Document 32025R2162

Commission Implementing Regulation (EU) 2025/2162 of 27 October 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and the Council as regards the accreditation of conformity assessment bodies performing the assessment of qualified trust service providers and the qualified trust services they provide, the conformity assessment report and the conformity assessment scheme

C/2025/7180

OJ L, 2025/2162, 28.10.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/2162/oj

Legal status of the document: In force

Official Journal of the European Union

EN, L series

2025/2162, 28.10.2025

COMMISSION IMPLEMENTING REGULATION (EU) 2025/2162

of 27 October 2025

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and the Council as regards the accreditation of conformity assessment bodies performing the assessment of qualified trust service providers and the qualified trust services they provide, the conformity assessment report and the conformity assessment scheme

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 20(4) thereof,

Whereas:

(1)

Pursuant to Articles 20(1) and 21(1) of Regulation (EU) No 910/2014, qualified trust service providers and the qualified trust services they provide are to be audited by conformity assessment bodies. The resulting conformity assessment reports confirm whether the requirements laid down in that Regulation and in Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council (2) are fulfilled. Consequently, it is necessary to establish a harmonised and robust framework for the accreditation of conformity assessment bodies, the conformity assessment schemes they implement, the conformity assessments they perform in accordance with those schemes, and the resulting conformity assessment reports.

(2)

The accreditation of conformity assessment bodies assessing qualified trust service providers and the qualified trust services they provide, the conformity assessment report and the conformity assessment scheme should meet the requirements laid down in this Regulation. Conformity assessment bodies may satisfy these requirements either independently, by utilising composite certification or by subcontracting to duly accredited entities.

(3)

Conformity assessment bodies accredited for assessing qualified trust service providers and the qualified trust services they provide as regards the issuance of qualified electronic attestations of attributes should be permitted to issue the conformity assessment report required by Article 45f(3) of Regulation (EU) No 910/2014.

(4)

To contribute to the transparency of the accreditation process, the accreditation certificate issued to a conformity assessment body in accordance with Article 5 of Regulation (EC) No 765/2008 of the European Parliament and of the Council (3), should contain sufficient information to enable third parties to verify that the accredited conformity assessment body is authorised to conduct a conformity assessment under Regulation (EU) No 910/2014.

(5)

To maintain the integrity and accuracy of accreditation certificates, national accreditation bodies should ensure that these certificates reflect up-to-date information.

(6)

To ensure the integrity of the accreditation process, the accreditation certificate issued to a conformity assessment body may be subject to suspension or withdrawal at any time for each qualified trust service that the conformity assessment body has been accredited to assess. Suspension or withdrawal may occur after sanctioning by the national accreditation body or voluntarily by the conformity assessment body itself.

(7)

For the purpose of harmonisation of this accreditation framework, this Regulation should be based on established standards, which reflect established practices and which are widely recognised within the relevant sectors.

(8)

To enhance transparency, conformity assessment bodies should make the certificates of conformity that they issue publicly available. The certificates of conformity confirm the positive certification decisions taken by the conformity assessment bodies. However, the qualified status is only granted to, or withdrawn from, the trust service provider and the trust services they provide, by the supervisory body.

(9)

To assess the compliance of qualified trust service providers and the qualified trust services they provide with Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555, conformity assessment bodies should use a conformity assessment scheme. Conformity assessment bodies should apply standards as benchmarks to assess qualified trust service providers and the qualified trust services they provide, taking into account the versions and adaptations to these standards set out in the service specific implementing acts based on Regulation (EU) No 910/2014. These standards should reflect established practices and be widely recognised within the relevant sectors.

(10)

Conformity assessment schemes set out the rules and procedures to be used by conformity assessment bodies in their assessments of qualified trust service providers and of the qualified trust services that they provide. Such schemes are evaluated by national accreditation bodies against the requirements set out in this Regulation. The content of such schemes is subject to changes over time. To facilitate the application of successive versions of conformity assessment schemes, the accredited conformity assessment bodies should put in place a specific process to manage evolutions of a scheme for which they are accredited.

