This document is an excerpt from the EUR-Lex website
Document 02014R0910-20241018
Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
02014R0910 — EN — 18.10.2024 — 002.001
This text is meant purely as a documentation tool and has no legal effect. The Union's institutions do not assume any liability for its contents. The authentic versions of the relevant acts, including their preambles, are those published in the Official Journal of the European Union and available in EUR-Lex. Those official texts are directly accessible through the links embedded in this document
REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 23 July 2014 (OJ L 257 28.8.2014, p. 73)
Amended by:
| | Official Journal No | page | date |
| --- | --- | --- | --- |
| DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 14 December 2022 | L 333 | 80 | 27.12.2022 |
| REGULATION (EU) 2024/1183 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 11 April 2024 | L 1183 | 1 | 30.4.2024 |
REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 23 July 2014
on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
CHAPTER I
GENERAL PROVISIONS
Article 1
Subject matter
This Regulation aims to ensure the proper functioning of the internal market and the provision of an adequate level of security of electronic identification means and trust services used across the Union, in order to enable and facilitate the exercise by natural and legal persons of the right to participate in digital society safely and to access online public and private services throughout the Union. For those purposes, this Regulation:
lays down the conditions under which Member States are to recognise natural and legal persons’ electronic identification means falling under a notified electronic identification scheme of another Member State and provide and recognise European Digital Identity Wallets;
lays down rules for trust services, in particular for electronic transactions;
establishes a legal framework for electronic signatures, electronic seals, electronic time stamps, electronic documents, electronic registered delivery services, certificate services for website authentication, electronic archiving, electronic attestation of attributes, electronic signature creation devices, electronic seal creation devices, and electronic ledgers.
Article 2
Scope
Article 3
Definitions
For the purposes of this Regulation, the following definitions apply:
‘electronic identification’ means the process of using person identification data in electronic form uniquely representing either a natural or legal person, or a natural person representing another natural person or a legal person;
‘electronic identification means’ means a material and/or immaterial unit containing person identification data and which is used for authentication for an online service or, where appropriate, for an offline service;
‘person identification data’ means a set of data that is issued in accordance with Union or national law and that enables the establishment of the identity of a natural or legal person, or of a natural person representing another natural person or a legal person.
‘electronic identification scheme’ means a system for electronic identification under which electronic identification means are issued to natural or legal persons or natural persons representing other natural persons or legal persons;
‘authentication’ means an electronic process that enables the confirmation of the electronic identification of a natural or legal person or the confirmation of the origin and integrity of data in electronic form;
‘user’ means a natural or legal person, or a natural person representing another natural person or a legal person, that uses trust services or electronic identification means provided in accordance with this Regulation;
‘relying party’ means a natural or legal person that relies upon electronic identification, European Digital Identity Wallets or other electronic identification means, or upon a trust service;
‘public sector body’ means a state, regional or local authority, a body governed by public law or an association formed by one or several such authorities or one or several such bodies governed by public law, or a private entity mandated by at least one of those authorities, bodies or associations to provide public services, when acting under such a mandate;
‘body governed by public law’ means a body defined in point (4) of Article 2(1) of Directive 2014/24/EU of the European Parliament and of the Council;
‘signatory’ means a natural person who creates an electronic signature;
‘electronic signature’ means data in electronic form which is attached to or logically associated with other data in electronic form and which is used by the signatory to sign;
‘advanced electronic signature’ means an electronic signature which meets the requirements set out in Article 26;
‘qualified electronic signature’ means an advanced electronic signature that is created by a qualified electronic signature creation device, and which is based on a qualified certificate for electronic signatures;
‘electronic signature creation data’ means unique data which is used by the signatory to create an electronic signature;
‘certificate for electronic signature’ means an electronic attestation which links electronic signature validation data to a natural person and confirms at least the name or the pseudonym of that person;
‘qualified certificate for electronic signature’ means a certificate for electronic signatures, that is issued by a qualified trust service provider and meets the requirements laid down in Annex I;
‘trust service’ means an electronic service normally provided for remuneration which consists of any of the following:
the issuance of certificates for electronic signatures, certificates for electronic seals, certificates for website authentication or certificates for the provision of other trust services;
the validation of certificates for electronic signatures, certificates for electronic seals, certificates for website authentication or certificates for the provision of other trust services;
the creation of electronic signatures or electronic seals;
the validation of electronic signatures or electronic seals;
the preservation of electronic signatures, electronic seals, certificates for electronic signatures or certificates for electronic seals;
the management of remote electronic signature creation devices or remote electronic seal creation devices;
the issuance of electronic attestations of attributes;
the validation of electronic attestation of attributes;
the creation of electronic timestamps;
the validation of electronic timestamps;
the provision of electronic registered delivery services;
the validation of data transmitted through electronic registered delivery services and related evidence;
the electronic archiving of electronic data and electronic documents;
the recording of electronic data in an electronic ledger;
‘qualified trust service’ means a trust service that meets the applicable requirements laid down in this Regulation;
‘conformity assessment body’ means a conformity assessment body as defined in Article 2, point 13, of Regulation (EC) No 765/2008, which is accredited in accordance with that Regulation as competent to carry out conformity assessment of a qualified trust service provider and the qualified trust services it provides, or as competent to carry out certification of European Digital Identity Wallets or electronic identification means;
‘trust service provider’ means a natural or a legal person who provides one or more trust services either as a qualified or as a non-qualified trust service provider;
‘qualified trust service provider’ means a trust service provider who provides one or more qualified trust services and is granted the qualified status by the supervisory body;
‘product’ means hardware or software, or relevant components of hardware or software, which are intended to be used for the provision of electronic identification and trust services;
‘electronic signature creation device’ means configured software or hardware used to create an electronic signature;
‘qualified electronic signature creation device’ means an electronic signature creation device that meets the requirements laid down in Annex II;
‘remote qualified electronic signature creation device’ means a qualified electronic signature creation device that is managed by a qualified trust service provider in accordance with Article 29a on behalf of a signatory;
‘remote qualified electronic seal creation device’ means a qualified electronic seal creation device that is managed by a qualified trust service provider in accordance with Article 39a on behalf of a seal creator;
‘creator of a seal’ means a legal person who creates an electronic seal;
‘electronic seal’ means data in electronic form, which is attached to or logically associated with other data in electronic form to ensure the latter’s origin and integrity;
‘advanced electronic seal’ means an electronic seal, which meets the requirements set out in Article 36;
‘qualified electronic seal’ means an advanced electronic seal, which is created by a qualified electronic seal creation device, and that is based on a qualified certificate for electronic seal;
‘electronic seal creation data’ means unique data, which is used by the creator of the electronic seal to create an electronic seal;
‘certificate for electronic seal’ means an electronic attestation that links electronic seal validation data to a legal person and confirms the name of that person;
‘qualified certificate for electronic seal’ means a certificate for an electronic seal, that is issued by a qualified trust service provider and meets the requirements laid down in Annex III;
‘electronic seal creation device’ means configured software or hardware used to create an electronic seal;
‘qualified electronic seal creation device’ means an electronic seal creation device that meets mutatis mutandis the requirements laid down in Annex II;
‘electronic time stamp’ means data in electronic form which binds other data in electronic form to a particular time establishing evidence that the latter data existed at that time;
‘qualified electronic time stamp’ means an electronic time stamp which meets the requirements laid down in Article 42;
‘electronic document’ means any content stored in electronic form, in particular text or sound, visual or audiovisual recording;
