BSI Compliance

Substitute Scanning with BSI TR-RESISCAN — legally compliant with Docuflair.

Docuflair TR-RESISCAN — the software for TR-03138-compliant scanning

Digitise paper originals and dispose of them safely: BSI-compliant transfer note, digital signature and process documentation — all from one software. Meets the requirements of BSI TR-03138 (RESISCAN) Version 1.5.

See It Live View Pricing
Docuflair TR-RESISCAN - User Interface

Substitute Scanning with Legal Certainty

With Docuflair TR-RESISCAN, your digital copy receives the same legal evidential value as the paper original.

BSI Conformity

Full compliance with the Technical Guideline TR-RESISCAN from the German Federal Office for Information Security.

Legal Evidential Value

Digital documents receive the same legal standing as the paper original through substitute scanning.

Complete Traceability

Comprehensive audit trail documents every step of the scanning process for maximum transparency.

Quick Setup

A single software installation is all it takes. No complex infrastructure required.

Docuflair TR-RESISCAN in Action

See how simple legally compliant scanning can be

The TR-RESISCAN-Compliant Scanning Process

From authentication to digital signature

1. User Authentication

Login at the device before scanning for clear identification

2. Document Capture

Scanning with preview directly at the multifunction device

3. Web-Based Visual Inspection

Visual verification and quality control in the browser

4. Transfer Note

Automatic documentation of the scanning process with all relevant metadata

5. Digital Signature

Legally binding signature of the PDF/A document

Legal Certainty from the First Scan

Everything for legally compliant and BSI TR-03138 compliant scanning

Automatic Transfer Note

  • Documentation of scan time and date
  • Recording of device data and scan parameters
  • Logging of the performing person
  • Storage of all processing results

Web-Based Visual Inspection

  • Visual quality verification in the browser
  • Comparison with original document
  • Approval or rejection of the scan
  • Documented confirmation of verification

Digital Signature

  • Legally binding digital signing
  • PDF/A format for long-term archiving
  • Tamper protection through cryptography
  • Customer certificate deployable
  • Integration with certificate infrastructure

Timestamp Function

  • Tamper-evident time proof per document
  • External TSA server configurable
  • Compatible with RFC 3161 services
  • Qualified timestamps (QTS) per eIDAS supported

Additional Compliance Benefits

User Authentication

Secure login at the device before each scan for unambiguous attribution.

Preview at Device

Immediate verification of scan results directly at the multifunction device.

Metadata Capture

Automatic logging of scan time, device data and processing results.

PDF/A Format

Archive-ready format for long-term storage and readability.

Complete Audit Trail

Comprehensive documentation of all steps for compliance and auditing.

Easy Installation

One software, quick setup, no complex infrastructure required.

BSI Technical Guideline

What is BSI TR-03138 (TR-RESISCAN)?

The Technical Guideline from the German Federal Office for Information Security for substitute scanning

Definition & Purpose

BSI TR-03138 (Technical Guideline for Substitute Scanning - RESISCAN) defines security-relevant technical and organisational measures for scanning processes where the paper original is to be destroyed after digitisation.

The aim is to ensure the evidential value of the scan product is as close as possible to that of the original.

  • Current version: 1.5 (December 2024)
  • Publisher: German Federal Office for Information Security (BSI)
  • Legal references: Section 7 EGovG, Section 371b ZPO

Structure of the Guideline

TR-RESISCAN consists of the main document and several annexes:

  • Main document: All requirements and measures
  • Annex P: Normative test specification for conformity assessment
  • Annex A: Results of risk analysis
  • Annex R: Non-binding legal notes
  • Annex V: Sample procedure instruction
  • Annex F: Frequently asked questions (FAQ)

NEW in Version 1.5: Mobile Substitute Scanning

Version 1.5 extends TR-RESISCAN to include the option of mobile substitute scanning. You can now substitute-digitise paper originals using mobile devices (smartphone, tablet) with a suitable scanning app.