(11)

To oversee the development and maintenance of the conformity assessment schemes, each conformity assessment scheme should be assigned a scheme owner. Conformity assessment bodies, governmental bodies or an authority, a trade association, a group of conformity assessment bodies, or any appropriate body or group of bodies could be a scheme owner and could be different from the conformity assessment body operating the scheme.

(12)

To ensure the continuity of the provision of their services, the accreditation of conformity assessment bodies should remain valid for earlier versions of standards referenced in the conformity assessment scheme. In those instances, the conformity assessment bodies should refer to those earlier versions of the standards explicitly, including the year and version number.

(13)

To enhance flexibility, national accreditation bodies should be permitted to offer flexible scope accreditation, enabling conformity assessment bodies, in specific circumstances, to include additional activities in their scope of accreditation without the need for an evaluation by the national accreditation body. When designing the flexible scope accreditation, national accreditation bodies will consider the accreditation of flexible scopes as set out by European cooperation for Accreditation, appointed in accordance with Regulation (EC) No 765/2008. Where national accreditation bodies allow conformity assessment bodies to make use of such flexible scope accreditation, they should indicate it in the accreditation certificate for transparency purposes. To enhance flexibility even where national accreditation bodies do not offer flexible scope accreditation, they should carefully consider, before re-evaluating the accredited conformity assessment body, the impact of the changes to the conformity assessment scheme for which that body has been accredited.

(14)

To ensure reliability of the conformity assessment schemes, owners should ensure that their conformity assessment schemes do not allow positive certification decisions, or any certificate of conformity, to be issued where the conformity assessment leads to the identification of any non-conformity with the requirements of Regulation (EU) No 910/2014, or with Article 21 of Directive (EU) 2022/2555, with regard to qualified trust service providers and the qualified trust service they provide. Indeed, while conformity assessment reports could include non-conformities and potential remediation plans, no certificate of conformity or positive certification decision should be issued when non-conformities are identified.

(15)

To ensure transparency in their practices, scheme owners should make publicly available a summary of their conformity assessment schemes. The summary should contain a description of the set of rules and procedures followed for the assessment of the conformity of qualified trust service providers and the qualified trust services they provide with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555.

(16)

To support the quality, security and reliability of the qualified trust service provider’s activities, the conformity assessment report should identify, where appropriate, opportunities for improvement that could refine the manner in which the qualified trust service provider and the qualified trust services they provide meet the applicable requirements.

(17)

To support transparency and to facilitate the verification by supervisory bodies that an assessed qualified trust service provider and the qualified trust services they provide meet the applicable requirements, the conformity assessment report should include certain minimum information. In particular, for the purpose of facilitating the identification of the service entries to be listed in the national trusted list in accordance with Article 22 of Regulation (EU) No 910/2014, where applicable, a detailed description of the public key infrastructure functional hierarchy, per type of qualified trust service, should be provided in the conformity assessment report.

(18)

To support transparency and facilitate the verification and monitoring of accreditation of conformity assessment bodies in accordance with Regulation (EU) No 910/2014, national accreditation bodies should, where applicable, provide a history of the scope of accreditation, including the start and, where applicable, the end date of the accreditation for each qualified trust service.

(19)

To ensure continuity of conformity assessment bodies that have already been accredited, and to support the transition to the rules laid down in this Regulation, conformity assessment bodies that are currently accredited under standard ETSI EN 319 403 version 2.2.2, or an earlier version thereof, would not need to be re-accredited under Regulation (EU) No 910/2014 until 17 May 2027. After this date, the conformity assessment bodies should be evaluated by the national accreditation body against the requirements set out in this Regulation.

(20)

The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (4), the Commission should review and update this Implementing Regulation, if necessary, to keep it in line with global developments, new technologies, standards or technical specifications and to follow the best practices on the internal market.

(21)

Regulation (EU) 2016/679 of the European Parliament and of the Council (5) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (6) apply to the personal data processing activities under this Regulation.

(22)

The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) and delivered its opinion on 8 August 2025 (8).

