Marvell LiquidSecurity HSMs Earn eIDAS and EAL4+ Certs, Azure Expands Europe

Marvell’s LiquidSecurity HSMs have cleared two major European security hurdles—eIDAS and Common Criteria EAL4+—and Microsoft has expanded the range of Azure cloud services that use those HSMs in Europe, a move that tightens the bridge between custom security silicon and sovereign cloud compliance while reshaping how organizations think about key management, digital signatures and high‑assurance identity services in the public cloud.

Background

Why this matters now

Hardware Security Modules (HSMs) are the root of trust for cryptographic systems: they generate, store and use private keys inside tamper‑resistant hardware so sensitive operations—digital signing, PKI root key custody, payment‑card cryptography and identity issuance—can be performed without exposing keys to software. The EU’s eIDAS framework and Common Criteria evaluations are critical gatekeepers for any cloud service that wants to support legally binding electronic signatures, passport-level identity verification, or qualified trust services for European public sector and regulated industries. Marvell’s announcement and Microsoft’s subsequent expansion together lower a practical barrier: cloud tenants can consume high‑assurance key services without owning the physical HSMs.

What was announced

  • Marvell said Microsoft has expanded Azure’s use of Marvell LiquidSecurity HSMs in Europe, enabling new cloud use cases such as cross‑border contract certification and identity document verification.
  • Marvell states LiquidSecurity achieved both eIDAS and Common Criteria EAL4+ certifications earlier in the year; Microsoft confirmed it uses Marvell LiquidSecurity hardware for Azure Key Vault, Azure Key Vault Managed HSM and Cloud HSM services.

Overview: LiquidSecurity, Azure Key Vault and the changing HSM landscape

What is Marvell LiquidSecurity?

Marvell’s LiquidSecurity family consists of cloud‑optimized HSMs built as PCIe cards (and adapters) that use Marvell’s OCTEON DPUs for cryptographic offload. They’re designed for dense, multi‑tenant data center deployments rather than the classic 1U/2U dedicated HSM appliances still common in on‑premises data centers. Marvell markets LiquidSecurity 2 as able to manage up to 1 million encryption keys and to process more than 1 million operations per second per adapter, with multi‑partition isolation for tenant separation.

Where Azure fits in

Microsoft has long offered multiple HSM‑backed key management options—Azure Key Vault (Standard and Premium tiers), Azure Key Vault Managed HSM (multi‑tenant, managed), and Azure Cloud HSM (single‑tenant HSM clusters). Microsoft’s documentation and product pages explicitly identify Marvell LiquidSecurity as the hardware used in Azure’s managed HSM pools and cite FIPS 140‑3 Level 3 validation for the firmware and hardware backing those services. That integration lets Microsoft expose HSM functionality as a service while acting as the operational owner of the HSM fleet and firmware lifecycle.

Technical snapshot: performance, density, and design trade‑offs

Key hardware characteristics

  • Form factor: PCIe‑based HSM adapters, enabling high density and rack efficiency compared with networked appliance HSMs.
  • Compute substrate: OCTEON Data Processing Units (DPUs) optimized for cryptographic offload.
  • Scalability claims: Up to 1 million keys per adapter and >1M operations/sec at the adapter level—figures Marvell uses to explain how cloud providers can offer HSM functions at hyperscale with lower power and space impact.

What this design buys the cloud provider

  • Density and efficiency: PCIe adapters permit many HSMs per rack server or blade, reducing rack units and cooling and improving cost per key operation.
  • Multi‑tenant partitions: Software and partitioning within the HSM boundary enable providers to carve isolated partitions for customers, offering the operational flexibility of cloud services.

What this means for customers

  • Customers who previously needed to host their own HSMs (and manage hardware lifecycle) can shift to subscription HSM models with a provider‑managed fleet while still benefiting from hardware‑backed cryptography and, crucially for some, certified assurances under eIDAS or Common Criteria. Microsoft’s product documentation now lists Marvell LiquidSecurity hardware in the chain of trust for Azure Key Vault’s Premium tier and Managed HSM services.

