Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document 32025R1572

Commission Implementing Regulation (EU) 2025/1572 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the format and procedures for notification of intention and verification with regard to the initiation of qualified trust services

C/2025/5051

OJ L, 2025/1572, 30.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1572/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_impl/2025/1572/oj

European flag

Official Journal
of the European Union

EN

L series

2025/1572

30.7.2025

COMMISSION IMPLEMENTING REGULATION (EU) 2025/1572

of 29 July 2025

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the format and procedures for notification of intention and verification with regard to the initiation of qualified trust services

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 21(4) thereof,

Whereas:

(1)

Where trust service providers intend to start providing a qualified trust service, they are to notify the supervisory body of their intention together with a conformity assessment report issued by a conformity assessment body confirming the fulfilment of the requirements laid down in Regulation (EU) No 910/2014. The supervisory body is to verify whether the trust service provider and the trust services provided by it comply with the requirements laid down in that Regulation. Where the supervisory body concludes that the trust service provider and the trust services provided by it comply with those requirements, the supervisory body is to grant qualified status to the trust service provider and the trust services it provides. To that end, supervisory bodies should make publicly available information about how trust service providers are to notify their intention of becoming a qualified trust service provider. To ensure that qualified trust service providers operate on equal terms in the Union, it is necessary that supervisory bodies verify the same type of information about trust service providers and in the same way.

(2)

Supervisory bodies should be transparent about how they process the information that trust service providers include in their notifications. The supervisory bodies should therefore draw up and make publicly available a description outlining how they verify whether the trust service provider complies with the relevant requirements.

(3)

The Regulation should apply from 12 months after its entry into force to ensure an adequate transitional period for Member States to be able to comply with the requirements of this Regulation by making the necessary adjustments as regards notifications to the supervisory bodies. Such adjustments may include updating national laws, organisational guidelines, and national information systems.

(4)

Regulation (EU) 2016/679 of the European Parliament and of the Council (2) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (3) apply to the personal data processing activities under this Regulation.

(5)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (4) and delivered its opinion on 6 June 2025.

(6)

The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Verification methodology

1.   Supervisory bodies shall establish a methodology for verifying compliance of trust service providers having notified their intention to start providing a qualified trust service with the requirements laid down in Regulation (EU) No 910/2014 and Article 21(2) of Directive (EU) 2022/2555 of the European Parliament and of the Council (5).

2.   The verification methodology shall include procedures and processes for involving competent authorities designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555, which carry out supervisory actions to verify the trust service provider’s compliance with the requirements laid down in Article 21 of Directive (EU) 2022/2555.

Article 2

Transparency

Supervisory bodies shall make the following information publicly available:

(1)

contact details of the supervisory body;

(2)

the communication channels to be used when trust service providers submit a notification of the intention to start providing a qualified trust service;

(3)

the list of documentation that trust service providers are to provide as a part of a notification of intention to start providing a qualified trust service;

(4)

the procedures for handling complaints relating to the process of verification of compliance of trust service providers having notified their intention to start providing a qualified trust service with the requirements laid down in Regulation (EU) No 910/2014 and Article 21(2) of Directive (EU) 2022/2555;

(5)

a general description of the methodology referred to in Article 1.

Article 3

Trust service provider notifications

Trust service providers shall provide at least the following information in their notifications of intention to start providing a qualified trust service:

(1)

where the trust service provider is a legal person, its name and, where applicable, a registration number, name of the Member State where it is established and the name of the person(s) signing or submitting the notification on behalf of the legal person;

(2)

where the trust service provider is a natural person, their name and personal identification number, and in the absence thereof their date of birth and the type and number of their identity document;

(3)

the telephone number, email address and postal address of the trust service provider;

(4)

the Uniform Resource Identifiers (URI) where users can obtain additional information concerning that trust service provider, including the practice statements and policies, the general terms and conditions and the customer care policies that apply to the trust service being notified;

(5)

the risk analysis underlying the measures referred to in Article 24(2), point (fa) of Regulation (EU) No 910/2014, and the risk analysis underlying the measures referred to in Article 21 of Directive (EU) 2022/2555;

(6)

each qualified trust service which the trust service provider intends to start providing;

(7)

for each trust service that the trust service provider intends to start providing as a qualified trust service:

one or more identifiers and, where applicable, certificates of the trust service, for inclusion in the national trusted list in accordance with the implementing acts adopted pursuant to Article 22(5) of Regulation (EU) No 910/2014;

the intended start date of the provision of the trust service;

the conformity assessment reports(s) of the trust service and the contact details of the conformity assessment body;

where applicable, technical reports supporting the conformity assessment report.

(8)

the termination plan referred to in Article 24(2), point (i) of Regulation (EU) No 910/2014.

Article 4

Verifications by supervisory bodies

1.   To determine whether the trust service provider and the qualified trust service it intends to provide comply with the requirements of Regulation (EU) No 910/2014 and Article 21 of Directive (EU) 2022/2555, supervisory bodies shall analyse the trust service provider’s provided information and may, in addition to any measures described in the methodology established pursuant to Article 1, perform on-site verifications, as well as interviews with representatives of the trust service provider and the conformity assessment body.

2.   Supervisory bodies shall verify at least the following elements:

(a)

the submitted conformity assessment report sufficiently demonstrates compliance of the trust service provider and the qualified trust service it intends to provide with the requirements set out in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555;

(b)

the submitted conformity assessment report complies with the requirements set out in the implementing acts adopted pursuant to Article 20(4) of Regulation (EU) No 910/2014;

(c)

any information contained in the submitted conformity assessment report indicating non-conformity with the requirements of Regulation (EU) No 910/2014;

(d)

any additional information considered necessary to verify compliance with the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555.

Article 5

Entry into force and applicability

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall apply from 19 August 2026.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 July 2025.

For the Commission

The President

Ursula VON DER LEYEN

(1)   OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(3)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).

(4)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(5)  Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).

ELI: http://data.europa.eu/eli/reg_impl/2025/1572/oj

ISSN 1977-0677 (electronic edition)

Top