32025R2530

Šis dokumentas gautas iš interneto svetainės „EUR-Lex“

EUROPA
„EUR-Lex“ pradžios puslapis
Implementing regulation - EU - 2025/2530 - LT - EUR-Lex

Pagalba

Paieškos patarimai

Reikia daugiau paieškos galimybių? Pasinaudokite šia paieškos galimybe – Išplėstinė paieška

Dokumentas 32025R2530

Pagalba

Commission Implementing Regulation (EU) 2025/2530 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards requirements for qualified trust service providers providing qualified trust services

C/2025/8660

OJ L, 2025/2530, 17.12.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/2530/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Dokumento teisinis statusas Galioja

ELI: http://data.europa.eu/eli/reg_impl/2025/2530/oj

Dokumento data:: 16/12/2025; Date of adoption
Įsigaliojimo data:: 06/01/2026; Entry into force Date pub. +20 See Art 5
Galiojimo pabaigos data:: pabaigos datos nėra

Autorius:: European Commission, Directorate-General for Communications Networks, Content and Technology
Atsakingas padalinys:: CNECT
Forma:: Implementing regulation

Sutartis:

Treaty on the Functioning of the European Union

Teisinis pagrindas:

32014R0910 - A24P5

Nuoroda

Atrinkti visus dokumentus, kuriuose paminėtas šis dokumentas

Minimos priemonės:

EUROVOC deskriptorius:

Tema:

Rodyklės kodas:

13.20.60.00 Industrial policy and internal market / Industrial policy: sectoral operations / Information technology, telecommunications and data-processing

HTML

PDF – autentiškas OL

e. parašas

Kaip patikrinti, ar Oficialusis leidinys autentiškas

Official Journal
of the European Union

L series

2025/2530

17.12.2025

COMMISSION IMPLEMENTING REGULATION (EU) 2025/2530

of 16 December 2025

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards requirements for qualified trust service providers providing qualified trust services

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 24(5) thereof,

Whereas:

(1)	Qualified trust service providers play a crucial role in ensuring secure and reliable digital interactions by delivering qualified trust services in compliance with Regulation (EU) No 910/2014.

(2)

The presumption of compliance laid down in Article 24(5) of Regulation (EU) No 910/2014 should only apply where qualified trust services comply with the requirements, reference standards and specifications set out in this Regulation. These requirements, reference standards and specifications should reflect established practices and be widely recognised within the relevant sectors. The reference standards should be adapted to include additional controls ensuring the security and trustworthiness of the qualified trust service and of the qualified trust service providers providing that service.

(3)

If a trust service provider adheres to the requirements, reference standards and specifications set out in this Regulation, supervisory bodies should presume compliance with the relevant requirements of Regulation (EU) No 910/2014 and duly consider such presumption for granting or confirming the qualified status of the trust service. However, a qualified trust service provider may still rely on other practices to demonstrate compliance with the requirements of Regulation (EU) No 910/2014.

(4)

The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (2), the Commission should review and, if necessary, update this Implementing Regulation, to keep it in line with global developments, new technologies, practices, standards or technical specifications and to follow the best practices on the internal market.

(5)

Qualified trust service providers are to notify supervisory bodies prior to making any changes to the provision of their qualified trust services. These notifications should enable supervisory bodies to require qualified trust service providers to take appropriate measures mitigating potential negative impacts of the notified changes as regards the fulfilment of the requirements of Regulation (EU) No 910/2014 and as regards the grant of the qualified status. To provide clarity and guidance to qualified trust service providers regarding the changes that are to be notified to supervisory bodies, this Regulation should include a non-exhaustive list of such changes.

(6)

Notwithstanding Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council (3), Article 24(2) of Regulation (EU) No 910/2014 provides for additional requirements as regards to the risk management procedures concerning legal, business, operational and other direct or indirect risks to the provision of the qualified trust service, which are not addressed by Commission Implementing Regulation (EU) 2024/2690 (4). To ensure that qualified trust service providers structurally and systematically evaluate and document these risks to the reliability of their qualified trust services, they should implement a risk management framework tailored to the qualified trust services they provide. To ensure consistency of risk management policies implemented by non-qualified trust service providers and qualified trust service providers, that framework should comply with the requirements set out in Commission Implementing Regulation (EU) 2025/2160 (5).