Certifications: eIDAS, Common Criteria EAL4+ and FIPS 140‑3 — what they cover and what they don’t

The three pillars

  • FIPS 140‑3 Level 3: U.S./NIST standard for cryptographic modules; Level 3 implies tamper response and physical protections stronger than Level 1/2. Microsoft and Marvell have already announced LiquidSecurity FIPS 140‑3 Level‑3 validation and use in Azure.
  • Common Criteria EAL4+: An international evaluation level (often used for commercial products) that provides assurance about the development process and testing of the product; the “+” denotes augmentation with certain protection profile requirements. Marvell states LiquidSecurity has achieved EAL4+.
  • eIDAS (QSCD): The EU eIDAS regime requires Qualified Signature Creation Devices (QSCDs) for certain qualified electronic signature use cases; Microsoft and Marvell say Azure’s Managed HSM/Key Vault premium devices have the eIDAS QSCD certification under the Austrian scheme, enabling eIDAS‑grade signing in the cloud.

Why multiple certifications matter

Each certification addresses different audiences and legal/regulatory needs: FIPS is broadly required by U.S. federal and some financial clients; Common Criteria/EAL4+ and the eIDAS QSCD designation speak directly to EU trust‑service providers, qualified signatures, and cross‑border legal recognition. For cloud vendors trying to enable identity and signature services at scale in Europe, having hardware that fits the eIDAS protection profile and Common Criteria expectations is a necessary condition to support qualified signatures from a cloud platform.

Verification and limits — what the public record does and doesn’t show

  • Microsoft public documentation and the Microsoft Community Hub post explicitly state that Azure Managed HSM and Azure Key Vault Premium devices are now eIDAS compliant and that Microsoft worked with Marvell to validate LiquidSecurity. That confirmation from the cloud operator is an important independent corroboration of Marvell’s claim.
  • Marvell’s press release and product pages list Common Criteria EAL4+ among LiquidSecurity’s certifications. However, detailed Common Criteria certificate artifacts—such as the certificate number, evaluation lab, protection profile references or the evaluator’s assurance report—are not always published in the marketing announcement. Procurement teams should request the formal certificate and scope statement when relying on these claims in a formal compliance assessment. This article flags that as a verification gap.

Use cases unlocked by eIDAS + EAL4+ in cloud HSMs

  • Qualified electronic signatures for cross‑border contracts: Cloud‑hosted qualified signing services become practical where HSMs meet the QSCD and Common Criteria profiles the regulator expects, enabling legal‑grade signatures without per‑customer on‑prem HSM appliances.
  • Identity document verification & passport services: Trust services that need to sign or validate identity assertions at scale can integrate with Azure’s HSM‑backed key‑management to reduce operational overhead.
  • Government, sovereign and regulated industry workloads: Banking, payments (PCI), healthcare and government can use cloud‑based HSM services while meeting common certification baselines—provided the full scope and contractual terms align with their procurement rules.

What enterprises and procurement teams should verify before relying on these claims

Even when vendors and cloud providers publish certifications, responsible IT buyers should validate at procurement time. Key checks include:
  • Request the formal certificate PDF(s), including the certificate number, issuing national scheme or certification body, protection profiles referenced, issue and expiry dates, and the evaluated configuration scope.
  • Confirm the certification scope: which firmware versions, HSM adapter SKUs, and which physical data centers / Azure regions are included. Certificates may apply to hardware in specific configurations only.
  • Validate the auditor or evaluation laboratory (which national IT security authority or accredited lab performed the CC evaluation) and request the evaluation summary or assurance reports where available.
  • Insist on contractual protections for key sovereignty: customer‑managed keys (BYOK/CMEK), clear key‑escrow and revocation procedures, and the right to audit.
  • Check service‑level documentation on firmware lifecycle, firmware signing, and the cloud provider’s process for deploying firmware updates across the HSM fleet.

Microsoft’s own support and product pages make clear that the cloud operator controls the firmware lifecycle and that hardware/firmware identity is not surfaced at the tenant API level, meaning verification often requires documentation from the provider, not just API calls. Procurement should get that evidence in writing.

Benefits and strengths of the Marvell + Microsoft combination

  • Scale and economic efficiency: Marvell’s adapter approach promises higher key density and lower power/space footprint than classical HSM appliances, which matters at hyperscaler volumes and for customers seeking pay‑as‑you‑consume economics.
  • Regulatory reach: Achieving eIDAS QSCD readiness and Common Criteria EAL4+ opens European legal use cases to cloud HSMs—especially relevant for identity, trust services and public sector contracts. Microsoft’s public confirmation broadens confidence for Azure customers.
  • Operational simplicity: Moving from hardware ownership to a managed HSM model reduces the buyer’s operational burden (hardware refreshes, HA clustering, firmware management) and accelerates adoption.