‘electronic registered delivery service’ means a service that makes it possible to transmit data between third parties by electronic means and provides evidence relating to the handling of the transmitted data, including proof of sending and receiving the data, and that protects transmitted data against the risk of loss, theft, damage or any unauthorised alterations;
‘qualified electronic registered delivery service’ means an electronic registered delivery service which meets the requirements laid down in Article 44;
‘certificate for website authentication’ means an electronic attestation that makes it possible to authenticate a website and links the website to the natural or legal person to whom the certificate is issued;
‘qualified certificate for website authentication’ means a certificate for website authentication, which is issued by a qualified trust service provider and meets the requirements laid down in Annex IV;
‘validation data’ means data that is used to validate an electronic signature or an electronic seal;
‘validation’ means the process of verifying and confirming that data in electronic form are valid in accordance with this Regulation;
‘European Digital Identity Wallet’ means an electronic identification means which allows the user to securely store, manage and validate person identification data and electronic attestations of attributes for the purpose of providing them to relying parties and other users of European Digital Identity Wallets, and to sign by means of qualified electronic signatures or to seal by means of qualified electronic seals;
‘attribute’ means a characteristic, quality, right or permission of a natural or legal person or of an object;
‘electronic attestation of attributes’ means an attestation in electronic form that allows attributes to be authenticated;
‘qualified electronic attestation of attributes’ means an electronic attestation of attributes which is issued by a qualified trust service provider and meets the requirements laid down in Annex V;
‘electronic attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source’ means an electronic attestation of attributes issued by a public sector body that is responsible for an authentic source or by a public sector body that is designated by the Member State to issue such attestations of attributes on behalf of the public sector bodies responsible for authentic sources in accordance with Article 45f and with Annex VII;
‘authentic source’ means a repository or system, held under the responsibility of a public sector body or private entity, that contains and provides attributes about a natural or legal person or object and that is considered to be a primary source of that information or recognised as authentic in accordance with Union or national law, including administrative practice;
‘electronic archiving’ means a service ensuring the receipt, storage, retrieval and deletion of electronic data and electronic documents in order to ensure their durability and legibility as well as to preserve their integrity, confidentiality and proof of origin throughout the preservation period;
‘qualified electronic archiving service’ means an electronic archiving service which is provided by a qualified trust service provider and which meets the requirements laid down in Article 45j;
‘EU Digital Identity Wallet Trust Mark’ means a verifiable, simple and recognisable indication which is communicated in a clear manner that a European Digital Identity Wallet has been provided in accordance with this Regulation;
‘strong user authentication’ means an authentication based on the use of at least two authentication factors from different categories of either knowledge, something only the user knows, possession, something only the user possesses or inherence, something the user is, that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data;
‘electronic ledger’ means a sequence of electronic data records, ensuring the integrity of those records and the accuracy of the chronological ordering of those records;
‘qualified electronic ledger’ means an electronic ledger which is provided by a qualified trust service provider and which meets the requirements laid down in Article 45l;
‘personal data’ means any information as defined in Article 4, point (1), of Regulation (EU) 2016/679;
‘identity matching’ means a process where person identification data, or electronic identification means are matched with or linked to an existing account belonging to the same person;
‘data record’ means electronic data recorded with related meta-data supporting the processing of the data;
‘offline mode’ means, as regards the use of European Digital Identity Wallets, an interaction between a user and a third party at a physical location using close proximity technologies, whereby the European Digital Identity Wallet is not required to access remote systems via electronic communication networks for the purpose of the interaction.
Article 4
Internal market principle
Article 5
Pseudonyms in electronic transaction
Without prejudice to specific rules of Union or national law requiring users to identify themselves or to the legal effect given to pseudonyms under national law, the use of pseudonyms that are chosen by the user shall not be prohibited.
CHAPTER II
ELECTRONIC IDENTIFICATION
SECTION 1
European Digital Identity Wallet
Article 5a
European Digital Identity Wallets
European Digital Identity Wallets shall be provided in one or more of the following ways:
directly by a Member State;
under a mandate from a Member State;
independently of a Member State but recognised by that Member State.
European Digital Identity Wallets shall enable the user, in a manner that is user-friendly, transparent, and traceable by the user, to:
securely request, obtain, select, combine, store, delete, share and present, under the sole control of the user, person identification data and, where applicable, in combination with electronic attestations of attributes, to authenticate to relying parties online and, where appropriate, in offline mode, in order to access public and private services, while ensuring that selective disclosure of data is possible;
generate pseudonyms and store them encrypted and locally within the European Digital Identity Wallet;
securely authenticate another person’s European Digital Identity Wallet, and receive and share person identification data and electronic attestations of attributes in a secured way between the two European Digital Identity Wallets;
access a log of all transactions carried out through the European Digital Identity Wallet via a common dashboard enabling the user to:
view an up-to-date list of relying parties with which the user has established a connection and, where applicable, all data exchanged;
easily request the erasure by a relying party of personal data pursuant to Article 17 of the Regulation (EU) 2016/679;
easily report a relying party to the competent national data protection authority, where an allegedly unlawful or suspicious request for data is received;
sign by means of qualified electronic signatures or seal by means of qualified electronic seals;
download, to the extent technically feasible, the user’s data, electronic attestation of attributes and configurations;
exercise the user’s rights to data portability.
European Digital Identity Wallets shall, in particular:
support common protocols and interfaces:
for issuance of person identification data, qualified and non-qualified electronic attestations of attributes or qualified and non-qualified certificates to the European Digital Identity Wallet;
for relying parties to request and validate person identification data and electronic attestations of attributes;
for the sharing and presentation to relying parties of person identification data, electronic attestation of attributes or of selectively disclosed related data online and, where appropriate, in offline mode;
for the user to allow interaction with the European Digital Identity Wallet and display an EU Digital Identity Wallet Trust Mark;
to securely onboard the user by using an electronic identification means in accordance with Article 5a(24);
for interaction between two persons’ European Digital Identity Wallets for the purpose of receiving, validating and sharing person identification data and electronic attestations of attributes in a secure manner;
for authenticating and identifying relying parties by implementing authentication mechanisms in accordance with Article 5b;
for relying parties to verify the authenticity and validity of European Digital Identity Wallets;
for requesting a relying party the erasure of personal data pursuant to Article 17 of Regulation (EU) 2016/679;
for reporting a relying party to the competent national data protection authority where an allegedly unlawful or suspicious request for data is received;
for the creation of qualified electronic signatures or electronic seals by means of qualified electronic signature or electronic seal creation devices;
not provide any information to trust service providers of electronic attestations of attributes about the use of those electronic attestations;
ensure that the relying parties can be authenticated and identified by implementing authentication mechanisms in accordance with Article 5b;
meet the requirements set out in Article 8 with regard to assurance level high, in particular as applied to the requirements for identity proofing and verification, and electronic identification means management and authentication;
in the case of the electronic attestation of attributes with embedded disclosure policies, implement the appropriate mechanism to inform the user that the relying party or the user of the European Digital Identity Wallet requesting that electronic attestation of attributes has the permission to access such attestation;
ensure that the person identification data, which is available from the electronic identification scheme under which the European Digital Identity Wallet is provided, uniquely represents the natural person, legal person or the natural person representing the natural or legal person, and is associated with that European Digital Identity Wallet;
offer all natural persons the ability to sign by means of qualified electronic signatures by default and free of charge.
Notwithstanding point (g) of the first subparagraph, Member States may provide for proportionate measures to ensure that the use of qualified electronic signatures free-of-charge by natural persons is limited to non-professional purposes.
