This document is an excerpt from the EUR-Lex website
Document 32025R1571
Commission Implementing Regulation (EU) 2025/1571 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the formats and procedures for annual reports by supervisory bodies
C/2025/5050
OJ L, 2025/1571, 30.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1571/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)
In force
Official Journal, EN L series, 2025/1571, 30.7.2025
COMMISSION IMPLEMENTING REGULATION (EU) 2025/1571
of 29 July 2025
laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the formats and procedures for annual reports by supervisory bodies
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 46a(7) and Article 46b(7) thereof,
Whereas:
(1) Supervisory bodies for the European Digital Identity Wallets designated pursuant to Article 46a(1) of Regulation (EU) No 910/2014 and supervisory bodies for trust services designated pursuant to Article 46b(1) of that Regulation (‘supervisory bodies’) are to provide relevant information on their supervisory activities to the Commission pursuant to Article 46a(6) and Article 46b(6) of that Regulation.
(2) To establish a transparent and reliable source of information regarding the supervisory activities of the supervisory bodies, to ensure that data exchanges with the Commission are secure and verifiable, and to reduce administrative complexity, supervisory bodies should submit the annual reports in a specified format which is machine-readable and suitable for automated processing.
(3) To facilitate the exchange of good practices between supervisory bodies and to ensure consistent and efficient supervision in all Member States, it is essential that the annual reports of supervisory bodies contain comprehensive and relevant information. In particular, supervisory bodies should report on their activities entailing elements that could enhance cooperation, including, among others, details on conducted and intended supervisory activities, identified challenges, inspections, any significant security breach or loss of integrity notifications made by the supervisory body to the competent authorities of the Member State concerned pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council (2), and assistance among supervisory bodies pursuant to Articles 46c and 46d of Regulation (EU) No 910/2014. Moreover, since this information in the annual reports is to be made available to the European Parliament and the Council pursuant to Articles 46a(6) and 46b(6) of Regulation (EU) No 910/2014, the information to be provided would serve the purpose of transparency and accessibility of information. Therefore, all supervisory bodies should submit the information as set out in Annexes I and II to this Regulation.
(4) Regulation (EU) 2016/679 of the European Parliament and of the Council (3) and, where relevant, Regulation (EU) 2018/1725 of the European Parliament and of the Council (4) and Directive 2002/58/EC of the European Parliament and of the Council (5) apply to all personal data processing activities under this Regulation.
(5) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered its opinion on 28 May 2025.
(6) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,
HAS ADOPTED THIS REGULATION:
Article 1
Format and procedures of annual reports
1. Supervisory bodies shall submit their annual reports referred to in Article 46a(6) and Article 46b(6) of Regulation (EU) No 910/2014 to the Commission, through a secure electronic channel made available by the Commission.
2. Supervisory bodies shall submit the information in their annual reports only once, by re-using previously submitted information where appropriate.
3. Supervisory bodies for the European Digital Identity Wallets referred to in Article 46a(1) of Regulation (EU) No 910/2014 shall ensure that their annual reports include at least the information set out in Annex I to this Regulation.
4. Supervisory bodies for trust services referred to in Article 46b(1) of Regulation (EU) No 910/2014 shall ensure that their annual reports include at least the information set out in Annex II to this Regulation.
Article 2
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 29 July 2025.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.
(2) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).
(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).
(4) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).
(5) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).
