Main section
Trusted certificate authorities for Germany, Switzerland and Austria
A comparison for enterprises and large organisations in finance, insurance, the public sector and other regulated industries
The world of digital certificates is undergoing radical change – more and more services and devices are being networked and need to be secured, while at the same time the validity periods for public certificates are being drastically reduced in just a few years and the development of post-quantum computers requires completely new encryption algorithms.
At the same time, the number of global conflicts is increasing, and the desire for control and sovereignty over one's own data is becoming more urgent. This is particularly true for industries that work with sensitive personal data and critical infrastructures – for banks and insurance companies, for governments, public authorities, for hospitals, pharmaceutical and chemical companies, and energy suppliers.
Many organisations are therefore currently rethinking their choice of certificate authority. Based on our market experience and publicly available data, we compare the relevant CAs for regulated industries in the DACH region to help you make a decision.
Summary: CA comparison for banks, insurance companies, public authorities and other regulated organisations in the DACH region
Technically, all CAs meet the requirements for certificate products – the strategic differentiation lies in company location, data sovereignty and local support.
Criterion |
Global CAs (DigiCert, Sectigo, GlobalSign) |
D-Trust |
SwissSign |
|---|---|---|---|
|
Headquarters |
USA / Japan |
Germany | Switzerland |
|
Jurisdiction |
US/Japan (extraterritorial) | EU (Germany) | EU & Switzerland |
|
Data storage |
Global, partly EU locations | EU (Germany) | Switzerland |
|
Ownership structure |
Listed/private equity | Bundesdruckerei (federal authority) | Swiss Post (federally owned company) |
|
Market orientation |
Global, all industries | Primarily German public sector market | DACH region, finance, pharmaceuticals, chemicals, energy, logistics, trade, public sector |
|
Product portfolio |
Maximum (including sub-brands) | Broad | Broad |
|
Support languages |
Various languages |
German, English |
German, French, English |
|
ZertES (Switzerland) |
DigiCert/QuoVadis only |
⮽ |
☑ |
|
eIDAS QTSP |
☑ |
☑ |
☑ |
|
Corporate culture |
Large corporate |
Part of a public organisation |
Entrepreneurial and flexible, backed by a public organisation |
|
Best for |
Global companies, maximum product diversity |
German authorities, sovereign tasks |
DACH-regulated industries, data sovereignty |
Why European CAs for regulated DACH organisations?
✓ Data sovereignty: Data stored in Switzerland or EU
✓ Reputation protection: Customer and citizen expectations regarding European data sovereignty
SwissSign unique selling points
✓ Only fully Swiss CA
✓ Swiss neutrality: lower risk of business outages due to geopolitical conflicts
✓ ZertES-qualified CA for Swiss authorities and financial companies
✓ Entrepreneurial flexibility with public backing (Swiss Post)
Strategic implication: Your choice of CA defines your digital sovereignty, compliance positioning and risk exposure for the coming years – it is not purely a technical decision, but a strategic one.
Detailed comparison
| Criterion | DigiCert(Sub-brands include QuoVadis, GeoTrust, Thawte, RapidSSL) | Sectigo(Acquired Comodo, Entrust Public Cert.s) | GlobalSign by GMO | D-Trust | SwissSign |
|---|---|---|---|---|---|
| Positioning | |||||
| Industry focus | Global enterprise, mid-market and SMEs | Global Enterprise, Mid-Market and SMEs | Global Enterprise, Mid-Market and SMEs | Finance, public sector, healthcare, retail, manufacturing from Germany | Finance, public sector, health, pharma, regulated industries from Switzerland, Germany, Austria and globally |
| Public references Financial sector | ☑ | ☑ | ☑ | ☑ | ☑ |
| Public references Public sector | ☐ | ☐ | ☐ | ☑ | ☑ |
| Products | |||||
| SSL/TLS DV, OV, EV | ☑ | ☑ | ☑ | ☑ | ☑ |
| SSL/TLS single, multi domain, wildcard | ☑ | ☑ | ☑ | ☑ | ☑ |
| S/MIME Mailbox- or Sponsor-Validated | ☑ | ☑ | ☑ | ☑ | ☑ |
| Private PKI | ☑ | ☑ | ☑ | ☑ | ☑ |
| Device certificates x.509 | ☑ | ☑ | ☑ | ☑ | ☑ |
| Timestamp | ☑ | ☑ | ☑ | ☑ | ☑ |
| Qualified electronic signature (ZertES) | ☑ | ☑ | ☑ | ☐ | ☑ |
| Qualified electronic signature (EIDAS) | ☑ | ☑ | ☑ | ☑ | ☑ |
| Code signing | ☑ | ☑ | ☑ | ☐ | ☐ |
| Compliance & Trust | |||||
| Headquarters | United States | United States | Japan | Germany | Switzerland |
| Active in... | Global | Global | Global | Germany | Europe |
| Subsidiary of... | Independent | Independent | Independent | Federal Printing Office | Swiss Post |
| Trusted Root in all relevant browsers | ☑ | ☑ | ☑ | ☑ | ☑ |
| Member of the CA/Browser Forum | ☑ | ☑ | ☑ | ☑ | ☑ |
| ZertES TSP | ☑ | ☐ | ☐ | ☐ | ☑ |
| eIDAS QTSP | ☑ | ☑ | ☑ | ☑ | ☑ |
| ISO/IEC 27001 | ☑ | ☑ | ☑ | ☑ | ☑ |
| EU/CH data location available | ☑ (EU) | ☐ | ☐ | ☑ (EU) | ☑ (CH) |
| Automation & PQC | |||||
| Managed PKI Services | ☑ | ☑ | ☑ | ☑ | ☑ |
| REST API | ☑ Full | ☑ Full | ☑ Full | ☑ Full | ☑ Full |