(7)

Continuity of qualified trust services, or appropriate termination of qualified trust services where their continuity cannot be ensured, is a critical element to support the trustworthiness of qualified trust services. Sufficiently detailed termination plans are an important tool for ensuring that the outputs of qualified trust services can be relied upon by subscribers and relying parties in case of termination of qualified trust services. The termination plans should cover both the anticipated termination of a qualified trust service, such as the sale of a qualified trust service to another qualified trust service provider and unanticipated termination, such as bankruptcy or other cases of insolvency. The termination plans should contain appropriate provisions to ensure that the effects of termination can be managed without any negative impact on the validity or value of the outputs generated by the qualified trust service prior to its termination. Moreover, the termination plans should ensure that no new outputs can be obtained from a terminated qualified trust service which no longer meets the relevant requirements for qualified trust services or qualified trust service providers set out in Regulation (EU) No 910/2014. Qualified trust service providers should keep the termination plans up to date and should analyse the impact of any changes to the qualified trust service provider or to the qualified trust services it provides, such as changes of name, mergers, acquisitions, bankruptcies, receivership, forced administration, or technical changes, on the termination plans before implementing those changes.

(8)

The Commission has adopted Implementing Regulations referencing technical standards and specifications applicable to qualified trust services. Those Implementing Regulations, referred to in the Annex to this Regulation, specify how the requirements for qualified trust service providers set out in Article 24(2) of Regulation (EU) No 910/2014 are to be applied and interpreted considering the specific aspects of those qualified trust services. For the presumption of compliance laid down in Article 24(5) of Regulation (EU) No 910/2014 to apply to the qualified service provider, all requirements referenced by the Annex should be implemented as applicable to the specific qualified trust service.

(9)	Regulation (EU) 2016/679 of the European Parliament and of the Council (6) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (7) apply to the personal data processing activities under this Regulation.

(10)	The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (8) and delivered its opinion on 21 October 2025 (9).

(11)	The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Notifications to the supervisory body

1. In notifications referred to in Article 24(2), point (a), of Regulation (EU) No 910/2014, qualified trust service providers shall cover at least significant changes to all of the following elements:

(a)	the service descriptions, policies, practice statements or associated terms and conditions;

(b)	the technical architecture of the qualified trust services, or any trustworthy systems or products referred to in Article 24(2), points (e) and (f), of Regulation (EU) No 910/2014;

(c)	the hosting of any technical components required for the provision of the qualified trust services, or the technical services pertaining to these technical components;

(d)	the use of cryptographic techniques or cryptographic materials in the provision of the qualified trust services;

(e)	the registration and identification procedures;

(f)	the organisational structure or governance of the trust service provider;

(g)	the termination plan;

(h)	financial resources and liability insurance referred to in Article 24(2), point (c) of Regulation (EU) No 910/2014;

(i)	elements with an impact on the content of the corresponding national trusted list;

(j)	third parties involved in the provision of the qualified trust services, including subcontractors or service providers, or to contractual terms with these third parties.

2. Notifications referred to in paragraph 1 shall include:

(a)	description of the change;

(b)	planned date and time of the change;

(c)	reasons for the change and, where applicable, evidence for the reasons;

(d)	where applicable, updated documents.

Article 2

Risk management framework

The requirements laid down in Article 2, Article 3 and Article 4 of Commission Implementing Regulation 2025/2160 shall apply mutatis mutandis to qualified trust service providers with regard to the requirement to have a risk management framework laid down in Article 24(2), point (fa), of Regulation (EU) No 910/2014.

Article 3

Termination plan

1. Qualified trust service providers shall establish a termination plan for each qualified trust service they provide, that establishes the necessary provisions for the effective and correct application of the termination of the service or parts thereof, for the purposes of ensuring continuity of the service and of providing evidence in legal proceedings, including how information is kept accessible in accordance with Article 24(2), point (h) of Regulation (EU) No 910/2014.

2. Qualified trust service providers shall set up controls and procedures to ensure the availability for internal use of documented policies, practices, procedures, third party arrangements and any other documents required to ensure the effectiveness of the termination plan.

3. Qualified trust service providers shall set up controls and procedures to ensure that their termination plan and any document associated with it are up to date.

4. Qualified trust service providers shall review the termination plan, and any associated documents, at least every two years and as part of the implementation of any changes to the qualified trust service provider or to the qualified trust services it provides and update the termination plan accordingly.

5. Qualified trust service providers shall manage the risks that are specific to the termination of the provision of their qualified trust services as part of the risk management framework referred to in Article 2.

6. Qualified trust service providers shall ensure maintenance of sufficient financial resources or obtain appropriate insurance to cover the costs required to effectively execute the termination plan, including in case of unanticipated termination.

