Marvell LiquidSecurity Expands EU Cloud HSM with eIDAS and Common Criteria in Azure

Marvell’s LiquidSecurity HSMs have taken a meaningful step into Europe after Microsoft expanded the use of Marvell-powered hardware security across Azure’s European cloud footprint — a move underpinned by recent eIDAS and Common Criteria EAL4+ certifications that materially broaden Azure’s ability to offer regulated, sovereign-grade cryptographic services.

Background / Overview

Microsoft’s Azure Key Vault, Azure Key Vault Managed HSM and Azure Cloud HSM services already relied on Marvell’s LiquidSecurity adapters in parts of Asia and North America. The new announcement confirms expanded use cases in Europe, notably enabling Azure to present certifiable services for cross-border contract signing, identity verification, trusted timestamping and other regulated transactions that require legally accepted digital signature creation and key custody.

This isn’t a simple OEM supply win. It pairs three separate dynamics that matter to enterprise and government buyers:
  • The rollout of cloud-based HSM-as-a-service offerings, which reduce operational overhead vs. running on-prem appliances.
  • The attainment of eIDAS (European electronic ID/Trust Services) and Common Criteria EAL4+ certifications, which unlock specific trust-service use cases in EU member states.
  • The use of a modern, PCIe form-factor HSM architecture powered by Marvell’s OCTEON DPUs, offering a compact, low-power alternative to traditional rack-mounted HSM appliances.

What Marvell and Microsoft announced

The core elements of the expansion

  • Microsoft has expanded the set of Azure cloud security services that use Marvell LiquidSecurity HSM adapters to cover additional European capabilities and regulatory use cases.
  • The certifications that make this possible include eIDAS compliance under an applicable national scheme (allowing LiquidSecurity to be used where Qualified Signature Creation Device — QSCD — status is required) and Common Criteria EAL4+ evaluation, which is a baseline for many EU public-sector and trust-service uses.

The product facts verified

  • LiquidSecurity HSMs are delivered as PCIe-based adapters intended for dense cloud racks rather than 1U/2U standalone HSM appliances. They are engineered for cloud-scale multi-tenant or single-tenant HSM-as-a-service deployments.
  • These adapters rely on OCTEON DPUs as the processing substrate, pairing cryptographic acceleration, partitioning and DPU-managed I/O for a compact, low-power implementation.
  • Marvell and Microsoft previously certified LiquidSecurity to FIPS 140-3 Level 3 and have continued certification work to meet European protection profiles and Common Criteria expectations.

Why this matters: business and technical implications

For regulated services and trust providers

The combination of eIDAS and Common Criteria EAL4+ is more than a compliance checkbox — it is an enabler for cloud-hosted qualified trust services:
  • Qualified electronic signatures and seals (QSCD-qualified) can be produced and legally upheld in many EU contexts when HSMs meet the required protection profiles.
  • Trust Service Providers (TSPs) and public sector bodies can now consider Azure-managed HSM offerings for workflows that historically required on-prem QSCD appliances or expensive appliance-as-a-service models.

For enterprise IT and cloud architects

  • Cloud-based HSMs reduce operational burdens — patching, clustering, redundancy and physical tamper evidence — by shifting responsibility to the cloud provider while keeping cryptographic operations inside a hardware root of trust.
  • The PCIe adapter form factor and DPU integration lower rack space and power per HSM instance compared with classic 1U HSM appliances, which helps hyperscalers and cloud tenants scale key services at a lower TCO.

For sovereign cloud and confidential computing strategies

  • Azure’s sovereign-cloud initiatives — local processing, operator-governed access controls, and local personnel commitments — pair naturally with certified HSM hardware. Combining confidential compute with certified HSMs gives regulated buyers a layered model for protecting data in use and the keys that unlock it.