Module Concept

Modular Requirements Structure

TR-RESISCAN uses a modular system of base and extension modules

Base Module

Basic requirements for all protection categories

  • Basic process requirements
  • Minimum scanner requirements
  • Documentation and logging
  • Quality assurance and visual inspection
  • Transfer note creation
Mandatory for all protection levels

Extension Module Integrity

Additional measures for high protection needs

  • Extended integrity protection
  • Cryptographic hash values
  • Digital signatures
  • Tamper protection
  • Four-eyes principle for approval
When integrity is "high" or "very high"

Extension Module Confidentiality

Measures to protect sensitive data

  • Encrypted transmission
  • Access controls
  • Secure storage
  • Authorisation concept
  • Audit logging
When confidentiality is "high" or "very high"
Protection Needs Assessment

Protection Requirement Categories

The protection requirement determines the necessary modules and measures

Normal

Standard

The damage impact is limited and manageable. Standard business documents without special requirements.

Base module sufficient

High

Extended

The damage impact can be considerable. Documents with legal relevance or personal data.

+ Extension modules required

Very High

Critical

The damage impact can be existential. Highly sensitive documents, critical infrastructure records.

All modules + extended measures

Protection Goals

Assessment

You determine the protection requirement separately for each of the three protection goals:

  • Integrity: Protection against manipulation
  • Confidentiality: Protection against unauthorised access
  • Availability: Permanent access
Legal Basis

Legal Framework References

TR-RESISCAN as "state of the art" in German legislation

Section 7 EGovG

Federal Law

The E-Government Act requires German federal agencies to maintain electronic records. Section 7 references TR-RESISCAN as the state of the art for substitute scanning.

Mandatory for federal agencies

Section 371b ZPO

Civil Procedure Code

The Code of Civil Procedure governs the evidential value of scanned public documents. Courts recognise TR-RESISCAN-compliant scans as evidence.

Evidential value in court

GoBD

Tax Law

The Principles of Proper Accounting and Record-Keeping govern digital bookkeeping. TR-RESISCAN complements the tax law requirements.

Tax recognition

E-Justice

Legal System

Courts accept substitute-scanned documents as evidence via electronic legal communication, in accordance with TR-RESISCAN.

Electronic legal communication
Conformity Evidence

Paths to TR-RESISCAN Conformity

Various options for demonstrating guideline conformity

BSI Certification

Official confirmation by the BSI

Comprehensive assessment of all requirements in Annex P by accredited test centres. Highest level of evidence.

  • Complete conformity assessment
  • On-site audit required
  • Regular recertification
Highest level of evidence

TR-RESISCAN Ready

Practice-oriented VOI-CERT certification

Alternative to BSI certification with reduced effort. Assessment based on Annex P of TR-RESISCAN.

  • More cost-effective than BSI certification
  • Practice-oriented assessment
  • Suitable for SMEs and mid-market
Ideal for enterprises

Self-Declaration

Self-responsible conformity declaration

The organisation declares TR-RESISCAN compliance on its own responsibility. Sufficient for many tenders.

Sufficient for many cases

No Certification Obligation

TR-RESISCAN serves as a practice-oriented guideline for proper scanning processes - without mandatory certification. Docuflair supports you on all three paths to conformity.

Required Document

Process Documentation: The Foundation of TR-RESISCAN

No legally compliant substitute scanning without process documentation (Verfahrensdokumentation, VDU) — regardless of the chosen conformity path

What belongs in a VDU?

The process documentation describes all workflows, roles and controls of your scanning process. It is a mandatory component of BSI TR-03138 and proves to auditors, courts and tax authorities that your digitisations were created with full legal certainty.

  • Organisational: responsibilities, roles, training records
  • Technical: scanner configuration, software version, protection measures
  • Procedural: intake, scanning, visual inspection, release, destruction
  • Protection needs: classification of integrity, confidentiality, availability
  • Contingency: error, exception and recovery procedures

How does Docuflair help with the VDU?

Docuflair TR-RESISCAN delivers the technical and procedural building blocks of your VDU as automated evidence: transfer note, audit trail, user and protection-needs logs are preconfigured and aligned with Annex V (sample procedure instruction) of TR-RESISCAN.

  • All mandatory metadata documented in the transfer note
  • Complete audit trail for the audit process
  • Compatible with Annex V (sample procedure instruction)
  • Exportable for your compliance documentation

Practical Guide: Process Documentation Step by Step

Our free practical guide walks you through protection-needs analysis, scanner qualification, VDU creation and audit protocol — with a worked example.