Member States shall provide validation mechanisms free-of-charge, in order to:
ensure that the authenticity and validity of European Digital Identity Wallets can be verified;
allow users to verify the authenticity and validity of the identity of relying parties registered in accordance with Article 5b.
Member States shall ensure that the validity of the European Digital Identity Wallet can be revoked in the following circumstances:
upon the explicit request of the user;
where the security of the European Digital Identity Wallet has been compromised;
upon the death of the user or cease of activity of the legal person.
The technical framework of the European Digital Identity Wallet shall:
not allow providers of electronic attestations of attributes or any other party, after the issuance of the attestation of attributes, to obtain data that allows transactions or user behaviour to be tracked, linked or correlated, or knowledge of transactions or user behaviour to be otherwise obtained, unless explicitly authorised by the user;
enable privacy preserving techniques which ensure unlinkability, where the attestation of attributes does not require the identification of the user.
Member States shall, without undue delay, notify the Commission of information about:
the body responsible for establishing and maintaining the list of registered relying parties that rely on European Digital Identity Wallets in accordance with Article 5b(5) and the location of that list;
the bodies responsible for the provision of European Digital Identity Wallets in accordance with Article 5a(1);
the bodies responsible for ensuring that the person identification data is associated with the European Digital Identity Wallet in accordance with Article 5a(5), point (f);
the mechanism allowing for the validation of the person identification data referred to in Article 5a(5), point (f), and of the identity of the relying parties;
the mechanism by which to validate the authenticity and validity of European Digital Identity Wallets.
The Commission shall make available the information notified pursuant to the first subparagraph to the public through a secure channel, in electronically signed or sealed form suitable for automated processing.
Article 5b
European Digital Identity Wallet-Relying Parties
The registration process shall be cost-effective and proportionate-to-risk. The relying party shall provide at least:
the information necessary to authenticate to European Digital Identity Wallets, which as a minimum includes:
the Member State in which the relying party is established; and
the name of the relying party and, where applicable, its registration number as stated in an official record together with identification data of that official record;
the contact details of the relying party;
the intended use of European Digital Identity Wallets, including an indication of the data to be requested by the relying party from users.
Article 5c
Certification of European Digital Identity Wallets
Article 5d
Publication of a list of certified European Digital Identity Wallets
Without prejudice to Article 5a(18), the information provided by Member States referred to in paragraph 1 of this Article shall include at least:
the certificate and certification assessment report of the certified European Digital Identity Wallet;
a description of the electronic identification scheme under which the European Digital Identity Wallet is provided;
the applicable supervisory regime and information on the liability regime with respect to the party providing the European Digital Identity Wallet;
the authority or authorities responsible for the electronic identification scheme;
arrangements for suspension or revocation of the electronic identification scheme or authentication or of the compromised parts concerned.
Article 5e
Security breach of European Digital Identity Wallets
Where justified by the severity of the security breach or compromise referred to in the first subparagraph, the Member State shall withdraw European Digital Identity Wallets without undue delay.
The Member State shall inform the users affected, the single points of contact designated pursuant to Article 46c(1), the relying parties and the Commission accordingly.
Article 5f
Cross-border reliance on European Digital Identity Wallets
SECTION 2
Electronic identification schemes
Article 6
Mutual recognition
When an electronic identification using an electronic identification means and authentication is required under national law or by administrative practice to access a service provided by a public sector body online in one Member State, the electronic identification means issued in another Member State shall be recognised in the first Member State for the purposes of cross-border authentication for that service online, provided that the following conditions are met:
the electronic identification means is issued under an electronic identification scheme that is included in the list published by the Commission pursuant to Article 9;
the assurance level of the electronic identification means corresponds to an assurance level equal to or higher than the assurance level required by the relevant public sector body to access that service online in the first Member State, provided that the assurance level of that electronic identification means corresponds to the assurance level substantial or high;
the relevant public sector body uses the assurance level substantial or high in relation to accessing that service online.
Such recognition shall take place no later than 12 months after the Commission publishes the list referred to in point (a) of the first subparagraph.
Article 7
Eligibility for notification of electronic identification schemes
An electronic identification scheme shall be eligible for notification pursuant to Article 9(1) provided that all of the following conditions are met:
the electronic identification means under the electronic identification scheme are issued:
by the notifying Member State;
under a mandate from the notifying Member State; or
independently of the notifying Member State and are recognised by that Member State;
the electronic identification means under the electronic identification scheme can be used to access at least one service which is provided by a public sector body and which requires electronic identification in the notifying Member State;
the electronic identification scheme and the electronic identification means issued thereunder meet the requirements of at least one of the assurance levels set out in the implementing act referred to in Article 8(3);
the notifying Member State ensures that the person identification data uniquely representing the person in question is attributed, in accordance with the technical specifications, standards and procedures for the relevant assurance level set out in the implementing act referred to in Article 8(3), to the natural or legal person referred to in point 1 of Article 3 at the time the electronic identification means under that scheme is issued;
the party issuing the electronic identification means under that scheme ensures that the electronic identification means is attributed to the person referred to in point (d) of this Article in accordance with the technical specifications, standards and procedures for the relevant assurance level set out in the implementing act referred to in Article 8(3);
the notifying Member State ensures the availability of authentication online, so that any relying party established in the territory of another Member State is able to confirm the person identification data received in electronic form.
For relying parties other than public sector bodies the notifying Member State may define terms of access to that authentication. The cross-border authentication shall be provided free of charge when it is carried out in relation to a service online provided by a public sector body.
Member States shall not impose any specific disproportionate technical requirements on relying parties intending to carry out such authentication, where such requirements prevent or significantly impede the interoperability of the notified electronic identification schemes;
at least six months prior to notification pursuant to Article 9(1), the notifying Member State provides the other Member States, for the purposes of Article 12(5), with a description of that scheme in accordance with the procedural arrangements established by the implementing acts adopted pursuant to Article 12(6);
the electronic identification scheme meets the requirements set out in the implementing act referred to in Article 12(8).
Article 8
Assurance levels of electronic identification schemes
The assurance levels low, substantial and high shall meet respectively the following criteria:
assurance level low shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a limited degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease the risk of misuse or alteration of the identity;
assurance level substantial shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a substantial degree of confidence in the claimed or asserted identity of a person, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to decrease substantially the risk of misuse or alteration of the identity;
assurance level high shall refer to an electronic identification means in the context of an electronic identification scheme, which provides a higher degree of confidence in the claimed or asserted identity of a person than electronic identification means with the assurance level substantial, and is characterised with reference to technical specifications, standards and procedures related thereto, including technical controls, the purpose of which is to prevent misuse or alteration of the identity.
Those minimum technical specifications, standards and procedures shall be set out by reference to the reliability and quality of the following elements:
the procedure to prove and verify the identity of natural or legal persons applying for the issuance of electronic identification means;
the procedure for the issuance of the requested electronic identification means;
the authentication mechanism, through which the natural or legal person uses the electronic identification means to confirm its identity to a relying party;
the entity issuing the electronic identification means;
any other body involved in the application for the issuance of the electronic identification means; and
the technical and security specifications of the issued electronic identification means.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 9
Notification
The notifying Member State shall notify to the Commission the following information and, without undue delay, any subsequent changes thereto:
a description of the electronic identification scheme, including its assurance levels and the issuer or issuers of electronic identification means under the scheme;
the applicable supervisory regime and information on the liability regime with respect to the following:
the party issuing the electronic identification means; and
the party operating the authentication procedure;
the authority or authorities responsible for the electronic identification scheme;
information on the entity or entities which manage the registration of the unique person identification data;
a description of how the requirements set out in the implementing acts referred to in Article 12(8) are met;
a description of the authentication referred to in point (f) of Article 7;
arrangements for suspension or revocation of either the notified electronic identification scheme or authentication or the compromised parts concerned.