Technical verification: what is certified and what to validate

The announcements and product pages confirm the following technical claims; procurement teams should still validate each item for their own risk profile.
  • FIPS 140-3 Level 3: LiquidSecurity models were certified to FIPS 140-3 Level 3, a US/NIST standard many regulated customers require for cryptographic modules. This certification has been publicized and referenced in vendor materials.
  • eIDAS / QSCD: Azure Managed HSM and Key Vault Premium devices using Marvell adapters have been validated for eIDAS in at least one national scheme, enabling QSCD-capable services for certain trust workflows. Customers dependent on national differences should validate the specific scheme and scope with Microsoft for their jurisdiction.
  • Common Criteria EAL4+: Marvell reports Common Criteria EAL4+ certification for LiquidSecurity under relevant protection profiles, which aligns with expectations for many EU public-sector procurements. Confirm the certificate numbers, protection profile (EN 419221-5 or similar), and the testing lab used for independent assurance.

What to validate in procurement:
  • Confirm the exact certificate artifacts (certificate IDs, evaluation lab, date of issue, protection profiles) and request copies.
  • Confirm the operational model — whether keys reside exclusively in a dedicated HSM partition, whether Microsoft manages key escrow, and precisely how BYOK (Bring Your Own Key) and key-revocation events are handled.
  • Request attestation and audit artifacts demonstrating that the deployed HSM firmware and adapter models used in the Azure region match the certified hardware/firmware combination.

Strengths — what is notable and valuable

  • Regulatory reach: eIDAS and Common Criteria EAL4+ matter. They unlock legally-sensitive use cases such as cross-border contract signing and national ID verification services that previously forced workloads to remain on-prem or in local QSCD appliances.
  • Hyperscaler integration: Microsoft’s adoption across Key Vault, Managed HSM and Cloud HSM services reduces the integration effort for enterprises wanting a cloud-native key-management posture. This is a meaningful convenience and accelerates time-to-value.
  • Form-factor and efficiency: PCIe HSM adapters powered by DPUs can reduce space, power and management costs in cloud racks compared with legacy 1U/2U HSM appliances — a practical advantage for both hyperscalers and cloud tenants.
  • Ecosystem momentum: This win is part of a broader trend where hyperscalers embed hardware roots of trust (HSMs, DPUs, SoC-level security) into cloud services to meet high-assurance workloads — a shift that increases options for regulated buyers while preserving cloud-scale economics.

Risks and limitations — what the headlines omit

  • Certification scope and geographic variance: eIDAS is a European framework but implemented through national schemes and protection profiles. A device certified for one scheme does not automatically guarantee identical legal acceptance in every EU country — legal acceptance depends on national implementation and specific service contracts. Procurement teams must confirm exactly which national scheme and legal use cases the certificate covers.
  • Jurisdictional and legal exposure: Certificates and local operational controls reduce risk but do not eliminate jurisdictional legal risk (e.g., cross-border legal process or law-enforcement requests). Operational localization is a governance improvement, not a legal panacea.
  • Vendor lock-in and portability: Moving from appliance-based models to cloud-managed HSMs can increase vendor coupling — portability of key materials and migration/exit plans must be contractual obligations, not just best-effort statements.
  • Supply-chain and firmware lifecycle: Certified hardware is certified with a specific firmware/bitstream. Firmware updates, supply-chain substitutions, or replacement part sourcing can affect the continued applicability of a certification; customers must insist on change-control notifications and re-attestation rights in contracts.
  • Performance and operational transparency: Hyperscaler-managed HSMs often abstract details about throughput, latency, and partitioning semantics. High-throughput signing services (e.g., massive Certificate Authorities, time-stamping services) should validate performance and SLAs under realistic loads before migration.
  • Investor and market risks for Marvell: While this security traction is strategically important, Marvell’s stock performance and investor concerns about custom AI chip timelines create an overlay of market risk for customers and partners assessing Marvell’s long-term supply and R&D continuity. Analysts have projected strong AI revenue growth, but that outlook coexists with volatility and skepticism in some quarters.