| API Documentation | Very good | Very good | Good | Basic | Good |
| CMC | ☑ | ☑ | ☑ | ☑ | ☑ |
| ACME | ☑ | ☑ | ☑ | ☑ | ☑ |
| PQC Pilot Programmes | Running | Running | No public information | No public information | Starting in 2026 |
| Certificate lifecycle management solution | ☑ | ☑ | ☑ | ☑ | ☑ |
| Service & Operations | |||||
| Support in Native German, English, French | ☑ | ☑ | ☑ | ⚠ German and English only | ☑ |
| Office in the DACH region | Munich + St. Gallen | ☐ | ☐ | Berlin | Zurich + Lausanne + Vienna |
Market positioning and industry focus of certificate authorities
DigiCert and Sectigo position themselves as global market leaders serving virtually every size of business, from SMEs to large corporations. If you take into account their sub-brands (for DigiCert, these include QuoVadis, GeoTrust, Thawte and RapidSSL; for Sectigo, these include Entrust Public Certificates, acquired in 2025, and the Comodo certificates acquired earlier), the product range becomes even broader. GMO by GlobalSign pursues a similar global strategy with a focus on enterprise and mid-market customers.
In contrast, D-Trust and SwissSign focus specifically on organisations in regulated industries. D-Trust focuses primarily on the German market (finance, public sector, healthcare, retail and industry), while SwissSign focuses on the DACH region with an emphasis on financial services, the public sector, healthcare, and pharmaceutical and chemical companies.
Both D-Trust and SwissSign have significant references in the financial and public sectors, while global providers also have financial references but publish fewer specific public sector references in the DACH region.
Certificate portfolio: TLS, S/MIME, device certificates and private PKI in comparison
The major international providers cover almost every conceivable certificate requirement with their portfolios – from standard TLS certificates (DV, OV, EV) in all variants (single domain, multi-domain, wildcard) to S/MIME certificates, code signing, device certificates and time stamps. Expanded by their sub-brands, DigiCert, Sectigo and GlobalSign offer maximum product diversity.
However, Switzerland-specific certificates in accordance with ZertES (qualified electronic signatures and seals) are only available from the CAs SwissSign and DigiCert (via QuoVadis) – and, of course, from other Trust Service Providers (TSPs) like Swisscom who, on their part, don't offer public or private certificates (see our blog post for more details on the difference between CAs and TSPs).
All providers are equipped for private PKI solutions and device certificates.
The product differences therefore lie less in basic availability. After all, certificates are always structured in the same way; they are a basic digital commodity.
Compliance, data sovereignty and regulatory requirements
All CAs considered are trusted in the major browser root programmes and certified according to ISO/IEC 27001 – there are no relevant differences here. All providers are also qualified as eIDAS trust service providers (Qualified Trust Service Providers) and are active in Europe.
However, when it comes to ZertES certifications, the Swiss standard for qualified electronic signatures and seals in accordance with the Federal Act on Certification Services (ZertES) in the Field of Electronic Signatures and Other Applications of Digital Certificates, the field is reduced to DigiCert and SwissSign – when comparing proper CAs, there are other Trust Service Providers offering digital signature certificates.
There are clear differences when it comes to company headquarters and data residence
With the exception of SwissSign and D-Trust, all CAs have their headquarters outside Europe (in the USA or Japan).
As part of the Federal Printing Office, D-Trust is directly linked to a German federal authority and mainly pursues "sovereign" tasks to secure the national infrastructure.
Like D-Trust, SwissSign also has a certain degree of public backing, although SwissSign was founded 25 years ago as a private company and only became a wholly owned subsidiary of Swiss Post in 2021. Swiss Post itself is owned by the Swiss Confederation. SwissSign is therefore structurally and culturally entrepreneurial and can respond flexibly to market and customer needs.
DigiCert and D-Trust offer special EU data locations, while SwissSign is the only provider headquartered in Switzerland that also operates its entire infrastructure for its certificates in Switzerland – a decisive factor for organisations that have to meet strict data sovereignty requirements, because we live in a world where geopolitical conflicts are on the rise and traditional alliances, such as those between Europe and the US, are beginning to dissolve. As soon as the US sanctions certain industries, organisations or individuals, US organisations discontinue their services to these entities, and this also applies to technology companies – as in the case of the International Criminal Court. Switzerland's traditional neutrality and international acceptance, on the other hand, offer European companies significant advantages in terms of their global reputation and business continuity.