Article 10
Security breach of electronic identification schemes
The Commission shall publish in the Official Journal of the European Union the corresponding amendments to the list referred to in Article 9(2) without undue delay.
Article 11
Liability
Article 11a
Cross-border identity matching
Article 12
Interoperability
The interoperability framework shall meet the following criteria:
it aims to be technology neutral and does not discriminate between any specific national technical solutions for electronic identification within a Member State;
it follows European and international standards, where possible;
it facilitates the implementation of privacy and security by design.
The interoperability framework shall consist of:
a reference to minimum technical requirements related to the assurance levels under Article 8;
a mapping of national assurance levels of notified electronic identification schemes to the assurance levels under Article 8;
a reference to minimum technical requirements for interoperability;
a reference to a minimum set of person identification data necessary to uniquely represent a natural or legal person, or a natural person representing another natural person or a legal person, which is available from electronic identification schemes;
rules of procedure;
arrangements for dispute resolution; and
common operational security standards.
Article 12a
Certification of electronic identification schemes
Article 12b
Access to hardware and software features
Where providers of European Digital Identity Wallets and issuers of notified electronic identification means that act in a commercial or professional capacity and use core platform services as defined in Article 2, point (2), of Regulation (EU) 2022/1925 of the European Parliament and of the Council ( 7 ) for the purpose or in the course of providing European Digital Identity Wallet services and electronic identification means to end-users are business users as defined in Article 2, point (21), of that Regulation, gatekeepers shall in particular allow them effective interoperability with, and, for the purposes of interoperability, access to, the same operating system, hardware or software features. Such effective interoperability and access shall be allowed free of charge and regardless of whether the hardware or software features are part of the operating system, are available to, or are used by, that gatekeeper when providing such services, within the meaning of Article 6(7) of Regulation (EU) 2022/1925. This Article is without prejudice to Article 5a(14) of this Regulation.
CHAPTER III
TRUST SERVICES
SECTION 1
General provisions
Article 13
Liability and burden of proof
The burden of proving the intention or negligence of a non-qualified trust service provider shall lie with the natural or legal person claiming the damage referred to in the first subparagraph.
The intention or negligence of a qualified trust service provider shall be presumed unless that qualified trust service provider proves that the damage referred to in the first subparagraph occurred without the intention or negligence of that qualified trust service provider.
Article 14
International aspects
The implementing acts referred to in the first subparagraph shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 15
Accessibility for persons with disabilities and special needs
The provision of electronic identification means, trust services and end-user products that are used in the provision of those services shall be made available in plain and intelligible language, in accordance with the United Nations Convention on the Rights of Persons with Disabilities and with the accessibility requirements of Directive (EU) 2019/882, thus also benefiting persons who experience functional limitations, such as elderly people, and persons with limited access to digital technologies.
Article 16
Penalties
Member States shall ensure that infringements of this Regulation by qualified and non-qualified trust service providers be subject to administrative fines of a maximum of at least:
EUR 5 000 000 where the trust service provider is a natural person; or
where the trust service provider is a legal person, EUR 5 000 000 or 1 % of the total worldwide annual turnover of the undertaking to which the trust service provider belonged in the financial year preceding the year in which the infringement occurred, whichever is higher.
SECTION 2
Non-qualified trust services
Article 19a
Requirements for non-qualified trust service providers
A non-qualified trust service provider providing non-qualified trust services shall:
(a) have appropriate policies and take corresponding measures to manage legal, business, operational and other direct or indirect risks to the provision of the non-qualified trust service, which shall, notwithstanding Article 21 of Directive (EU) 2022/2555, include at least measures relating to:
(i) registration and onboarding procedures for a trust service;
(ii) procedural or administrative checks needed to provide trust services;
(iii) the management and implementation of trust services;
(b) notifying the supervisory body, the identifiable affected individuals, the public if it is of public interest and, where applicable, other relevant competent authorities, of any security breaches or disruptions in the provision of the service or the implementation of the measures referred to in point (a) (i), (ii) or (iii), that have a significant impact on the trust service provided or on the personal data maintained therein, without undue delay and in any case no later than 24 hours of having become aware of any security breaches or disruptions.
SECTION 3
Qualified trust services
Article 20
Supervision of qualified trust service providers
Where that provider does not provide a remedy and, where applicable within the time limit set by the supervisory body, the supervisory body, where justified in particular by the extent, duration and consequences of that failure, shall withdraw the qualified status of that provider or of the affected service it provides.
By 21 May 2025, the Commission shall, by means of implementing acts, establish a list of reference standards and, where necessary, establish specifications and procedures for the following:
the accreditation of the conformity assessment bodies and for the conformity assessment report referred to in paragraph 1;
the auditing requirements for the conformity assessment bodies to carry out their conformity assessment, including composite assessment, of the qualified trust service providers as referred to in paragraph 1;
the conformity assessment schemes for carrying out the conformity assessment of the qualified trust service providers by the conformity assessment bodies and for the provision of the report referred to in paragraph 1.
Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 21
Initiation of a qualified trust service
In order to verify the compliance of the trust service provider with the requirements laid down in Article 21 of Directive (EU) 2022/2555, the supervisory body shall request the competent authorities designated or established pursuant to Article 8(1) of that Directive to carry out supervisory actions in that regard and to provide information about the outcome without undue delay and in any event within two months of receipt of that request. If the verification is not concluded within two months of the notification, those competent authorities shall inform the supervisory body specifying the reasons for the delay and the period within which the verification is to be concluded.
Where the supervisory body concludes that the trust service provider and the trust services provided by it comply with the requirements laid down in this Regulation, the supervisory body shall grant qualified status to the trust service provider and the trust services it provides and inform the body referred to in Article 22(3) for the purposes of updating the trusted lists referred to in Article 22(1), not later than three months after notification in accordance with paragraph 1 of this Article.
Where the verification is not concluded within three months of notification, the supervisory body shall inform the trust service provider specifying the reasons for the delay and the period within which the verification is to be concluded.
Article 22
Trusted lists
Article 23
EU trust mark for qualified trust services
Article 24
Requirements for qualified trust service providers
The verification of the identity referred to in paragraph 1 shall be performed, by appropriate means, by the qualified trust service provider, either directly or by means of a third party, on the basis of one of the following methods or, when needed, on a combination thereof in accordance with the implementing acts referred to in paragraph 1c:
by means of the European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 with regard to assurance level high;
by means of a certificate of a qualified electronic signature or of a qualified electronic seal, issued in compliance with point (a), (c) or (d);
by using other identification methods which ensure the identification of the person with a high level of confidence, the conformity of which shall be confirmed by a conformity assessment body;
through the physical presence of the natural person or of an authorised representative of the legal person, by means of appropriate evidence and procedures, in accordance with national law.
