Access to European Union law
<a href="https://eur-lex.europa.eu/content/help/eurlex-content/experimental-features.html" target="_blank">More about the experimental features corner</a>
Choose the experimental features you want to try
EUR-Lex
Access to European Union law

This document is an excerpt from the EUR-Lex website

You are here
Use quotation marks to search for an "exact phrase". Append an asterisk (*) to a search term to find variations of it (transp*, 32019R*). Use a question mark (?) instead of a single character in your search term to find variations of it (ca?e finds case, cane, care).
Search tips
Need more search options? Use the Advanced search

Document 32025R1945

Commission Implementing Regulation (EU) 2025/1945 of 29 September 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the validation of qualified electronic signatures and of qualified electronic seals and the validation of advanced electronic signatures based on qualified certificates and of advanced electronic seals based on qualified certificates

C/2025/6492

OJ L, 2025/1945, 30.9.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1945/oj (BG, ES, CS, DA, DE, ET, EL, EN, FR, GA, HR, IT, LV, LT, HU, MT, NL, PL, PT, RO, SK, SL, FI, SV)

Legal status of the document In force

ELI: http://data.europa.eu/eli/reg_impl/2025/1945/oj

European flag

Official Journal
of the European Union

EN

L series

2025/1945

30.9.2025

COMMISSION IMPLEMENTING REGULATION (EU) 2025/1945

of 29 September 2025

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the validation of qualified electronic signatures and of qualified electronic seals and the validation of advanced electronic signatures based on qualified certificates and of advanced electronic seals based on qualified certificates

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 32(3), Article 32a(3), Article 40 and Article 40a thereof,

Whereas:

(1)

Qualified electronic signatures, qualified electronic seals, advanced electronic signatures based on qualified certificates for electronic signatures and advanced electronic seals based on qualified certificates for electronic seals, provided their validity can be confirmed, ensure to relying parties the integrity and authenticity of the signed or sealed data, and enhance the certainty regarding the identity of the signatory or the seal creator. Those electronic signatures and seals play a crucial role in the digital business environment by promoting the transition from traditional paper-based processes to electronic equivalent ones.

(2)

The presumption of compliance laid down in Article 32(1), Article 40, Article 32a(3) and Article 40a of Regulation (EU) No 910/2014 should apply where the processes for the validation of qualified electronic signatures, of qualified electronic seals, of advanced electronic signatures based on qualified certificates for electronic signatures and of advanced electronic seals based on qualified certificates for electronic seals comply with the technical standards set out in this Regulation. These standards should reflect established practices and be widely recognised within the relevant sectors. They should be adapted to include additional controls ensuring the ability to verify the technical validity of those signatures and seals, and, where applicable, their qualified status.

(3)

The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (2), the Commission should review and update this Regulation, if necessary, to keep it in line with global developments, new technologies, standards or technical specifications and to follow the best practices on the internal market.

(4)

Regulation (EU) 2016/679 of the European Parliament and of the Council (3) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (4) apply to all personal data processing activities under this Regulation.

(5)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5) and delivered its opinion on 6 June 2025.

(6)

The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Reference standards and specifications

1.   The reference standards and specifications referred to in Article 32(3) and Article 40 of Regulation (EU) No 910/2014 are set out in Annex I to this Regulation.

2.   The reference standards and specifications referred to in Article 32a(3) and Article 40a of Regulation (EU) No 910/2014 are set out in Annex II to this Regulation.

Article 2

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 September 2025.

For the Commission

The President

Ursula VON DER LEYEN

(1)   OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2)  Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (OJ L, 2024/1183, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1183/oj).

(3)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(4)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).

(5)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

ANNEX I

List of reference standards and specifications for the validation of qualified electronic signatures and of qualified electronic seals

The standards ETSI TS 119 172-4 V1.1.1 (2021-05) (1) (‘ETSI TS 119 172-4’), and ETSI TS 119 102-2 V1.4.1 (2023-06) (2) (‘ETSI TS 119 102-2’) apply with the following adaptations:

1.

For ETSI TS 119 172-4

(1)

2.1 Normative references:

[1] ETSI EN 319 102-1 V1.4.1 (2024-06) ‘Electronic Signatures and Trust Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation’.

All references to ‘ETSI TS 119 102-1 [1]’ shall be understood as references to ‘ETSI EN 319 102-1 [1]’.

[2] ETSI TS 119 612 V2.3.1 (2024-11) ‘Electronic Signatures and Infrastructures (ESI); Trusted Lists’.

[13] ETSI TS 119 101 V1.1.1 (2016-03) ‘Electronic Signatures and Infrastructures (ESI); Policy and security requirements for applications for signature creation and signature validation’.

(2)

4.2 Validation constraints and validation procedures, requirement REQ-4.2-03, section ‘X.509 validation constraints’, point c):

(i) If an end-entity certificate represents a trust anchor, the RevocationCheckingConstraints shall not be used.

(ii) If an end-entity certificate does not represent a trust anchor, the RevocationCheckingConstraints shall be set to ‘eitherCheck’ as defined in ETSI TS 119 172-1 [3], clause A.4.2.1, table A.2 rows (m)2.1.

(iii) If an end-entity certificate represents a trust anchor, the RevocationFreshnessConstraints defined in ETSI TS 119 172-1 [3], clause A.4.2.1, table A.2 rows (m)2.2 shall not be used.