7. Qualified trust service providers shall ensure that the termination plan specifies appropriate procedures and arrangements for at least the following:

(a)	the termination of the qualified trust services, including, where relevant, in relation to the decommissioning of any technical components or services used to provide the concerned qualified trust service;

(b)	a timely update of the related service entries as listed in the corresponding national trusted list;

(c)

the revocation of any existing and unrevoked qualified certificates issued by them before concluding the termination of the qualified trust service for the issuance of qualified certificates, unless all relevant obligations of the terminated qualified trust services are transferred to another qualified trust service provider in a manner that ensures that the qualified certificates and all related services continue to meet the requirements of Regulation (EU) No 910/2014 in an uninterrupted manner;

(d)	ensuring that after the termination of the provision of qualified trust services, no further qualified trust service output can be created or enabled through the use of the signature or seal creation data of the qualified trust service provider;

(e)	ensuring the accessibility and usability of all relevant records held by the qualified trust service provider;

(f)	addressing scenarios of anticipated, unanticipated, partial and complete termination;

(g)	ensuring that the interests of the subscribers of the terminated qualified trust services are safeguarded upon termination, including continued maintenance of information required for the subscribers to verify the legal validity of the outputs of the qualified trust services;

(h)	where applicable, specifying any arrangements made to allow provision of alternative qualified trust services by other qualified trust service providers for the purpose of minimising disruptions for the subscribers;

(i)	providing notices to parties known to the qualified trust service provider that will be directly or indirectly affected by the termination.

8. The procedures and arrangements referred to in paragraph 7, point (e) shall ensure the accessibility and usability of the records necessary to:

(a)	provide evidence in relation to the compliance of the qualified trust services with Regulation (EU) No 910/2014 and Regulation (EU) 2016/679;

(b)	ensure continuity of the qualified trust services, as regards the signature or seal validation data of the qualified trust service provider and as regards enabling continued maintenance of information required to verify the correctness of previously created trust service outputs.

9. Qualified trust service providers shall ensure that the termination plan and records associated with it include at least the following documentation:

(a)	procedures for the termination of qualified trust services;

(b)	procedures for and records of regular review of the termination plan referred to in paragraph 4;

(c)	audit reports relating to the termination plan;

(d)	termination arrangements with third parties involved in the provision of the qualified trust services that are to be terminated;

(e)	terms and conditions, practices and policy documents relating to the qualified trust services.

Article 4

Reference standards and specifications for qualified trust services

1. In addition to the requirements set out in Article 1, Article 2 and Article 3, the reference standards and specifications referred to in Article 24(5) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.

2. Where there are discrepancies between the reference standards and specifications established by the Implementing Regulations and as set out in the Annex to this Regulation and the requirements set out in Article 1, Article 2 and Article 3 of this Regulation, the requirements set out in Article 1, Article 2 and Article 3 of this Regulation shall prevail.

Article 5

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 16 December 2025.

For the Commission

The President

Ursula VON DER LEYEN

(1) OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2) Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (OJ L, 2024/1183, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1183/oj).

(3) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).

(4) Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 laying down rules for the application of Directive (EU) 2022/2555 as regards technical and methodological requirements of cybersecurity risk-management measures and further specification of the cases in which an incident is considered to be significant with regard to DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, providers of online market places, of online search engines and of social networking services platforms, and trust service providers (OJ L, 2024/2690, 18.10.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/2690/oj).

(5) Commission Implementing Regulation (EU) 2025/2160 of 27 October 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards, specifications and procedures for the management of risks to the provision of non-qualified trust services (OJ L, 2025/2160, 28.10.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/2160/oj).

(6) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(7) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).

(8) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(9) EDPS Formal comments on the draft Implementing Regulation laying down rules for the application of Regulation (EU) No 910/2014 as regards requirements for qualified trust service providers providing qualified trust services.

ANNEX

List of reference standards and specifications referred to in Article 4

(1)	For qualified trust services for the issuance of qualified certificates for electronic signatures: clauses 5.2, 6.1, 6.4, 6.5, 6.8 and 6.9 of the standard as referenced and adapted in point 1 of Annex I to Commission Implementing Regulation (EU) 2025/1943 (1).

(2)	For qualified trust services for the issuance of qualified certificates for electronic seals: clauses 5.2, 6.1, 6.4, 6.5, 6.8 and 6.9 of the standard as referenced and adapted in point 1 of Annex II to Implementing Regulation (EU) 2025/1943.

(3)	For qualified trust services for the issuance of qualified certificates for website authentication: clauses 5.2, 6.1, 6.4, 6.5, 6.8 and 6.9 of the standard as referenced and adapted in Annex to Implementing Regulation (EU) 2025/1943.