The verification of the attributes referred to in paragraph 1 shall be performed, by appropriate means, by the qualified trust service provider, either directly or by means of a third party, on the basis of one of the following methods or, where necessary, on a combination thereof, in accordance with the implementing acts referred to in paragraph 1c:
by means of the European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 with regard to assurance level high;
by means of a certificate of a qualified electronic signature or of a qualified electronic seal, issued in accordance with paragraph 1a, point (a), (c) or (d);
by means of a qualified electronic attestation of attributes;
by using other methods, which ensure the verification of the attributes with a high level of confidence, the conformity of which shall be confirmed by a conformity assessment body;
by means of the physical presence of the natural person or of an authorised representative of the legal person, by means of appropriate evidence and procedures, in accordance with national law.
A qualified trust service provider providing qualified trust services shall:
inform the supervisory body at least one month before implementing any change in the provision of its qualified trust services or at least three months in case of an intention to cease those activities;
employ staff and, if applicable, subcontractors who possess the necessary expertise, reliability, experience, and qualifications and who have received appropriate training regarding security and personal data protection rules and shall apply administrative and management procedures which correspond to European or international standards;
with regard to the risk of liability for damages in accordance with Article 13, maintain sufficient financial resources and/or obtain appropriate liability insurance, in accordance with national law;
before entering into a contractual relationship, inform, in a clear, comprehensive and easily accessible manner, in a publicly accessible space and individually any person seeking to use a qualified trust service of the precise terms and conditions regarding the use of that service, including any limitations on its use;
use trustworthy systems and products that are protected against modification and ensure the technical security and reliability of the processes supported by them, including using suitable cryptographic techniques;
use trustworthy systems to store data provided to it, in a verifiable form so that:
they are publicly available for retrieval only where the consent of the person to whom the data relates has been obtained,
only authorised persons can make entries and changes to the stored data,
the data can be checked for authenticity;
notwithstanding Article 21 of Directive (EU) 2022/2555, have appropriate policies and take corresponding measures to manage legal, business, operational and other direct or indirect risks to the provision of the qualified trust service, including at least measures related to the following:
registration and onboarding procedures for a service;
procedural or administrative checks;
the management and implementation of services;
notify the supervisory body, the identifiable affected individuals, other relevant competent bodies where applicable and, at the request of the supervisory body, the public if it is of public interest, of any security breaches or disruptions in the provision of the service or the implementation of the measures referred to in point (fa)(i), (ii) or (iii) that have a significant impact on the trust service provided or on the personal data maintained therein, without undue delay and in any event within 24 hours of the incident;
take appropriate measures against forgery, theft or misappropriation of data or, without right, deleting, altering or rendering data inaccessible;
record and keep accessible for as long as necessary after the activities of the qualified trust service provider have ceased, all relevant information concerning data issued and received by the qualified trust service provider, for the purpose of providing evidence in legal proceedings and for the purpose of ensuring continuity of the service. Such recording may be done electronically;
have an up-to-date termination plan to ensure the continuity of service in accordance with provisions that are verified by the supervisory body pursuant to Article 46b(4), point (i);
in case of qualified trust service providers issuing qualified certificates, establish and keep updated a certificate database.
The supervisory body may request information in addition to the information notified pursuant to point (a) of the first subparagraph or the result of a conformity assessment and may condition the granting of the permission to implement the intended changes to the qualified trust services. If the verification is not concluded within three months of notification, the supervisory body shall inform the trust service provider, specifying the reasons for the delay and the period within which the verification is to be concluded.
Article 24a
Recognition of qualified trust services
SECTION 4
Electronic signatures
Article 25
Legal effects of electronic signatures
Article 26
Requirements for advanced electronic signatures
An advanced electronic signature shall meet the following requirements:
it is uniquely linked to the signatory;
it is capable of identifying the signatory;
it is created using electronic signature creation data that the signatory can, with a high level of confidence, use under his sole control; and
it is linked to the data signed therewith in such a way that any subsequent change in the data is detectable.
Article 27
Electronic signatures in public services
Article 28
Qualified certificates for electronic signatures
Subject to the following conditions, Member States may lay down national rules on temporary suspension of a qualified certificate for electronic signature:
if a qualified certificate for electronic signature has been temporarily suspended that certificate shall lose its validity for the period of suspension;
the period of suspension shall be clearly indicated in the certificate database and the suspension status shall be visible, during the period of suspension, from the service providing information on the status of the certificate.
Article 29
Requirements for qualified electronic signature creation devices
Article 29a
Requirements for a qualified service for the management of remote qualified electronic signature creation devices
The management of remote qualified electronic signature creation devices as a qualified service shall be carried out only by a qualified trust service provider that:
generates or manages electronic signature creation data on behalf of the signatory;
notwithstanding point (1)(d) of Annex II, duplicates the electronic signature creation data for back-up purposes only, provided that the following requirements are met:
the security of the duplicated datasets must be at the same level as for the original datasets;
the number of duplicated datasets must not exceed the minimum needed to ensure continuity of the service;
complies with any requirements identified in the certification report of the specific remote qualified electronic signature creation device issued pursuant to Article 30.
Article 30
Certification of qualified electronic signature creation devices
The certification referred to in paragraph 1 shall be based on one of the following:
(a) a security evaluation process carried out in accordance with one of the standards for the security assessment of information technology products included in the list established in accordance with the second subparagraph; or
(b) a process other than the process referred to in point (a), provided that it uses comparable security levels and provided that the public or private body referred to in paragraph 1 notifies that process to the Commission. That process may be used only in the absence of standards referred to in point (a) or when a security evaluation process referred to in point (a) is ongoing.
The Commission shall, by means of implementing acts, establish a list of standards for the security assessment of information technology products referred to in point (a). Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).
Article 31
Publication of a list of certified qualified electronic signature creation devices
Article 32
Requirements for the validation of qualified electronic signatures
The process for the validation of a qualified electronic signature shall confirm the validity of a qualified electronic signature provided that:
the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;
the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;
the signature validation data corresponds to the data provided to the relying party;
the unique set of data representing the signatory in the certificate is correctly provided to the relying party;
the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
the electronic signature was created by a qualified electronic signature creation device;
the integrity of the signed data has not been compromised;
the requirements provided for in Article 26 were met at the time of signing.
Compliance with the requirements laid down in the first subparagraph of this paragraph shall be presumed where the validation of qualified electronic signatures complies with the standards, specifications and procedures referred to in paragraph 3.
Article 32a
Requirements for the validation of advanced electronic signatures based on qualified certificates
The process for the validation of an advanced electronic signature based on a qualified certificate shall confirm the validity of an advanced electronic signature based on a qualified certificate, provided that:
the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;
the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;
the signature validation data corresponds to the data provided to the relying party;
the unique set of data representing the signatory in the certificate is correctly provided to the relying party;
the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
the integrity of the signed data has not been compromised;
the requirements provided for in Article 26 were met at the time of signing.
Article 33
Qualified validation service for qualified electronic signatures
A qualified validation service for qualified electronic signatures may only be provided by a qualified trust service provider who:
provides validation in compliance with Article 32(1); and
allows relying parties to receive the result of the validation process in an automated manner, which is reliable, efficient and bears the advanced electronic signature or advanced electronic seal of the provider of the qualified validation service.
Article 34
Qualified preservation service for qualified electronic signatures
SECTION 5
Electronic seals
Article 35
Legal effects of electronic seals
Article 36
Requirements for advanced electronic seals
An advanced electronic seal shall meet the following requirements:
it is uniquely linked to the creator of the seal;
it is capable of identifying the creator of the seal;
it is created using electronic seal creation data that the creator of the seal can, with a high level of confidence under its control, use for electronic seal creation; and
it is linked to the data to which it relates in such a way that any subsequent change in the data is detectable.