Market and strategic context

Marvell’s LiquidSecurity expansion into Europe should be read alongside several industry trends:
  • Hyperscalers are increasingly embedding hardware security into platform stacks and offering managed HSM services that claim parity with on-prem QSCD devices — a strategic move to win regulated workloads.
  • Certified HSMs that meet both FIPS and eIDAS/Common Criteria requirements create a competitive advantage for public-cloud providers courting government, fintech and identity industries.
  • For chip vendors, wins like this support a narrative of being infrastructure enablers for sovereign and regulated cloud services; however, the broader commercial story depends on design-win follow-through and long-term supply commitments.

Practical guidance for security, compliance, and procurement teams

Adopt a staged validation and contractual approach before moving mission-critical eIDAS or QSCD workloads to a cloud-managed HSM.
  • Step 1: Request and verify certificates
      • Obtain the full certification artifacts for FIPS, eIDAS and Common Criteria (certificate numbers, protection profiles, lab/test reports).
      • Confirm the firmware and hardware models listed on the certificates match what will run in the target Azure region.
  • Step 2: Define key custody and recovery semantics
      • Clarify BYOK, key import/export, escrow and backup expectations.
      • Validate HSM partitioning semantics and ensure separation/sole-control requirements are enforced where mandated.
  • Step 3: Performance and availability testing
      • Run production-like signing and key-operation load tests to validate latencies, throughput and failover behavior.
      • Validate SLAs for HSM availability, recovery times, and multi-zone redundancy.
  • Step 4: Contractual and audit rights
      • Negotiate independent audit rights, tamper-evident logging access, and notification timelines for cross-border legal requests.
      • Insist on change-control clauses for firmware/part substitutions and re-certification requirements.
  • Step 5: Exit and portability
      • Define specific escape hatches — how keys and cryptographic workflows migrate off Azure HSM if required.
      • Consider escrow strategies and offline recovery procedures for critical long-term archives.

This approach reduces surprises and turns a marketing badge into operational assurance.

The investor angle: traction vs. skepticism

Marvell’s Azure collaboration is strategically valuable and gives the company an expanded commercial footprint into regulated European markets. Analysts at major firms have highlighted significant AI and cloud-related growth opportunities for Marvell, projecting that AI-related revenues could more than double in coming quarters — a bullish narrative that supports long-term upside potential. At the same time, investor skepticism has appeared around custom-chip delivery timelines and cyclical weaknesses in non-data-center verticals, creating visible share-price volatility in 2025. That market context matters for customers that plan multi-year, strategic procurements — supplier stability, long-term support and R&D continuity are part of vendor risk assessments.

How this changes the cloud HSM landscape

  • Cloud providers now have a stronger, certified HSM story for European trust services, narrowing the gap between on-prem QSCD appliances and cloud-managed HSM-as-a-service.
  • Smaller TSPs and national trust providers gain alternative deployment modes: rather than procuring, hosting and operating on-prem appliances, they can outsource cryptographic infrastructure while preserving legal and cryptographic assurances — but only after careful certification and contractual verification.
  • The physical efficiency of PCIe adapter HSMs and DPU-driven offloads lowers unit cost for cloud operators and could accelerate wider availability and competitive pricing for certified HSM services.

Conclusion

The expansion of Marvell’s LiquidSecurity HSMs into Microsoft Azure’s European services is an important practical step toward making cloud-hosted, legally recognized trust services a mainstream option for enterprises and governments. The twin certifications — eIDAS and Common Criteria EAL4+ — materially widen the range of regulated workloads that can plausibly move to a cloud-managed HSM model. The technical approach — PCIe-based adapters driven by OCTEON DPUs — offers hyperscalers a denser, lower-power path to scale HSM services and lowers the total-cost-of-ownership for certain trust-service workloads.

That said, the practical value for any organization will depend on careful verification: confirm certificate scopes and artifacts, test performance and failover under load, demand contractual audit and change-control rights, and build clear portability plans. These are the steps that turn a headline security “win” into a workable, durable option for legally and regulatorily sensitive cloud services.

Source: Benzinga Marvell Technology Scores Major Security Win with Microsoft Azure in Europe - Marvell Tech (NASDAQ:MRVL)