(4)	For qualified validation services for qualified electronic signatures: clauses 5, 6 and 7 of the standard as referenced and adapted in point 1 of the Annex to Commission Implementing Regulation (EU) 2025/1942 (2).

(5)	For qualified validation services for qualified electronic seals: clauses 5, 6 and 7 of the standard as referenced and adapted in point 1 of the Annex to Implementing Regulation (EU) 2025/1942.

(6)	For qualified preservation services for qualified electronic signatures: clauses 5, 6 and 7 of the standard as referenced and adapted in point 1 of the Annex to Commission Implementing Regulation (EU) 2025/1946 (3).

(7)	For qualified preservation services for qualified electronic seals: clauses 5, 6 and 7 of the standard as referenced and adapted in point 1 of the Annex to Implementing Regulation (EU) 2025/1946.

(8)	For qualified trust services for the creation of qualified electronic timestamps: clauses 5, 6 and 7 of the standard as referenced and adapted in point 1 of the Annex to Commission Implementing Regulation (EU) 2025/1929 (4).

(9)	For qualified electronic registered delivery services: clauses 4, 6 and 7 of the standard as referenced and adapted in Annex I to Commission Implementing Regulation (EU) 2025/1944 (5).

(10)	For qualified services for the management of remote qualified electronic signature creation devices: clauses 5, 6.1, 6.4, 6.5, 6.7 and 6.8 of the standard as referenced and adapted in the Annex to Implementing Regulation (EU) 2025/1567 (6).

(11)	For qualified services for the management of remote qualified electronic seal creation devices: clauses 5, 6.1, 6.4, 6.5, 6.7 and 6.8 of the standard as referenced and adapted in the Annex to Implementing Regulation (EU) 2025/1567.

(12)	For qualified electronic archiving services: clauses 6 and 7 of the standard as referenced and adapted in the Annex to Commission Implementing Regulation (EU) 2025/2532 (7).

(13)	For qualified trust services for the issuance of qualified electronic attestation of attributes: the standard referenced in Annex I to Commission Implementing Regulation (EU) 2025/1569 (8).

(14)	For qualified trust services for the recording of electronic data in a qualified electronic ledger: the standard as referenced and adapted in point 3(a) of Annex to Commission Implementing Regulation (EU) 2025/2531 (9).

(1) Commission Implementing Regulation (EU) 2025/1943 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for qualified certificates for electronic signatures and qualified certificates for electronic seals(OJ L, 2025/1943, 30.9.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1943/oj).

(2) Commission Implementing Regulation (EU) 2025/1942 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards qualified validation services for qualified electronic signatures and qualified validation services for qualified electronic seals (OJ L, 2025/1942, 30.9.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1942/oj).

(3) Commission Implementing Regulation (EU) 2025/1946 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards qualified preservation services for qualified electronic signatures and for qualified electronic seals (OJ L, 2025/1946, 30.9.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1946/oj).

(4) Commission Implementing Regulation (EU) 2025/1929 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the binding of date and time to data and establishing the accuracy of the time sources for the provision of qualified electronic time stamps (OJ L, 2025/1929, 30.9.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1929/oj).

(5) Commission Implementing Regulation (EU) 2025/1944 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for processes for sending and receiving data in qualified electronic registered delivery services and as regards interoperability of those services (OJ L, 2025/1944, 30.9.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1944/oj).

(6) Commission Implementing Regulation (EU) 2025/1567 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the management of remote qualified electronic signature creation devices and of remote qualified electronic seal creation devices as qualified trust services (OJ L, 2025/1567, 30.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1567/oj).

(7) Commission Implementing Regulation (EU) 2025/2532 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards and specifications for qualified electronic archiving services (OJ L, 2025/2532, 17.12.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/2532/oj).

(8) Commission Implementing Regulation (EU) 2025/1569 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards qualified electronic attestations of attributes and electronic attestations of attributes provided by or on behalf of a public sector body responsible for an authentic source (OJ L, 2025/1569, 30.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1569/oj).

(9) Commission Implementing Regulation (EU) 2025/2531 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards and specifications for qualified electronic ledgers (OJ L, 2025/2531, 17.12.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/2531/oj).

ELI: http://data.europa.eu/eli/reg_impl/2025/2530/oj

ISSN 1977-0677 (electronic edition)

Į viršų

Viskas

Pasirinkite eksperimentines funkcijas, kurias norite išbandyti