Risks, caveats and the legal/jurisdictional context

No certification or engineering feat eliminates risk. Here are the most material caveats:
  • Certification is scope‑limited and point‑in‑time: Certifications commonly apply to specific firmware versions, hardware SKUs and defined deployment models. Marketing copy can overgeneralize; the certificate’s scope determines actual legal usability. Buyers should obtain the certificate and scope statement. Flagged: Marvell’s and Microsoft’s announcements confirm certification in public statements, but formal certificate artifacts should be requested for procurement evidence.
  • Jurisdictional complexity and extraterritorial law: Technical residency and device certification reduce risk for data sovereignty but do not always eliminate legal exposure under extraterritorial orders (e.g., foreign lawful‑access statutes). Key control mechanisms (CMEK/BYOK, encryption where only the customer controls decryption) remain essential mitigations. Independent legal advice remains necessary for sensitive sovereign workloads.
  • Shared responsibility models: The cloud provider can supply certified HSMs, but tenants retain responsibility for configuration, access control, identity lifecycle and how keys are used. Improper tenant configuration can nullify the value of underlying certified hardware. Microsoft’s and Marvell’s marketing does not change the operational reality: certifications help but do not replace governance, logging and operational controls.
  • Transparency and auditable evidence: Some cloud services do not expose low‑level HSM identifiers to tenants; while this centralization simplifies operations, it reduces per‑tenant visibility. Procurement should demand attestation letters, SOC/ISO reports and the right to audit key custody processes. Microsoft’s public guidance acknowledges firmware and hardware management is centralized by the provider—plan accordingly.

Practical recommendations for WindowsForum readers and IT buyers

  • Treat the certification announcements as necessary but not sufficient evidence for compliance: always obtain the certificate PDFs, auditor names, scope statements and firmware‑version bindings.
  • If eIDAS qualified signatures are a must, require explicit proof that the HSM configuration you will use is in the certified configuration and that the signature creation and QA procedures map to the eIDAS QSCD requirements. Ask vendors for a mapping matrix tied to EN 419221‑5 and related protection profiles.
  • Favor contractual controls that preserve key sovereignty where legal risk is material: CMEK or BYOK, robust key rotation and revocation processes, and express DPA clauses about jurisdiction and data residency.
  • Use cloud HSMs for scale and cost efficiency but retain a hybrid option for extreme threat models: on‑prem QSCD devices or split‑key architectures mitigate some legal and operational exposures that a fully managed service cannot.

Market implications and vendor dynamics

Marvell’s progress underscores a broader industry trend: hyperscalers and silicon vendors are converging to design purpose‑built, high‑density HSM silicon that meets both performance and assurance requirements. Cloud providers win by being able to offer certified, high‑assurance services at scale; hardware vendors win by embedding into that cloud supply chain. Analysts cited in the Marvell release frame this as a growth path for cloud HSM market share and an enabler for new trust‑service offerings in the EU and beyond. The competitive space will remain dynamic, with incumbent HSM appliance vendors (e.g., Thales, Utimaco and others) also pursuing EAL/eIDAS certifications and managed‑HSM integrations.

Conclusion

Marvell’s LiquidSecurity certifications and Microsoft’s expanded Azure use cases mark a meaningful step toward making certified HSM capabilities available as a cloud service across Europe. For organizations that need eIDAS‑grade qualified signing and high‑assurance identity services, this reduces the operational and capital friction of deploying on‑prem HSM appliances and opens paths to scale.
That said, the certifications do not obviate the need for due diligence: certificates are configuration‑ and firmware‑specific, providers control firmware lifecycles and legal jurisdiction issues remain. Buyers should treat these announcements as a practical enabler—and an invitation to verify certificates, scope and contractual protections—before migrating legally sensitive signing, identity issuance or sovereign workloads to any managed HSM service.

Source: Stock Titan Marvell (NASDAQ: MRVL) gains eIDAS, CC EAL4+ for LiquidSecurity in Azure Europe
 