(23)

The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Definitions

For the purpose of this Regulation, the following definitions shall apply:

(1)

‘scheme owner’ means an entity or a group of entities which is responsible for developing and maintaining a conformity assessment scheme;

(2)

‘certification decision’ means a certification decision, which follows a conformity assessment conducted by a conformity assessment body where that body positively or negatively confirms the conformity of a specific qualified trust service provider and the qualified trust service it provides with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555;

(3)

‘certificate of conformity’ means a document by which a conformity assessment body attests a certification decision that positively confirms that a specific qualified trust service provider and the qualified trust service it provides comply with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555;

(4)

‘conformity assessment scheme’ means a set of rules and procedures to be used by conformity assessment bodies for the purpose of the assessment of the conformity of qualified trust service providers and the qualified trust services that they provide with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555;

(5)

‘conformity assessment report’ means a document that provides detailed information, where applicable supplementary to that contained in a certification decision and associated certificate of conformity, on the method used to carry out, in accordance with a conformity assessment scheme, a conformity assessment of the compliance of a specific qualified trust service provider and the qualified trust service it provides with the requirements of Regulation (EU) No 910/2014 and of Article 21 of Directive (EU) 2022/2555 and on the results of the conformity assessment;

(6)

‘accreditation’ means an accreditation, as defined in Article 2, point 10 of Regulation (EC) No 765/2008;

(7)

‘flexible scope accreditation’ means an accreditation where the specific conformity assessment activities for which accreditation is sought, or has been granted, are expressed to allow conformity assessment bodies to make changes in methodology and other parameters which fall within the competence of the conformity assessment body as confirmed by the national accreditation body;

(8)

‘national accreditation body’ means a national accreditation body as defined in Article 2, point 11, of Regulation (EC) No 765/2008.

Article 2

Accreditation of conformity assessment bodies

1.   For the purposes of making certification decisions in accordance with a specific conformity assessment scheme, conformity assessment bodies shall be accredited in accordance with standard EN ISO/IEC 17065:2012 supplemented by standard ETSI EN 319 403-1 v2.3.1.

2.   The accreditation of conformity assessment bodies referred to in paragraph 1 shall be performed by a national accreditation body in compliance with standard EN ISO/IEC 17011:2017.

Article 3

Accreditation certificate issued to conformity assessment bodies

1.   National accreditation bodies shall ensure that the accreditation certificates they issue to conformity assessment bodies contain at least the following information:

(a)

the unique accreditation certificate identity code;

(b)

the issuance date of the accreditation certificate;

(c)

the name and country, as stated in the national official records, of the national accreditation body issuing the accreditation certificate;

(d)

the name and, where applicable, registration number as stated in the national official records, of the accredited conformity assessment body;

(e)

the scope of accreditation, with regard to one or more of the following qualified trust services:

- the issuance of qualified certificates for electronic signatures;
- the issuance of qualified certificates for electronic seals;
- the issuance of qualified certificates for website authentication;
- the qualified validation service for qualified electronic signatures;
- the qualified validation service for qualified electronic seals,
- the qualified preservation service for qualified electronic signatures;
- the qualified preservation service for qualified electronic seals;
- the creation of qualified electronic timestamps;
- the provision of qualified electronic registered delivery services;
- the qualified service for the management of remote qualified electronic signature creation devices;
- the qualified service for the management of remote qualified electronic seal creation devices;
- the provision of qualified electronic archiving services;
- the issuance of qualified electronic attestations of attributes;
- the recording of electronic data in a qualified electronic ledger.

(f)

the identification, including, where relevant, the specific version, of the conformity assessment scheme for which the conformity assessment body has been accredited;

(g)

the indication of the use of the flexible scope accreditation, where relevant;

(h)

the identification, where relevant, of the document outlining the design and implementation process of the flexible scope accreditation.

2.   National accreditation bodies shall ensure that the start date, and where applicable, the end date of the accreditation of the conformity assessment body for conducting the conformity assessment of the qualified trust services as referred to in paragraph 1, point (e), including specific dates for each qualified trust service as applicable, are part of the accreditation details referred to in Article 20(1b) of Regulation (EU) No 910/2014.

3.   National accreditation bodies shall ensure that any relevant changes made in relation to the information provided in accordance with paragraph 1 shall be clearly reflected in the accreditation certificate.

4.   The accreditation certificate shall clearly describe the scope of the accreditation of the conformity assessment body, in accordance with Article 2(1).

