quali-Sign Banking' (QSB) is now complete (Android version) and provides corporate users with the ability to authorise their organisation's payment orders via their mobile device. The solution is aligned to eIDAS 'Qualified Electronic Signatures' (QES) and PSD2 'Strong Customer Authentication' requirements.
At the time of writing this 'issue', the list of 'Qualified Signature Creation Devices' (QSCD) has not been published; however, it is my belief that Android devices running version 23 and above with 'secure hardware' (to manage the user's cryptographic private keys) are well placed to qualify.
I have, however, raised a feature request, which I believe would further strengthen Android's credentials. This would require the regulated hardware/software to force apps to authenticate the user when a QES is generated. I have also requested APIs to support KeyUsage and the creation of 'Certificate Signing Requests'. This will make it easier for others in the future to implement QES on Android.
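For context, an added example (not code from Quali-Sign or from the feature request): on API 23 the Android Keystore lets an app opt in to authentication on every use of a signing key, and lets it check afterwards whether secure hardware enforces that rule. The class name `QesKeyPolicy`, the curve and the digest are assumptions chosen for illustration.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyInfo;
import android.security.keystore.KeyProperties;
import java.security.GeneralSecurityException;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.ECGenParameterSpec;

/** Hypothetical helper: app-side opt-in to per-signature user authentication. */
public final class QesKeyPolicy {
    private QesKeyPolicy() {}

    /**
     * Generates an EC signing key bound to user authentication.
     * Fails with a GeneralSecurityException subclass if the device has no
     * secure lock screen or enrolled fingerprint to authenticate against.
     */
    public static KeyPair generate(String alias) throws GeneralSecurityException {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(
                KeyProperties.KEY_ALGORITHM_EC, "AndroidKeyStore");
        kpg.initialize(new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1")) // assumed curve
                .setDigests(KeyProperties.DIGEST_SHA256)                        // assumed digest
                // The app chooses this; nothing obliges it to.
                .setUserAuthenticationRequired(true)
                // -1: authentication is required for every single use of the key.
                .setUserAuthenticationValidityDurationSeconds(-1)
                .build());
        return kpg.generateKeyPair();
    }

    /**
     * Returns true only if the key lives in secure hardware and that hardware,
     * not just the OS, enforces the authentication requirement.
     */
    public static boolean meetsPolicy(KeyPair pair) throws GeneralSecurityException {
        KeyFactory kf = KeyFactory.getInstance(
                pair.getPrivate().getAlgorithm(), "AndroidKeyStore");
        KeyInfo info = kf.getKeySpec(pair.getPrivate(), KeyInfo.class);
        return info.isInsideSecureHardware()
                && info.isUserAuthenticationRequired()
                && info.isUserAuthenticationRequirementEnforcedBySecureHardware();
    }
}
```

The `meetsPolicy` result is only visible to the app itself, so a relying party has no way to confirm from this check alone that a given signature was preceded by authentication.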