ANNEX I
Information to be included in the annual reports of supervisory bodies for the European Digital Identity Wallets
The annual reports of supervisory bodies for the European Digital Identity Wallets shall include at least the following information:
(1) the name, address and contact details of the supervisory body submitting the annual report;
(2) where more than one supervisory body has been designated in accordance with Article 46a(1) of Regulation (EU) No 910/2014, the scope of the supervisory activities of the supervisory body submitting the annual report;
(3) a description of the organisation, structure, resources and capabilities of the supervisory body;
(4) a description of ex post and ex ante supervisory activities for each wallet provider carried out during the previous calendar year pursuant to Article 46a(3), point (a), including cases of suspected or potential infringements of Regulation (EU) No 910/2014 and a summary of main challenges identified;
(5) a summary of on-site inspections and off-site supervision activities carried out by the supervisory body, including at least the following information:
(6) a description of ex post supervisory activities carried out pursuant to Article 46a(3), point (b), of Regulation (EU) No 910/2014 and a summary of main challenges identified;
(7) a description of any significant security breach or loss of integrity notifications made by the supervisory body to the competent authorities of the Member State concerned, designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555 to the single points of contact of the Member State concerned designated or established pursuant to Article 8(3) of Directive (EU) 2022/2555, to the single points of contact of the other Member State or Member States concerned designated pursuant to Article 46c(1) of Regulation (EU) No 910/2014, or to the public;
(8) information on requests to wallet providers to remedy any failure to fulfil the requirements laid down in Regulation (EU) No 910/2014;
(9) a description of cases where the registration of relying parties in the mechanism referred to in Article 5b(7) of Regulation (EU) No 910/2014 was cancelled for reasons of illegal or fraudulent use of the European Digital Identity Wallet;
(10) a description of any cooperation with, or provision of assistance to, other supervisory bodies established in other Member States, in accordance with Articles 46c and 46e of Regulation (EU) No 910/2014 and an overview of outcomes of such cooperation;
(11) the frequency and nature of cooperation with competent supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 of the European Parliament and of the Council;
(12) an outlook on supervisory activities and priorities that the supervisory body intends to focus on in the following year.
ANNEX II
Information to be included in the annual reports of supervisory bodies of trust services
The annual reports of supervisory bodies shall include at least the following information:
(1) the name, address and contact details of the supervisory body submitting the annual report;
(2) where more than one supervisory body has been designated in accordance with Article 46b(1) of Regulation (EU) No 910/2014, the scope of the supervisory activities of the supervisory body submitting the annual report;
(3) a description of the organisation, structure, resources and capabilities of the supervisory authority submitting the annual report;
(4) a description of supervisory activities carried out pursuant to Article 46b(3), point (a) and point (b), during the reported calendar year in relation to non-qualified and qualified trust service providers established in the territory of the designating Member State and the trust services they provide, including cases of suspected or potential infringements of Regulation (EU) No 910/2014 and a summary of main challenges identified;
(5) a summary of on-site inspections and off-site supervision activities carried out by the supervisory body submitting the annual report, including at least the following information:
(6) a description of any additional action taken by the supervisory body pursuant to Article 46b(3), of Regulation (EU) No 910/2014;
(7) a description of any significant security breach or loss of integrity notifications made by the supervisory body submitting the annual report to the competent authorities of the Member State or Member States concerned designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555, to the single points of contact of the Member State or Member States concerned designated or established pursuant to Article 8(3) of Directive (EU) 2022/2555, to the single points of contact in the other Member States concerned designated pursuant to Article 46c(1) of Regulation (EU) No 910/2014, or to the public;
(8) a description of the scope of cooperation with other supervisory bodies established in other Member States and a description of assistance provided in accordance with Article 46c and Article 46e of Regulation (EU) No 910/2014 and an overview of outcomes of such cooperation;
(9) a description of the frequency and nature of cooperation of the supervisory bodies for trust services with competent supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 where personal data protection rules appear to have been breached and about security breaches which appear to constitute personal data breaches as regards trust service providers and the trust services they provide;
(10) a summary of the result of verifying the existence of provisions on termination plans and of verifying their correct application where a supervised qualified trust service provider ceases its activities, including an indication on how information is kept accessible in accordance with Article 24(2), point (h) of Regulation (EU) No 910/2014;
(11) a description of any investigations of claims made by providers of web browsers that they were investigating during the reporting period pursuant to Article 45a of Regulation (EU) No 910/2014 and on any other consequential actions taken in that context;
(12) a description of activities relating to trusted lists referred to in Article 22 of Regulation (EU) No 910/2014, including noticeable updates following supervisory activities, relevant experience or compliance issues with Commission Implementing Decision (EU) 2015/1505 (1), in particular with availability requirements;
(13) information about national accreditation schemes of conformity assessment bodies, national conformity assessment schemes or related guidance to conformity assessment schemes, or information about related initiatives;
(14) a description, where applicable, of any trust infrastructure established, maintained and updated by a supervisory body at a Member State’s request and in accordance with national law.
(1) Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (OJ L 235, 9.9.2015, p. 26, ELI: http://data.europa.eu/eli/dec_impl/2015/1505/oj).
ELI: http://data.europa.eu/eli/reg_impl/2025/1571/oj
ISSN 1977-0677 (electronic edition)