Article 4

Reconsideration of existing accreditation

1.   The scheme owner shall implement procedures to monitor any changes in the standards referred to in Article 2(1) or in Article 6(3), or to a conformity assessment scheme owned by it and on the basis of which a conformity assessment body has been accredited in accordance with Article 2.

2.   The scheme owner shall notify the national accreditation body of the changes identified as a result of the procedures referred to in paragraph 1, in a timely manner.

3.   Where the national accreditation body did not apply flexible scope accreditation to accredited conformity assessment bodies, the national accreditation body shall determine whether the changes, identified as a result of the procedures referred to in paragraph 1, are likely to materially affect the ability of accredited conformity assessment bodies to conduct conformity assessments pursuant to schemes for which they have been accredited.

4.   Where the national accreditation body determines, pursuant to paragraph 3, that changes do affect the ability of conformity assessment bodies to conduct conformity assessments, it shall request the conformity assessment body to take appropriate measures within a reasonable prescribed period.

5.   If the conformity assessment body is unable or unwilling to take the measures referred to in paragraph 4 within the period prescribed, the national accreditation body shall immediately withdraw or suspend the accreditation.

6.   Where the national accreditation body determines, pursuant to paragraph 3, that changes do not affect the ability of conformity assessment bodies to conduct conformity assessments, it may, where appropriate, extend the validity and scope of the accreditation of the assessed conformity assessment body.

7.   Where appropriate, the national accreditation body shall update the accreditation certificate in a timely manner to reflect the outcome of the reconsideration of the accreditation pursuant to this Article.

8.   Where a conformity assessment body receives a request pursuant to paragraph 4, it shall, in a timely manner, inform any qualified trust service providers that it has previously assessed under the relevant conformity assessment scheme of any impacts that the reconsideration of the conformity assessment body’s accreditation may have on those qualified trust service providers, including with respect to future certification decisions made by the conformity assessment body under that scheme.

Article 5

Conformity assessment bodies

1.   Conformity assessment bodies shall make the certificates of conformity they issue available in a public repository maintained by that conformity assessment body for that purpose.

2.   Any subcontracting by the conformity assessment body of the performance of conformity assessment activities shall duly consider the nature of the activity to be performed. The conformity assessment body shall ensure that the subcontractor complies with the standards set out in Annex I for the specific activity being subcontracted.

3.   Conformity assessment bodies shall ensure, upon issuing a certification decision, that the qualified trust services provider to whom the decision relates, is able to submit the complete conformity assessment reports corresponding to that decision to the supervisory bodies.

Article 6

Conformity assessment schemes

1.   Each conformity assessment scheme shall identify a scheme owner.

2.   A conformity assessment scheme shall comply with scheme type 6 of standard EN ISO/IEC 17067:2013 and with the requirements laid down in this Article.

3.   Scheme owners shall ensure that their conformity assessment schemes include at least the standards, as applicable, set out in Annex II by indicating the year and version number of these standards.

4.   Scheme owners shall ensure that where a flexible scope accreditation is applicable, this is indicated in the conformity assessment scheme.

5.   Scheme owners shall ensure that their conformity assessment schemes establish processes and procedures, regarding at least the following:

(a)

receiving and handling complaints to the scheme owner on the implementation of the conformity assessment scheme;

(b)

notifications by the conformity assessment body to the supervisory body designated in accordance with Article 46b(1) of Regulation (EU) No 910/2014 on the issuance of certificates of conformity and any changes thereto;

(c)

where applicable, subcontracting the performance of conformity assessment activities by the conformity assessment body;

(d)

the performance of yearly surveillance activities on the basis of the applicable requirements of clause 7.9 of standard ISO/IEC 17065:2012;

(e)

the management and notification by the qualified trust service provider to the conformity assessment body and to the competent supervisory body of any change impacting the operation of qualified trust service providers or the qualified trust services they provide;

(f)

the verification of evidence demonstrating that the conformity assessment body:

- has sufficient knowledge and expertise in the application of specific standards related to the qualified trust service provided by the qualified trust service provider, as referred to in paragraph 3;
- has professional experience in conformity assessment in at least three assessments of trust service providers or three assessments of information security management systems; and
- can ensure the availability of a team of no fewer than two qualified persons possessing the necessary expertise to carry out such conformity assessment.