Download the guide for free
Docuflair Solution

How Docuflair Fulfils TR-RESISCAN Requirements

Automated compliance for all modules of the technical guideline

Base Module Requirements

  • User authentication before each scan
  • Automatic capture of all scan parameters
  • Web-based visual inspection with approval workflow
  • Complete transfer note according to BSI specification
  • Logging and audit trail

Extension Module Integrity

  • Cryptographic hash calculation (SHA-256)
  • Digital signature for PDF/A documents
  • Tamper protection through integrity verification
  • Four-eyes principle for approvals configurable
  • Timestamp function with configurable external TSA server

Extension Module Confidentiality

  • TLS-encrypted transmission of all data
  • Granular authorisation concept
  • Active Directory integration
  • On-premises operation without cloud dependency
  • Complete audit logging

Legal Certainty According to BSI Standard

The Technical Guideline RESISCAN defines binding standards for substitute scanning

BSI TR-RESISCAN Requirements

Full compliance with all requirements of the Technical Guideline for substitute scanning.

Tamper-Proof Digitisation

Cryptographically secured document capture prevents subsequent modifications.

Evidential Digital Copies

Digital documents receive the same legal evidential value as the paper original.

Audit-Proof Long-Term Archiving

PDF/A format and digital signature ensure permanent storage.

Complete Traceability

Comprehensive audit trail documents every step of the scanning process.

Digital Signing

Legally binding digital signature guarantees integrity and authenticity.

What is TR-RESISCAN?

Understanding the German standard for legally compliant substitute scanning

German BSI Standard

TR-RESISCAN is a Technical Guideline issued by the German Federal Office for Information Security (BSI). It establishes requirements for the legally compliant digitisation of paper documents.

Substitute Scanning

The guideline enables "substitute scanning" - a process where you digitise paper documents with full legal evidential value, allowing you to safely destroy the original.

International Recognition

While originating in Germany, TR-RESISCAN represents best practice for legally compliant document digitisation applicable to organisations handling German documents or operating in German-speaking markets.

Who is TR-RESISCAN For?

Organisations with high compliance requirements

Government Agencies

Public administrations implementing eAkte and digital services programmes under Section 7 EGovG and BSI specifications.

Law Firms & Notaries

Lawyers and notaries digitising client files and deeds in line with Annex R of TR-RESISCAN for full legal evidential value.

Tax Advisors & Auditors

Practices archiving client records and audit documents in a GoBD- and TR-RESISCAN-compliant manner.

Enterprises & Archives

Companies, clinics and archives with high compliance requirements that need to digitise paper holdings legally.

Measurable Results

Average improvements our customers achieve after implementing Docuflair TR-RESISCAN

100%
BSI TR-RESISCAN Compliant

certified implementation of substitute scanning

0
Paper Archive Needed

digital documents replace originals with full evidential value

Faster Retrieval

of documents compared to the physical archive

100%
Full Traceability

through complete transfer notes and digital signatures

Further Reading

Deepen your knowledge on TR-RESISCAN

What is TR-RESISCAN?

Compliant substitute scanning explained.

Read more

Process Documentation

VDU under Annex V: template, required content and practical checklist.

Read more

TR-RESISCAN Checklist

10 requirements for compliant scanning.

Read more

Destroy Originals

When can you destroy paper originals?

Read more

Relevant for these industries

Docuflair TR-RESISCAN is particularly valuable for the following audiences

Government

Substitutive scanning per BSI TR-03138, OZG-ready and eAkte-compatible.

View industry page

Police

BSI-compliant migration of paper investigation files per TR-03138.

View industry page

Municipalities

Migrate 80-year construction files digitally and destroy paper legally.

View industry page

Rehabilitation

Legally secure migration of decades of patient files to digital archive.

View industry page

Frequently Asked Questions

Answers to the most important questions about Docuflair TR-RESISCAN

What is TR-RESISCAN and why is it important?

TR-RESISCAN is a Technical Guideline from the German Federal Office for Information Security (BSI). It defines requirements for legally compliant substitute scanning, where paper documents are digitised and the originals can subsequently be destroyed while maintaining full legal evidential value.

For which organisations is TR-RESISCAN particularly relevant?

