This document is an excerpt from the EUR-Lex website

Document 32025R1566

Commission Implementing Regulation (EU) 2025/1566 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for the verification of the identity and attributes of the person to whom the qualified certificate or the qualified electronic attestation of attributes is to be issued

C/2025/5048

OJ L, 2025/1566, 30.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1566/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document: In force

Official Journal of the European Union

EN

L series


2025/1566

30.7.2025

COMMISSION IMPLEMENTING REGULATION (EU) 2025/1566

of 29 July 2025

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for the verification of the identity and attributes of the person to whom the qualified certificate or the qualified electronic attestation of attributes is to be issued

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 24(1c) thereof,

Whereas:

(1) Article 24 of Regulation (EU) No 910/2014 requires that qualified trust service providers verify the identity and, if applicable, any specific attributes of a natural or legal person when issuing qualified certificates or qualified electronic attestations of attributes to that person.

(2) In order to ensure equal treatment and ability to trust the result of the verification process, verifications should be carried out in an equivalent manner by all qualified trust service providers when issuing a qualified certificate or a qualified electronic attestation of attributes. In accordance with the objectives of Regulation (EU) No 910/2014, a number of standards have been selected to meet these specific requirements. These standards should reflect established practices and be widely recognised within the relevant sectors. These standards should be adapted to include additional controls ensuring the security and trustworthiness of the qualified trust service, while facilitating cross-border interoperability and the effective functioning of the internal market.

(3) An adequate transitional period for qualified trust service providers should be provided for them to be able to comply with the requirements of Regulation (EU) No 910/2014. With a view to ensuring a sufficient timeframe for the audit of trust service providers as regards compliance with the requirements of this Regulation, this Regulation should apply from 24 months as of its entry into force.

(4) The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (2), the Commission should review and update this Regulation, if necessary, to keep it in line with global developments, new technologies, standards or technical specifications and to follow the best practices on the internal market.

(5) Regulation (EU) 2016/679 of the European Parliament and of the Council (3) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (4) apply to the personal data processing activities under this Regulation.

(6) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5), and delivered its opinion on 06 June 2025.

(7) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

The reference standards and specifications referred to in Article 24(1c) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall apply from 19 August 2027.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 July 2025.

For the Commission

The President

Ursula VON DER LEYEN


(1)   OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2)  Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (OJ L, 2024/1183, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1183/oj).

(3)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(4)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).

(5)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).


ANNEX

Reference standard for the verification of the identity and attributes of persons to whom a qualified certificate or qualified electronic attestation of attributes is to be issued

The standard ETSI TS 119 461 V2.1.1 (2025-02) for conformance with Annex C clause C.3 applies, with the following adaptations:

(1) 2.1 Normative references

[1] ETSI EN 319 401 V3.1.1 (2024-06): ‘Electronic Signatures and Trust Infrastructures (ESI); General Policy Requirements for Trust Service Providers’.

(2) C.3 Use cases for issuance of qualified certificate or qualified electronic attestations of attributes in accordance with Article 24(1), (1a) and (1b) of Regulation (EU) No 910/2014

[CONDITIONAL] QTS-C3-01: If identity verification for qualified certificate or a qualified electronic attestation is done in conjunction with identity verification to issue authoritative evidence, that identity verification process shall:

have been peer reviewed or certified by an accredited conformity assessment body to comply with assurance level high in accordance with Regulation (EU) No 910/2014, or

comply with the requirements set out in clauses C3.1 to C3.6.

(3) C.3.4 Use case for identity proofing by other identification means

QTS-C.3.4-06A: The independent conformity assessment body referred to in [CONDITIONAL] QTS-C.3.4-06, point c) shall be accredited as per Article 3 (18) of Regulation (EU) No 910/2014, and, if all applicable requirements are fulfilled, the assessment should result in a certificate of compliance based on a certification audit. This formal certification process shall be based on a security evaluation process that refers to the levels of assurance defined for notified electronic identification means or certified European Digital Identity Wallets under Regulation (EU) No 910/2014 and shall include rigorous testing to evaluate resistance against potential security threats. These evaluations shall employ pertinent technical standards to demonstrate robustness against such attacks.

(4) 9.2.3.4 Use case for automated operation

USE-9.2.3.4-04: The IPSP shall establish target values for the FAR and FRR, based on a risk analysis and its threats intelligence procedure, by following the methodology established in the ENISA report ‘Methodology for sectoral cybersecurity assessments’ [i.28] or an equivalent methodology, in fully automated identity proofing processes. These target values shall be equal to or lower than those set for hybrid use cases, when they exist. The IPSP shall maintain these target values for FAR and FRR consistently, supported by a risk analysis and its threats intelligence procedure.

(5) 8.3.3 Validation of physical identity document

VAL-8.3.3-21: The effectiveness of the measures for complying with the requirements VAL-8.3.3-05X, VAL-8.3.3-05A, VAL-8.3.3-05B, VAL-8.3.3-05C, VAL-8.3.3-07A and VAL-8.3.3-07X, shall be tested by an accredited laboratory or a national competent authority, whenever they are designated, at the latest by 19 August 2027 and then be repeated every second year.

(6) 7.12. Termination and termination plans

OVR-7.12-02: The termination plan shall comply with the requirements set out in the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014 [i.1]


ISSN 1977-0677 (electronic edition)

