Azure Expands Marvell LiquidSecurity HSMs Across Europe for eIDAS Signatures

Microsoft and Marvell have announced a deeper collaboration that brings Marvell’s LiquidSecurity hardware security modules (HSMs) into a broader set of Azure cloud security services across Europe, unlocking eIDAS-grade signing use cases, expanding Azure Cloud HSM capabilities, and promising hyperscale performance, higher density, and lower operational cost for regulated workloads that require hardware-backed cryptography.

Background

Cloud adoption in regulated industries has long been constrained by two realities: complex regulatory requirements for cryptographic key storage and the operational burden of managing on-premises HSM appliances. Hardware security modules are foundational to high-assurance cryptography: they protect keys, perform certified cryptographic operations, enable public key infrastructure (PKI), and serve as the trust anchors for digital signatures, payment processing, and identity services.
Historically, HSMs were delivered as 1U / 2U appliances designed for on-premises datacenters. The rise of cloud-native services and the demand for HSM-as-a-service pushed vendors to rethink form factors and architectures. Marvell’s LiquidSecurity family was engineered specifically to meet those cloud-scale needs: PCIe-based HSM adapters powered by the company’s OCTEON data processing units (DPUs), designed to run inside server hosts and deliver high-density, multi-tenant HSM services.
Recent regulatory milestones have reduced a major barrier for cloud-based HSM adoption in Europe. With Marvell’s LiquidSecurity portfolio now cleared for key European assurance frameworks, Azure is enabling use cases that require qualified electronic signatures and other legally sensitive operations—workloads that until recently often required customers to maintain physical HSMs on premises.

What the announcement covers

  • Microsoft is expanding the set of cloud-delivered security services in Europe that are powered by Marvell LiquidSecurity HSMs. This extends existing deployments in Asia and North America to additional European use cases.
  • The move enables Azure to support cloud-based mechanisms for certifying cross-border agreements, authenticating identity documents, and other sensitive digital interactions that benefit from eIDAS-level assurances and Common Criteria evaluations.
  • Azure Cloud HSM is offered as a single-tenant, customer-controlled HSM cluster with end-to-end encryption over a private connection into a customer’s virtual network. The platform is presented as FIPS 140-3 Level 3 validated, aligning with many regulated-sector requirements.
  • Marvell’s LiquidSecurity adapters are presented as dense, PCIe-based modules purpose-built for cloud operators. The product line emphasizes large key capacity, high throughput, multi-tenant partitioning, and low power consumption.

Why it matters now: regulatory and market context

  • eIDAS compliance (and, in particular, the Qualified Signature Creation Device — QSCD — regime) is the baseline for legal-grade electronic signatures across EU member states. Enabling qualified signature workflows in the public cloud removes a major friction point for cross-border digital contracts, notarization, and identity services.
  • Common Criteria EAL4+ evaluation provides internationally recognized assurance about the product’s design, development, and testing—important for procurement in government and financial sectors.
  • FIPS 140-3 Level 3 validation meets the expectations of many North American and international financial and government buyers for tamper-resistant hardware boundaries.
  • Together, those three certifications and validations help make cloud HSMs acceptable for the kinds of legally and operationally sensitive tasks that previously required on-premises HSMs.

Under the hood: Marvell LiquidSecurity technology explained

Marvell has re-architected the HSM for cloud operations. Key technical points to understand:
  • Form factor and platform
      • LiquidSecurity HSMs are delivered as PCIe adapter cards (server-hosted), not 1U/2U rack appliances.
      • The adapters are powered by Marvell’s OCTEON data processing units (DPUs), which are optimized for cryptographic workloads and throughput at low power.
      • The PCIe approach enables cloud operators to run multiple HSM adapters per server, increasing rack density and lowering hardware footprint.
  • Performance and capacity (manufacturer claims)
      • The LiquidSecurity 2 (LS2) adapter is advertised with hardware-secured storage for up to 1,000,000 keys and support for multiple partitions (commonly cited as up to 45), enabling strong multi-tenant isolation.
      • Cryptographic throughput figures commonly quoted include tens of thousands of RSA/ECC operations per second and hundreds of thousands to more than one million symmetric/GCM operations per second, depending on algorithm mix and measurement methodology.
      • Power consumption for LS2 is positioned in the low tens of watts, delivering a high performance-per-watt metric compared with appliance-based HSMs.
  • Multi-tenancy and partitioning
      • Each adapter supports a number of logical partitions, enabling cloud providers to carve isolated HSM partitions for different customers while keeping keys inside an HSM security boundary.
      • Partitioning and resource management enable HSM-as-a-service at scale, letting operators host hundreds or thousands of customers without physical device handoffs.
  • API and compatibility
      • Cloud HSM services built on LiquidSecurity are commonly exposed through industry-standard interfaces (PKCS#11, OpenSSL engines, JCE/JCA, vendor SDKs) to facilitate “lift-and-shift” migrations of on-premise HSM applications to cloud-hosted HSM clusters.
Important verification note: published performance figures vary between documents and press coverage. Marvell’s product literature emphasizes up to one million keys and high GCM throughput; independent industry reporting and product datasheets cite algorithm-dependent benchmarks (for example, AES GCM throughput often measured in hundreds of thousands to one million ops/sec, ECC P-256 numbers in the tens of thousands per second). Procurement teams should treat raw peak numbers as directional and request algorithm/mode-specific throughput numbers measured under their expected workload and firmware revision.

Use cases unlocked by eIDAS + EAL4+ on Azure Cloud HSM

The combination of cloud-delivered HSM service and European certifications broadens the range of viable cloud-native services:
  • Qualified electronic signatures for contracts and government forms
      • Cloud-hosted Qualified Signature Creation Device (QSCD) functionality enables legal equivalence to handwritten signatures in many EU jurisdictions where cloud-based QSCDs are accepted under the local eIDAS scheme.
  • Identity and passport systems
      • National identity providers and passport authorities can perform large-scale signing and validation workflows without maintaining hundreds of on-premise HSMs in every issuing office.
  • PKI and certificate authorities
      • Certificate Authorities and managed PKI providers can anchor trust in HSM-backed signing keys while operating in a cloud-delivered model.
  • Payment and transaction processing
      • High-throughput cryptographic operations and dense key storage support payment tokenization, certificate signing, and transaction authorization at hyperscale.
  • Healthcare and regulated data protection
      • Secure handling of medical records and audit logs that require strict key protection and attestable signing can leverage hardware-backed key custody without needing physical device logistics.
These are not theoretical; cloud providers that integrate certified HSMs can offer customers the same assurance levels previously only available to on-premise deployments—if the designs, firmware, and operational controls match the scope of the certification.

Operational and economic impact

Switching to cloud-based HSM services built on dense PCIe adapters influences operations, procurement, and TCO in several tangible ways:
  • Lower physical footprint
      • PCIe adapters allow many HSMs per rack server versus one to two appliances per rack unit. This reduces rack space, cabling, and hardware sprawl.
  • Reduced capital expenditure and simplified lifecycle management
      • A subscription model reduces up-front investments and offloads firmware updates, endurance monitoring, and hardware replacement to the cloud operator.
  • Energy efficiency
      • LS2-class cards are billed as consuming tens of watts rather than hundreds, improving cost per crypto-op in large deployments.
  • Faster onboarding and scaling
      • Provisioning partitions instead of shipping hardware accelerates customer onboarding and region expansion.
  • Pricing model shifts
      • Cloud HSM-as-a-service delivers predictable operating expenses but requires careful analysis of per-operation or per-hour pricing, especially for high-volume workloads.
Practical procurement implication: the subscription approach is attractive for many customers but does not automatically relieve them of compliance obligations. Buyers must verify the certified configuration, location of key material, retention policies, and export-control constraints in contract terms.

Security and compliance: realities beyond marketing

The certifications discussed—FIPS 140-3 Level 3, Common Criteria EAL4+, and eIDAS—are significant, but not interchangeable and not absolute guarantees. Important caveats:
  • Certification scope matters
      • Certifications apply to a specific product configuration, firmware revision, and evaluated deployment model. If a cloud provider modifies firmware or integrates the HSM differently than the evaluated configuration, the certification may not cover that specific operational model.
  • eIDAS acceptance is national
      • eIDAS is an EU-wide regulation, but QSCD recognition is exercised through national supervisory bodies and schemes. A device certified as a QSCD under one national scheme enables qualified signatures under that regime; organizations should confirm cross-border acceptance specifics and whether the cloud service operator is listed as an approved Qualified Trust Service Provider (QTSP) where required.
  • Common Criteria EAL4+ is valuable—but nuanced
      • EAL4+ provides assurance about product development and testing practices. Procurement teams should obtain the actual evaluation certificate and protection profile to check the claimed functionality, the evaluated firmware, and any augmentations.
  • FIPS 140-3 Level 3 provides tamper-detection and physical security assurances but is not a silver bullet
      • It addresses module boundary security and tamper responses; operational security, key lifecycle management, and provisioning processes are still critical.
Flagged verification gaps and recommended buyer actions:
  • Request the specific certificate artifacts (certificate numbers, evaluated firmware versions, evaluation lab reports) for FIPS 140-3, Common Criteria, and eIDAS/QSCD claims.
  • Confirm that the Azure service configuration you plan to use is within the evaluated configuration covered by the certificates.
  • Confirm whether the eIDAS QSCD acceptance is under a national scheme that meets your regulatory or transactional needs and whether the provider is an approved QTSP for your jurisdiction.

Market context and competitive landscape

The move by a major cloud provider to expand eIDAS-capable HSM services in Europe with a cloud-native HSM partner is part of a broader industry trend:
  • Large cloud operators are competing to offer HSM-as-a-service that matches the assurance levels required by regulated industries.
  • Traditional HSM vendors (appliance-focused) have been updating their offerings to support cloud and multi-tenant deployments; cloud-optimized silicon and PCIe form factors are increasingly common across the vendor landscape.
  • Buyers evaluating HSM providers should compare:
      • Certification coverage and the evaluated configuration.
      • Performance metrics for the precise algorithms and key types in use.
      • Integration APIs and supported ecosystems (PKCS#11, JCE, CNG, etc.).
      • Operational controls, incident response, and geographic locality assurances.
From a market perspective, cloud-native HSM adapters lower barriers for sectors such as finance, identity, and healthcare to migrate critical workflows to public cloud platforms. The competitive pressure also benefits customers by driving better pricing, denser offerings, and faster innovation in key management and cryptographic agility (including post-quantum readiness).

Risks and practical caveats

This new capability is promising, but buyers and architects should be mindful of the following risks and limitations:
  • Certification scope mismatch: If the HSM firmware or partitioning model used by the cloud operator differs from the one evaluated, the certification’s applicability may be limited.
  • Operational policy and auditability: Certifications do not replace the need for strong operational procedures, logging, and attestation required by auditors and regulators.
  • Jurisdictional control and data residency: While certifications address device-level assurances, customers may still require key residency or key escrow arrangements under specific regulations.
  • Vendor concentration risk: Large cloud-native HSM deployments may increase reliance on a single vendor’s silicon and firmware for critical trust anchors. Diversification strategies and backup/mitigation plans should be considered.
  • Performance vs. workload realities: Reported peak throughput numbers are useful for marketing; real-world application throughput depends on algorithm mix, network latency, concurrency patterns, and provisioning model.

What buyers and security teams should ask (practical checklist)

  • Confirm the certificate artifacts and scope:
      • Ask for the full FIPS 140-3 certificate, Common Criteria certificate (including protection profile), and eIDAS QSCD certification details, including evaluated firmware and configuration.
  • Validate the evaluated configuration:
      • Confirm that the cloud service configuration you will use (region, service tier, provisioning model) is covered by the certification scope.
  • Request measured performance under your workload:
      • Ask for benchmark results using your algorithm mix (RSA/ECC/AES-GCM or others), key sizes, and concurrency levels.
  • Confirm multi-tenant isolation guarantees:
      • Obtain details on partitioning, tenant separation, backup/restore protections, and key export policies.
  • Review operational controls and audit logs:
      • Ensure sufficient logging, remote attestation, and forensic capabilities for audits and incident response.
  • Clarify contractual and legal considerations:
      • Verify liability, data sovereignty, and law-enforcement access clauses that apply to keys and crypto operations.
  • Verify firmware and update policies:
      • Understand how firmware updates are tested, approved, and rolled out, and whether updates can alter certification status.
  • Plan for migration and exit:
      • Define key export, rotation, and secure retirement processes to avoid vendor lock-in risks.
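The certification-scope check from the buyer actions above and the first two checklist items, as an added example (not code from Microsoft, Marvell or the Azure Cloud HSM service): it reads a token's identity through a PKCS#11 module and compares it with the configuration named on the certificate. The python-pkcs11 package, the module path and the evaluated versions are assumptions; the version values are constructed placeholders standing in for the real certificate artifacts.

```python
"""Compare what a PKCS#11 token reports about itself with the configuration
named on its certificate. Added example, not code from Microsoft, Marvell or
the Azure Cloud HSM service. Assumes the python-pkcs11 package; the module
path and the evaluated versions are placeholders to replace with values from
the actual FIPS 140-3 / Common Criteria certificate artifacts."""
from dataclasses import dataclass

try:
    import pkcs11  # optional: check_scope() itself runs without a token
except ImportError:
    pkcs11 = None

@dataclass(frozen=True)
class TokenIdentity:
    manufacturer: str
    model: str
    hardware_version: tuple  # PKCS#11 CK_VERSION as (major, minor)
    firmware_version: tuple

@dataclass(frozen=True)
class EvaluatedConfig:
    """The exact product identity an evaluation certificate covers."""
    manufacturer: str
    model: str
    hardware_versions: frozenset  # set of (major, minor) tuples
    firmware_versions: frozenset

def read_token_identity(module_path, slot_index=0):
    """Read the live token's identity through the vendor's PKCS#11 module."""
    if pkcs11 is None:
        raise RuntimeError("python-pkcs11 is not installed")
    token = pkcs11.lib(module_path).get_slots(token_present=True)[slot_index].get_token()
    return TokenIdentity(token.manufacturer_id.strip(), token.model.strip(),
                         tuple(token.hardware_version), tuple(token.firmware_version))

def check_scope(token, cert):
    """Return every way the token falls outside the evaluated configuration;
    an empty list means the certificate's scope covers this token."""
    problems = []
    if token.manufacturer != cert.manufacturer:
        problems.append(f"manufacturer {token.manufacturer!r} != {cert.manufacturer!r}")
    if token.model != cert.model:
        problems.append(f"model {token.model!r} != {cert.model!r}")
    if token.hardware_version not in cert.hardware_versions:
        problems.append(f"hardware version {token.hardware_version} not evaluated")
    # Certificates list exact firmware builds; a newer build is not covered
    # merely because it is newer, so this is a membership test, not ordering.
    if token.firmware_version not in cert.firmware_versions:
        problems.append(f"firmware version {token.firmware_version} not evaluated")
    return problems

# Constructed placeholder values, not taken from any real certificate.
EXAMPLE_CERT = EvaluatedConfig("ExampleHSM Vendor", "ExampleHSM-PCIe",
                               frozenset({(2, 0)}), frozenset({(3, 1), (3, 2)}))
COVERED_TOKEN = TokenIdentity("ExampleHSM Vendor", "ExampleHSM-PCIe", (2, 0), (3, 2))
# Same card after a firmware update the certificate does not list.
UPDATED_TOKEN = TokenIdentity("ExampleHSM Vendor", "ExampleHSM-PCIe", (2, 0), (3, 3))
```

Against a live cluster, pass the result of read_token_identity() with the vendor's module path to check_scope(); partition counts and provisioning model are not visible through PKCS#11 and must be checked against the certificate text separately.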

Integration and migration considerations

  • API compatibility: Azure Cloud HSM platforms typically support PKCS#11, JCE/JCA, OpenSSL engines, and other standard APIs to make migration straightforward for many applications.
  • Latency and topology: Single-tenant HSM clusters are connected via private links into customer VNets. Architects should account for network hops and regional placement to meet latency SLAs.
  • High availability and replication: Understand HSM cluster high-availability models—how keys are synced, backup and restore mechanisms, and how failover is managed without compromising key security.
  • Key lifecycle: Map your key provisioning, rotation, archival, and destruction processes to the cloud provider’s capabilities to ensure continuous compliance.
  • Hybrid and multi-cloud: If your environment spans multiple clouds or includes on-premise HSMs, determine how key material will be synchronized or split across deployments securely.

Final analysis and outlook

The extension of Marvell LiquidSecurity into a broader set of Azure cloud security services in Europe marks a notable step toward mainstreaming certified cloud-based HSMs for regulated workloads. By combining FIPS 140-3 Level 3 assurances, Common Criteria evaluation, and eIDAS-relevant capabilities with a high-density PCIe adapter architecture, cloud providers can now present a compelling alternative to on-premises HSMs for legal-grade signatures, national identity workflows, PKI, payments, and other high-assurance applications.
Strengths
  • Regulatory parity: The combination of FIPS, Common Criteria, and eIDAS support narrows the gap between on-prem and cloud HSM assurances.
  • Operational efficiency: Dense PCIe adapters and DPU-accelerated cryptography promise lower space, power, and TCO for cloud operators and customers.
  • Scalable model: Partitioning and high key density enable service providers to host many customers while preserving hardware-backed key protection.
Caveats and risks
  • Certification scope and governance: Certifications must be matched to the evaluated configuration. Buyers need certificate artifacts and precise scope statements.
  • Real-world performance variability: Marketing throughput figures are workload-dependent; buyers should request workload-specific benchmarks.
  • Jurisdictional nuances: eIDAS acceptance and QTSP recognition can vary by national scheme; legal teams should confirm cross-border enforceability.
Practical recommendation: organizations planning to migrate legally sensitive or regulated cryptographic workloads to the cloud should engage the cloud provider and the HSM supplier early. Obtain evaluated configuration artifacts, request workload-specific performance data, and bake auditability and incident response into procurement terms. Where critical, run a pilot validating the end-to-end flow: provisioning keys, signing documents according to your workflows, measuring latency/throughput, and proving the legal acceptance of signatures in the jurisdictions you operate in.

The movement toward certified, cloud-native HSM services is an important inflection point for cloud sovereignty and legal compliance. When underpinned by verifiable certification artifacts and matched to a careful operational model, cloud HSM-as-a-service can dramatically simplify secure digital workflows—from cross-border contract signing to national identity programs—while reducing the cost and complexity of maintaining hardware across distributed locations.

Source: embedded.com https://www.embedded.com/microsoft-broadens-european-cloud-security-capabilities/