(iv) If an end-entity certificate does not represent a trust anchor, the RevocationFreshnessConstraints defined in ETSI TS 119 172-1 [3], clause A.4.2.1, table A.2 rows (m)2.2 shall be used with a maximum value of 24 hours for the signing certificate. No value shall be set for the RevocationFreshnessConstraints for certificates other than the signing certificate, including certificates supporting time-stamps.

(3)

4.3 Requirements on signature validation and applicability rules checking practices

REQ-4.3-02 Signature validation applications shall be compliant with ETSI TS 119 101 [13].

(4)

4.4 Technical applicability (rules) checking process

REQ-4.4.2-03 If any of the checks specified in REQ-4.4.2-01 fails, then:

(a)

the process stops;

(b)

the signature shall be technically determined as indeterminate, i.e. as neither an EU qualified electronic signature, nor as an EU qualified electronic seal; and

(c)

the above result and the results of processes of all the intermediate processes shall be reflected in the signature applicability rules checking report.

(1)  ETSI TS 119 172-4 – Electronic Signatures and Infrastructures (ESI); Signature Policies; Part 4: Signature applicability rules (validation policy) for European qualified electronic signatures/seals using trusted lists, V1.1.1 (2021-05).

(2)  ETSI TS 119 102-2 – Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 2: Signature Validation Report, V1.4.1 (2023-06).

ANNEX II

List of reference standards and specifications for the validation of advanced electronic signatures based on qualified certificates and of advanced electronic seals based on qualified certificates

The standards ETSI TS 119 172-4 V1.1.1 (2021-05) (1) (‘ETSI TS 119 172-4’), and ETSI TS 119 102-2 V1.4.1 (2023-06) (2) (‘ETSI TS 119 102-2’) apply with the following adaptations:

1.

For ETSI TS 119 172-4

(1)

2.1 Normative references:

[1] ETSI EN 319 102-1 V1.4.1 (2024-06) ‘Electronic Signatures and Trust Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 1: Creation and Validation’.

All references to ‘ETSI TS 119 102-1 [1]’ shall be understood as references to ‘ETSI EN 319 102-1 [1]’.

[2] ETSI TS 119 612 V2.3.1 (2024-11) ‘Electronic Signatures and Infrastructures (ESI); Trusted Lists’.

[13] ETSI TS 119 101 V1.1.1 (2016-03) ‘Electronic Signatures and Infrastructures (ESI); Policy and security requirements for applications for signature creation and signature validation’.

(2)

4.2 Validation constraints and validation procedures, requirement REQ-4.2-03, section ‘X.509 validation constraints’, point (c):

(i) If an end-entity certificate represents a trust anchor, the RevocationCheckingConstraints shall not be used.

(ii) If an end-entity certificate does not represent a trust anchor, the RevocationCheckingConstraints shall be set to ‘eitherCheck’ as defined in ETSI TS 119 172-1 [3], clause A.4.2.1, table A.2 rows (m)2.1.

(iii) If an end-entity certificate represents a trust anchor, the RevocationFreshnessConstraints defined in ETSI TS 119 172-1 [3], clause A.4.2.1, table A.2 rows (m)2.2 shall not be used.

(iv) If an end-entity certificate does not represent a trust anchor, the RevocationFreshnessConstraints defined in ETSI TS 119 172-1 [3], clause A.4.2.1, table A.2 rows (m)2.2 shall be used with a maximum value of 24 hours for the signing certificate. No value shall be set for the RevocationFreshnessConstraints for certificates other than the signing certificate, including certificates supporting time-stamps.

(3)

4.3 Requirements on signature validation and applicability rules checking practices

REQ-4.3-02 Signature validation applications shall be compliant with ETSI TS 119 101 [13].

(4)

4.4 Technical applicability (rules) checking process

REQ-4.4.2-03 If any of the checks specified in REQ-4.4.2-01 fails, then:

(a)

the process stops;

(b)

the signature shall be technically determined as indeterminate, i.e. as neither an advanced electronic signature based on EU qualified certificate, nor as an advanced electronic seal based on EU qualified certificate; and

(c)

the above result and the results of processes of all the intermediate processes shall be reflected in the signature applicability rules checking report.

REQ-4.4.2-04 void.

REQ-4.4.2-05 void.

REQ-4.4.2-06 At that point of the TARC process, if the following conditions are met:

(a)

the signing certificate is determined, at the best signature time, as an EU qualified certificate for electronic signatures (respectively for electronic seals), as specified in REQ-4.4.2-02 a); and

(b)

the result of the process performed as specified in clause 4.2 of the present document is TOTAL-PASSED,

then the digital signature shall be determined as technically suitable to implement an EU advanced electronic signature based on a qualified certificate (respectively an EU advanced electronic seal based on a qualified certificate), otherwise the signature shall not be determined technically either as an EU advanced electronic signature based on a qualified certificate, or as an EU advanced electronic seal based on a qualified certificate.

(1)  ETSI TS 119 172-4 – Electronic Signatures and Infrastructures (ESI); Signature Policies; Part 4: Signature applicability rules (validation policy) for European qualified electronic signatures/seals using trusted lists, V1.1.1 (2021-05).

(2)  ETSI TS 119 102-2 – Electronic Signatures and Infrastructures (ESI); Procedures for Creation and Validation of AdES Digital Signatures; Part 2: Signature Validation Report, V1.4.1 (2023-06).

ELI: http://data.europa.eu/eli/reg_impl/2025/1945/oj

ISSN 1977-0677 (electronic edition)

Top