Article 37
Electronic seals in public services
Article 38
Qualified certificates for electronic seals
Subject to the following conditions, Member States may lay down national rules on temporary suspension of qualified certificates for electronic seals:
if a qualified certificate for electronic seal has been temporarily suspended, that certificate shall lose its validity for the period of suspension;
the period of suspension shall be clearly indicated in the certificate database and the suspension status shall be visible, during the period of suspension, from the service providing information on the status of the certificate.
Article 39
Qualified electronic seal creation devices
Article 39a
Requirements for a qualified service for the management of remote qualified electronic seal creation devices
Article 29a shall apply mutatis mutandis to a qualified service for the management of remote qualified electronic seal creation devices.
Article 40
Validation and preservation of qualified electronic seals
Articles 32, 33 and 34 shall apply mutatis mutandis to the validation and preservation of qualified electronic seals.
Article 40a
Requirements for the validation of advanced electronic seals based on qualified certificates
Article 32a shall apply mutatis mutandis to the validation of advanced electronic seals based on qualified certificates.
SECTION 6
Electronic time stamps
Article 41
Legal effect of electronic time stamps
Article 42
Requirements for qualified electronic time stamps
A qualified electronic time stamp shall meet the following requirements:
it binds the date and time to data in such a manner as to reasonably preclude the possibility of the data being changed undetectably;
it is based on an accurate time source linked to Coordinated Universal Time; and
it is signed using an advanced electronic signature or sealed with an advanced electronic seal of the qualified trust service provider, or by some equivalent method.
SECTION 7
Electronic registered delivery services
Article 43
Legal effect of an electronic registered delivery service
Article 44
Requirements for qualified electronic registered delivery services
Qualified electronic registered delivery services shall meet the following requirements:
(a) they are provided by one or more qualified trust service provider(s);
(b) they ensure with a high level of confidence the identification of the sender;
(c) they ensure the identification of the addressee before the delivery of the data;
(d) the sending and receiving of data is secured by an advanced electronic signature or an advanced electronic seal of a qualified trust service provider in such a manner as to preclude the possibility of the data being changed undetectably;
(e) any change of the data needed for the purpose of sending or receiving the data is clearly indicated to the sender and addressee of the data;
(f) the date and time of sending, receiving and any change of data are indicated by a qualified electronic time stamp.
In the event of the data being transferred between two or more qualified trust service providers, the requirements in points (a) to (f) shall apply to all the qualified trust service providers.
SECTION 8
Website authentication
Article 45
Requirements for qualified certificates for website authentication
Article 45a
Cybersecurity precautionary measures
SECTION 9
Electronic attestation of attributes
Article 45b
Legal effects of electronic attestation of attributes
Article 45c
Electronic attestation of attributes in public services
Where an electronic identification using an electronic identification means and authentication is required under national law to access an online service provided by a public sector body, person identification data in the electronic attestation of attributes shall not substitute electronic identification using an electronic identification means and authentication for electronic identification unless specifically allowed by the Member State. In such a case, qualified electronic attestation of attributes from other Member States shall also be accepted.
Article 45d
Requirements for qualified electronic attestation of attributes
Article 45e
Verification of attributes against authentic sources
Article 45f
Requirements for electronic attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source
An electronic attestation of attributes issued by or on behalf of a public sector body responsible for an authentic source shall meet the following requirements:
(a) those set out in Annex VII;
(b) the qualified certificate supporting the qualified electronic signature or qualified electronic seal of the public sector body referred to in Article 3, point (46), identified as the issuer referred to in point (b), of Annex VII, containing a specific set of certified attributes in a form suitable for automated processing and:
(i) indicating that the issuing body is established in accordance with Union or national law as the responsible for the authentic source on the basis of which the electronic attestation of attributes is issued or as the body designated to act on its behalf;
(ii) providing a set of data unambiguously representing the authentic source referred to in point (i); and
(iii) identifying the Union or national law referred to in point (i).
Article 45g
Issuing of electronic attestation of attributes to European Digital Identity Wallets
Article 45h
Additional rules for the provision of electronic attestation of attributes services
SECTION 10
Electronic archiving services
Article 45i
Legal effect of electronic archiving services
Article 45j
Requirements for qualified electronic archiving services
Qualified electronic archive services shall meet the following requirements:
(a) they are provided by qualified trust service providers;
(b) they use procedures and technologies capable of ensuring the durability and legibility of electronic data and electronic documents beyond the technological validity period and at least throughout the legal or contractual preservation period, while maintaining their integrity and the accuracy of their origin;
(c) they ensure that those electronic data and those electronic documents are preserved in such a way that they are safeguarded against loss and alteration, except for changes concerning their medium or electronic format;
(d) they shall allow authorised relying parties to receive a report in an automated manner that confirms that electronic data and electronic documents retrieved from a qualified electronic archive enjoy the presumption of integrity of the data from the beginning of the preservation period to the moment of retrieval.
The report referred to in point (d) of the first subparagraph shall be provided in a reliable and efficient way and shall bear the qualified electronic signature or qualified electronic seal of the provider of the qualified electronic archiving service.
SECTION 11
Electronic ledgers
Article 45k
Legal effects of electronic ledgers
Article 45l
Requirements for qualified electronic ledgers
Qualified electronic ledgers shall meet the following requirements:
they are created and managed by one or more qualified trust service providers;
they establish the origin of data records in the ledger;
they ensure the unique sequential chronological ordering of data records in the ledger;
they record data in such a way that any subsequent change to the data is immediately detectable, ensuring their integrity over time.
CHAPTER IV
ELECTRONIC DOCUMENTS
Article 46
Legal effects of electronic documents
An electronic document shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in electronic form.
CHAPTER IVa
GOVERNANCE FRAMEWORK
Article 46a
Supervision of the European Digital Identity Wallet Framework
The supervisory bodies designated pursuant to the first subparagraph shall be given the necessary powers and adequate resources for the exercise of their tasks in an effective, efficient and independent manner.
The role of the supervisory bodies designated pursuant to paragraph 1 shall be:
to supervise providers of European Digital Identity Wallets established in the designating Member State and to ensure, by means of ex ante and ex post supervisory activities, that those providers and European Digital Identity Wallets they provide meet the requirements laid down in this Regulation;
to take action, if necessary, in relation to providers of European Digital Identity Wallets established in the territory of the designating Member State, by means of ex post supervisory activities, when informed that providers or European Digital Identity Wallets that they provide infringe this Regulation.
The tasks of the supervisory bodies designated pursuant to paragraph 1 shall include, in particular, the following:
to cooperate with other supervisory bodies and to provide them with assistance in accordance with Articles 46c and 46e;
to request information necessary to monitor compliance with this Regulation;
to inform the relevant competent authorities designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555 of the Member States concerned of any significant security breaches or loss of integrity of which they become aware in the performance of their tasks and, in the case of a significant security breach or loss of integrity which concerns other Member States, to inform the single point of contact designated or established pursuant to Article 8(3) of Directive (EU) 2022/2555 of the Member State concerned and the single points of contact designated pursuant to Article 46c(1) of this Regulation in the other Member States concerned, and to inform the public or require providers of European Digital Identity Wallet to do so where the supervisory body determines that disclosure of the security breach or of the loss of integrity would be in the public interest;
to carry out on-site inspections and off-site supervision;
to require that providers of European Digital Identity Wallets remedy any failure to fulfil the requirements laid down in this Regulation;
to suspend or cancel the registration and inclusion of relying parties in the mechanism referred to in Article 5b(7) in the case of illegal or fraudulent use of the European Digital Identity Wallet;
to cooperate with competent supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679, in particular, by informing them without undue delay, where personal data protection rules appear to have been infringed and about security breaches which appear to constitute personal data breaches.