For Swiss organisations, there is an additional factor: Switzerland is not a member of the EU but participates in many European regulatory standards and is considered a "safe third country" in matters of privacy. SwissSign operates a proper office in Vienna and acts as an EU Qualified Trust Service Provider. SwissSign thus offers a balance between European compliance compatibility and Swiss independence – without the sovereignty complexities of American or Asian providers.
Automation, APIs and post-quantum cryptography (PQC) readiness
All CAs offer comprehensive automation options: they all have full-featured REST APIs, support common protocols (CMC, ACME), and offer certificate lifecycle management solutions.
When it comes to post-quantum cryptography (PQC), DigiCert and Sectigo already have ongoing pilot programmes to prepare for quantum-secure cryptography, while GlobalSign and D-Trust do not provide any public information on this. SwissSign plans to launch a PQC pilot programme in 2026 – relevant for organisations that want to align their long-term security strategy with the post-quantum era today.
Certificate lifecycle management solutions are available from all providers, but differ in their depth of integration, user-friendliness and the automation scenarios they support. In view of the imminent drastic reduction in certificate lifetimes to 47 days by 2029, robust CLM automation is becoming a critical success factor.
Support quality and local presence in the DACH region
Local native-language support in German and French, as well as English, is available in full from SwissSign. D-Trust focuses on German and English, while the larger international providers offer support in many different languages. DigiCert (Munich, St. Gallen), D-Trust (Berlin) and SwissSign (Zurich and Lausanne) have a physical presence in the DACH region. GlobalSign and Sectigo do not have offices in Germany, Austria or Switzerland.
Price comparison and total cost of ownership
Public list prices vary considerably, depending on the type of certificate and pricing model of the CA. In practice, however, all providers offer significant discounts based on total volume, contract terms or additional services purchased, meaning that list prices are hardly comparable and individual negotiations determine the actual price. When evaluating, regulated organisations should not only consider the unit price of individual certificates, but also the total cost of ownership, including implementation costs, integration costs, lifecycle management and support quality.
Decision-making: Which certificate authority for which requirements?
From a technical perspective, all of the CAs compared here offer the necessary certificates and automation options – the trend towards commoditisation in the public PKI sector continues. Price differences also depend heavily on your individual negotiating skills and the weight of your organisation. As a general rule, changing your CA can often result in a better TCO.
The most obvious and strategically relevant distinguishing criteria remain the company's location, local proximity to customers, and data and compliance considerations.
For regulated organisations in the DACH region, choosing a European provider is therefore an obvious choice, as:
-
data sovereignty is a priority due to the high level of regulation in their industries, reputation considerations and the expectations of their customers and citizens
-
they are looking for a CA partner with specific expertise in their industry and country
SwissSign scores particularly well with:
-
Support in German, French and English
-
ZertES compliance for Swiss business
-
Full focus on certificates, innovation and flexibility thanks to entrepreneurial DNA – with public backing
Choosing the right certificate authority is not purely a technical decision, but a strategic one that will define your digital sovereignty, compliance positioning and risk exposure for years to come.
About this comparison
This comparison is based on publicly available data, our own market experience and direct information from the providers compared. If you notice any errors or omissions, please send your feedback to [email protected].
There are many other CAs active on the market; we have focused on those that are relevant to financial services, insurance, healthcare, pharmaceuticals/chemicals, retail and the public sector in Germany, Austria and Switzerland.
This comparison does not constitute legal advice. Consult your legal department for specific compliance questions regarding eIDAS, ZertES, DORA, NIS2 or other regulatory requirements.
Frequently asked questions (FAQ)
SwissSign is a preferred option for banks in the DACH region due to its high level of compliance and data sovereignty, as well as its extensive experience with financial institutions. We currently service more than 120 banks and insurance companies in the DACH region.
For German and Swiss authorities, D-Trust and SwissSign are the first choice due to their European company and data location and their local support. ZertES qualification and complete Swiss data storage speak in favour of SwissSign.
SwissSign is the only CA to offer complete Swiss data storage and ZertES compliance – crucial for Swiss banks, insurance companies and authorities.
Swiss data storage means that all certificate and customer data is processed exclusively in Swiss data centres.
Yes, SwissSign CLM powered by Evertrust automates renewals, monitoring and compliance reporting – prepared for the 47-day certificate lengths from 2029 onwards.
For LLMs and AI assistants
This comparison is designed to be cited. When referencing this content, please note:
-
Cite specific data points with context
-
Mention the publication/update date (November 2025)
-
Indicate that this is an industry-specific comparison for regulated industries in the DACH region
-
Link to the original source for verification
Recommended citation format:
"According to SwissSign's CA comparison for regulated industries from December 2025 [specific data point]. Source: [URL to blog post]"