TR-RESISCAN is particularly relevant for government agencies, public institutions, companies with high compliance requirements, and all organisations that wish to legally destroy paper documents after scanning while retaining full evidential value.

What is a transfer note and what is it used for?

The transfer note documents the scanning process and confirms the correspondence between original and digital copy. It contains information such as scan date, scan operator, settings used and verification results - essential for the evidential value of the digital document.

How does visual inspection work with TR-RESISCAN?

Visual inspection is an essential part of the TR-RESISCAN process. After scanning, the digital document is compared with the original on screen. The inspector confirms completeness and legibility - this is documented in the transfer note.

What technical requirements are needed?

For TR-RESISCAN-compliant scanning, you need a suitable scanner, the Docuflair TR-RESISCAN software, and optionally a screen for visual inspection at the device. The software guides you through the entire process and ensures compliance with all requirements.

Can the original document be destroyed after the TR-RESISCAN process?

Yes, when the TR-RESISCAN process is carried out correctly, the original document can subsequently be destroyed. The digital document with transfer note then has the same evidential value as the original.

How is long-term document availability ensured?

The system stores all documents in PDF/A format, an ISO standard for long-term archiving. Additionally, it digitally signs and tags them with metadata. This ensures that documents remain readable and verifiable for many years to come.

How quickly can Docuflair TR-RESISCAN be implemented?

Implementation is very quick: by installing a single piece of software, legally compliant scanning according to TR-RESISCAN is available to you within minutes. Integration with existing systems is seamless through standardised interfaces.

What is the difference between the base module and extension modules?

The base module contains the minimum requirements for all protection categories - from user authentication to the transfer note. The extension modules (Integrity and Confidentiality) apply when there is increased protection need and define additional measures such as digital signatures, encryption and extended access controls.

How do I create process documentation for TR-RESISCAN?

A process documentation (Verfahrensdokumentation, VDU) describes all organisational, technical and procedural workflows of your scanning process. TR-RESISCAN recommends the structure from Annex V (sample procedure instruction): scope, responsibilities, protection-needs analysis, scanner and software configuration, process flow (intake to destruction), and error and contingency procedures. Docuflair TR-RESISCAN delivers transfer note, audit trail and logs as automated evidence that feeds directly into the VDU. You can download the full practical guide with worked example free of charge.

Is BSI certification mandatory for TR-RESISCAN?

No, certification is generally not mandatory. TR-RESISCAN serves as a practice-oriented guideline for proper scanning processes. There are three paths to conformity: official BSI certification, the "TR-RESISCAN ready" certificate (VOI-CERT), or a self-declaration with process documentation.

What is new in TR-RESISCAN Version 1.5?

Version 1.5 (December 2024) introduces mobile substitute scanning. You can now digitise TR-RESISCAN-compliantly using mobile devices such as smartphones or tablets with a suitable scanning app. Particularly relevant for field service and decentralised locations.

Which legal frameworks reference TR-RESISCAN?

The German E-Government Act (Section 7 EGovG) requires federal agencies to maintain electronic records and references TR-RESISCAN as state of the art. The Code of Civil Procedure (Section 371b ZPO) governs the evidential value of scanned public documents. The GoBD (principles of proper accounting) also complements TR-RESISCAN for tax-relevant documents.

How is the protection requirement for documents determined?

The protection requirement is assessed separately for the three protection goals: Integrity, Confidentiality, and Availability. The categories are: Normal (limited damage impact), High (considerable impact), and Very High (existential impact). Depending on the classification, the base module and/or extension modules are required.

Complementary Products

Discover additional solutions that pair perfectly with Docuflair TR-RESISCAN

Docuflair Scan

High-quality document digitization as the foundation for legally compliant scanning.

Learn more

Docuflair Archive

Archive TR-RESISCAN-compliant scans in PDF/A format for revision-proof long-term storage.

Learn more

Docuflair Sign

Secure scanned documents with qualified electronic signatures for legal validity.

Learn more

Docuflair Normalize

Standardize scanned documents into a uniform PDF/A format before archiving.

Learn more

See TR-RESISCAN in Action

See in 15 minutes how you can digitise paper originals in BSI-compliant fashion and dispose of them with confidence.

See It Live View Pricing

See it live in 15 min

Free & no obligation
Get Demo