Article 46b
Supervision of trust services
The supervisory bodies designated pursuant to the first subparagraph shall be given the necessary powers and adequate resources for the exercise of their tasks.
The role of the supervisory bodies designated pursuant to paragraph 1 shall be:
to supervise qualified trust service providers established in the territory of the designating Member State and to ensure, by means of ex ante and ex post supervisory activities, that those qualified trust service providers and the qualified trust services that they provide meet the requirements laid down in this Regulation;
to take action, if necessary, in relation to non-qualified trust service providers established in the territory of the designating Member State, by means of ex post supervisory activities, when informed that those non-qualified trust service providers or the trust services they provide allegedly do not meet the requirements laid down in this Regulation.
The tasks of the supervisory body designated pursuant to paragraph 1 shall include in particular the following:
to inform the relevant competent authorities designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555 of the Member States concerned of any significant security breach or loss of integrity of which it becomes aware in the performance of its tasks and, in the case of a significant security breach or loss of integrity which concerns other Member States, to inform the single point of contact designated or established pursuant to Article 8(3) of Directive (EU) 2022/2555 of the Member State concerned and the single points of contact designated pursuant to Article 46c(1) of this Regulation in the other Member States concerned, and to inform the public or require the trust service provider to do so where the supervisory body determines that disclosure of the breach of security or loss of integrity would be in the public interest;
to cooperate with other supervisory bodies and to provide them with assistance in accordance with Articles 46c and 46e;
to analyse the conformity assessment reports referred to in Article 20(1) and Article 21(1);
to report to the Commission about its main activities in accordance with paragraph 6 of this Article;
to carry out audits or request a conformity assessment body to perform a conformity assessment of the qualified trust service providers in accordance with Article 20(2);
to cooperate with competent supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679, in particular, by informing them, without undue delay, where personal data protection rules appear to have been breached and about security breaches which appear to constitute personal data breaches;
to grant qualified status to trust service providers and to the services they provide, and to withdraw that status in accordance with Articles 20 and 21;
to inform the body responsible for the national trusted list referred to in Article 22(3) of its decisions to grant or withdraw qualified status, unless that body is also the supervisory body designated pursuant to paragraph 1 of this Article;
to verify the existence and correct application of provisions on termination plans where the qualified trust service provider ceases its activities, including how information is kept accessible in accordance with Article 24(2), point (h);
to require that trust service providers remedy any failure to fulfil the requirements laid down in this Regulation;
to investigate claims made by providers of web-browsers pursuant to Article 45a and to take action if necessary.
Article 46c
Single points of contact
Article 46d
Mutual assistance
The mutual assistance shall at least entail that:
the supervisory body applying supervisory and enforcement measures in one Member State shall inform and consult the supervisory body from the other Member State concerned;
a supervisory body may request the supervisory body of another Member State concerned to take supervisory or enforcement measures, including, for instance, requests to carry out inspections related to the conformity assessment reports as referred to in Articles 20 and 21 regarding the provision of trust services;
where appropriate, supervisory bodies may carry out joint investigations with the supervisory bodies of other Member States.
The arrangements and procedures for joint actions under the first subparagraph shall be agreed upon and established by the Member States concerned in accordance with their national law.
A supervisory body to which a request for assistance is addressed may refuse that request on any of the following grounds:
the assistance requested is not proportionate to the supervisory activities of the supervisory body carried out in accordance with Articles 46a and 46b;
the supervisory body is not competent to provide the requested assistance;
providing the requested assistance would be incompatible with this Regulation.
Article 46e
The European Digital Identity Cooperation Group
The Cooperation Group shall have the following tasks:
exchange advice and cooperate with the Commission on emerging policy initiatives in the field of digital identity wallets, electronic identification means and trust services;
advise the Commission, as appropriate, in the early preparation of draft implementing and delegated acts to be adopted pursuant to this Regulation;
in order to support the supervisory bodies in the implementation of the provisions of this Regulation:
exchange best practices and information regarding the implementation of the provisions of this Regulation;
assess the relevant developments in the digital identity wallet, electronic identification and trust services sectors;
organise joint meetings with relevant interested parties from across the Union to discuss activities carried out by the cooperation group and gather input on emerging policy challenges;
with the support of ENISA, exchange views, best practices and information on relevant cybersecurity aspects concerning European Digital Identity Wallets, electronic identification schemes and trust services;
exchange best practices in relation to the development and implementation of policies on the notification of security breaches, and common measures as referred to in Articles 5e and 10;
organise joint meetings with the NIS Cooperation Group established pursuant to Article 14(1) of Directive (EU) 2022/2555 to exchange relevant information in relation to trust services and electronic identification related cyber threats, incidents, vulnerabilities, awareness raising initiatives, trainings, exercises and skills, capacity building, standards and technical specifications capacity as well as standards and technical specifications;
discuss, upon a request of a supervisory body, specific requests for mutual assistance as referred to in Article 46d;
facilitate the exchange of information between the supervisory bodies by providing guidance on the organisational aspects and procedures for the mutual assistance referred to in Article 46d;
organise peer reviews of electronic identification schemes to be notified under this Regulation.
CHAPTER V
DELEGATIONS OF POWER AND IMPLEMENTING PROVISIONS
Article 47
Exercise of the delegation
Article 48
Committee procedure
CHAPTER VI
FINAL PROVISIONS
Article 48a
Reporting requirements
The statistics collected in accordance with paragraph 1 shall include the following:
the number of natural and legal persons having a valid European Digital Identity Wallet;
the type and number of services accepting the use of the European Digital Identity Wallet;
the number of user complaints and consumer protection or data protection incidents relating to relying parties and qualified trust services;
a summary report including data on incidents preventing the use of the European Digital Identity Wallet;
a summary of significant security incidents, data breaches and affected users of European Digital Identity Wallets or of qualified trust services.
Article 49
Review
Article 50
Repeal
Article 51
Transitional measures
Article 52
Entry into force
This Regulation shall apply from 1 July 2016, except for the following:
Articles 8(3), 9(5), 12(2) to (9), 17(8), 19(4), 20(4), 21(4), 22(5), 23(3), 24(5), 27(4) and (5), 28(6), 29(2), 30(3) and (4), 31(3), 32(3), 33(2), 34(2), 37(4) and (5), 38(6), 42(2), 44(2), 45(2), and Articles 47 and 48 shall apply from 17 September 2014;
Article 7, Article 8(1) and (2), Articles 9, 10, 11 and Article 12(1) shall apply from the date of application of the implementing acts referred to in Articles 8(3) and 12(8);
Article 6 shall apply from three years as from the date of application of the implementing acts referred to in Articles 8(3) and 12(8).
This Regulation shall be binding in its entirety and directly applicable in all Member States.
ANNEX I
REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR ELECTRONIC SIGNATURES
Qualified certificates for electronic signatures shall contain:
(a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for electronic signature;
(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least, the Member State in which that provider is established and:
(c) at least the name of the signatory, or a pseudonym; if a pseudonym is used, it shall be clearly indicated;
(d) electronic signature validation data that corresponds to the electronic signature creation data;
(e) details of the beginning and end of the certificate’s period of validity;
(f) the certificate identity code, which must be unique for the qualified trust service provider;
(g) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;
(h) the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is available free of charge;
(i) the information or the location of the services that can be used to enquire about the validity status of the qualified certificate;
(j) where the electronic signature creation data related to the electronic signature validation data is located in a qualified electronic signature creation device, an appropriate indication of this, at least in a form suitable for automated processing.
ANNEX II
REQUIREMENTS FOR QUALIFIED ELECTRONIC SIGNATURE CREATION DEVICES
1. Qualified electronic signature creation devices shall ensure, by appropriate technical and procedural means, that at least:
the confidentiality of the electronic signature creation data used for electronic signature creation is reasonably assured;
the electronic signature creation data used for electronic signature creation can practically occur only once;
the electronic signature creation data used for electronic signature creation cannot, with reasonable assurance, be derived and the electronic signature is reliably protected against forgery using currently available technology;
the electronic signature creation data used for electronic signature creation can be reliably protected by the legitimate signatory against use by others.
2. Qualified electronic signature creation devices shall not alter the data to be signed or prevent such data from being presented to the signatory prior to signing.
ANNEX III
REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR ELECTRONIC SEALS
Qualified certificates for electronic seals shall contain:
(a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for electronic seal;
(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least the Member State in which that provider is established and:
(c) at least the name of the creator of the seal and, where applicable, registration number as stated in the official records;
(d) electronic seal validation data, which corresponds to the electronic seal creation data;
(e) details of the beginning and end of the certificate’s period of validity;
(f) the certificate identity code, which must be unique for the qualified trust service provider;
(g) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;
(h) the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (g) is available free of charge;
(i) the information or the location of the services that can be used to enquire about the validity status of the qualified certificate;
(j) where the electronic seal creation data related to the electronic seal validation data is located in a qualified electronic seal creation device, an appropriate indication of this, at least in a form suitable for automated processing.
ANNEX IV
REQUIREMENTS FOR QUALIFIED CERTIFICATES FOR WEBSITE AUTHENTICATION
Qualified certificates for website authentication shall contain:
(a) an indication, at least in a form suitable for automated processing, that the certificate has been issued as a qualified certificate for website authentication;
(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified certificates including at least the Member State in which that provider is established and:
(c) for natural persons: at least the name of the person to whom the certificate has been issued, or a pseudonym; if a pseudonym is used, it shall be clearly indicated;
for legal persons: a unique set of data unambiguously representing the legal person to whom the certificate is issued, with at least the name of the legal person to whom the certificate is issued and, where applicable, the registration number as stated in the official records;
(d) elements of the address, including at least city and State, of the natural or legal person to whom the certificate is issued and, where applicable, as stated in the official records;
(e) the domain name(s) operated by the natural or legal person to whom the certificate is issued;
(f) details of the beginning and end of the certificate’s period of validity;
(g) the certificate identity code, which must be unique for the qualified trust service provider;
(h) the advanced electronic signature or advanced electronic seal of the issuing qualified trust service provider;
(i) the location where the certificate supporting the advanced electronic signature or advanced electronic seal referred to in point (h) is available free of charge;
(j) the information or the location of the certificate validity status services that can be used to enquire about the validity status of the qualified certificate.
ANNEX V
REQUIREMENTS FOR QUALIFIED ELECTRONIC ATTESTATION OF ATTRIBUTES
Qualified electronic attestation of attributes shall contain:
(a) an indication, at least in a form suitable for automated processing, that the attestation has been issued as a qualified electronic attestation of attributes;
(b) a set of data unambiguously representing the qualified trust service provider issuing the qualified electronic attestation of attributes including at least, the Member State in which that provider is established and:
for a legal person: the name and, where applicable, registration number as stated in the official records;
for a natural person: the person’s name;
(c) a set of data unambiguously representing the entity to which the attested attributes refer; if a pseudonym is used, it shall be clearly indicated;
(d) the attested attribute or attributes, including, where applicable, the information necessary to identify the scope of those attributes;
(e) details of the beginning and end of the attestation’s period of validity;
(f) the attestation identity code, which must be unique for the qualified trust service provider and, if applicable, the indication of the scheme of attestations that the attestation of attributes is part of;
(g) the qualified electronic signature or qualified electronic seal of the issuing qualified trust service provider;
(h) the location where the certificate supporting the qualified electronic signature or qualified electronic seal referred to in point (g) is available free of charge;
(i) the information or location of the services that can be used to enquire about the validity status of the qualified attestation.
ANNEX VI
MINIMUM LIST OF ATTRIBUTES
Pursuant to Article 45e, Member States shall ensure that measures are taken to allow qualified trust service providers of electronic attestations of attributes to verify by electronic means at the request of the user, the authenticity of the following attributes against the relevant authentic source at national level or via designated intermediaries recognised at national level, in accordance with Union or national law and where these attributes rely on authentic sources within the public sector:
Address;
Age;
Gender;
Civil status;
Family composition;
Nationality or citizenship;
Educational qualifications, titles and licences;
Professional qualifications, titles and licences;
Powers and mandates to represent natural or legal persons;
Public permits and licences;
For legal persons, financial and company data.
ANNEX VII
REQUIREMENTS FOR ELECTRONIC ATTESTATION OF ATTRIBUTES ISSUED BY OR ON BEHALF OF A PUBLIC BODY RESPONSIBLE FOR AN AUTHENTIC SOURCE
An electronic attestation of attributes issued by or on behalf of a public body responsible for an authentic source shall contain:
(a) an indication, at least in a form suitable for automated processing, that the attestation has been issued as an electronic attestation of attributes issued by or on behalf of a public body responsible for an authentic source;
(b) a set of data unambiguously representing the public body issuing the electronic attestation of attributes, including at least, the Member State in which that public body is established and its name and, where applicable, its registration number as stated in the official records;
(c) a set of data unambiguously representing the entity to which the attested attributes refer; if a pseudonym is used, it shall be clearly indicated;
(d) the attested attribute or attributes, including, where applicable, the information necessary to identify the scope of those attributes;
(e) details of the beginning and end of the attestation’s period of validity;
(f) the attestation identity code, which must be unique for the issuing public body and, if applicable, an indication of the scheme of attestations that the attestation of attributes is part of;
(g) the qualified electronic signature or qualified electronic seal of the issuing body;
(h) the location where the certificate supporting the qualified electronic signature or qualified electronic seal referred to in point (g) is available free of charge;
(i) the information or location of the services that can be used to enquire about the validity status of the attestation.
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).
(2) Directive 2014/24/EU of the European Parliament and of the Council of 26 February 2014 on public procurement and repealing Directive 2004/18/EC (OJ L 94, 28.3.2014, p. 65).
(3) Directive (EU) 2019/882 of the European Parliament and of the Council of 17 April 2019 on the accessibility requirements for products and services (OJ L 151, 7.6.2019, p. 70).
(4) Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act) (OJ L 151, 7.6.2019, p. 15).
(5) Commission Recommendation 2003/361/EC of 6 May 2003 concerning the definition of micro, small and medium-sized enterprises (OJ L 124, 20.5.2003, p. 36).
(6) Regulation (EU) 2022/2065 of the European Parliament and of the Council of 19 October 2022 on a Single Market For Digital Services and amending Directive 2000/31/EC (Digital Services Act) (OJ L 277, 27.10.2022, p. 1).
(7) Regulation (EU) 2022/1925 of the European Parliament and of the Council of 14 September 2022 on contestable and fair markets in the digital sector and amending Directives (EU) 2019/1937 and (EU) 2020/1828 (Digital Markets Act) (OJ L 265, 12.10.2022, p. 1).
(8) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80).