6.   Scheme owners shall ensure that their conformity assessment schemes require the qualified trust service providers to have processes, procedures and work instructions in place to notify the conformity assessment body at least one month before the qualified trust service providers implement any significant change in the provision of the qualified trust services certified under that scheme and at least three months before it intends to cease the provision of the services or parts thereof.

7.   Scheme owners shall ensure that their conformity assessment schemes do not allow positive certification decisions, or any certificate of conformity, to be issued where the conformity assessment leads to the identification of non-conformity of the assessed qualified trust service providers and the qualified trust service they provide with the requirements of Regulation (EU) No 910/2014 and of Article 21 of Directive (EU) 2022/2555.

8.   Scheme owners shall ensure that their conformity assessment schemes set out the procedure for the attestation of a certificate of conformity. They shall require, in particular, that the qualified trust service providers immediately inform the competent supervisory body of any change to a certificate of conformity. They shall also require that qualified trust services providers refrain from providing the qualified trust services concerned or from advertising any reference thereto until the competent supervisory body reconfirms the qualified status. This procedure shall comply with the requirements set out in clause 7.11 of standard ISO/IEC 17065:2012.

9.   Scheme owners shall ensure that their conformity assessment schemes set out the conformity assessment process to be conducted over a sufficient number of person-days and shall ensure that sufficient resources and time are allocated for the conformity assessment, taking into account the scope and the complexity of the assessment.

10.   Scheme owners shall make a summary of the conformity assessment scheme publicly available for download. The summary shall contain a description of the set of rules and procedures followed for the assessment of the conformity of qualified trust service providers and the qualified trust services they provide with the requirements of Regulation (EU) No 910/2014 and of Article 21 of Directive (EU) 2022/2555.

11.   Scheme owners shall ensure that their conformity assessment schemes require that at least one surveillance conformity assessment is conducted annually for every evaluated qualified trust service.

Article 7

Conformity assessment reports

1.   The conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014, shall comply with the specifications set out in Annex III.

2.   The conformity assessment report shall be considered a part of the certification documentation specified in clause 7.7 of standard ETSI EN 319 403-1.

Article 8

Accreditation information

1.   Any interested party can request, free of charge, current and past information about the scope, start date and, where applicable, end date of the accreditation of conformity assessment bodies, for each type of qualified trust service that the conformity assessment body is or has been accredited to assess. This information shall be made available by national accreditation bodies.

2.   Current and past information, as referred to in paragraph 1, should be made available for at least a period of 6 years after the accreditation of the conformity assessment body.

Article 9

Grandfathering provision

Conformity assessment bodies that have, before 17 November 2025, been accredited with reference to standard ETSI EN 319 403 version 2.2.2, or earlier version, for the purposes of the assessment of conformity with Regulation (EU) No 910/2014 of qualified trust service providers and the qualified trust services they provide shall have their accreditation be considered to meet the requirements of Article 2(1) until 17 May 2027.

Article 10

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 27 October 2025.

For the Commission

The President

Ursula VON DER LEYEN


(1)   OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2)  Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).

(3)  Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and market surveillance relating to the marketing of products and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30, ELI: http://data.europa.eu/eli/reg/2008/765/oj).

(4)  Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (OJ L, 2024/1183, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1183/oj).

(5)  Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(6)  Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).

(7)  Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(8)   EDPS Formal comments on the draft regarding the accreditation of conformity assessment bodies performing the assessment of qualified trust service providers and the qualified trust services they provide | European Data Protection Supervisor.


ANNEX I

Reference standards for the subcontracting of conformity assessment activities

(1)

EN ISO/IEC 17025:2017 for testing activities;

(2)

EN ISO/IEC 17021-1:2015 for audit activities of management systems;

(3)

EN ISO/IEC 17020:2012 for inspection activities;

(4)

EN ISO/IEC 17065:2012 for conformity assessment activities.


ANNEX II

Reference standards for conformity assessment schemes

The standards referred to in Article 6(3) are ETSI TS 119 612 v2.4.1 and the following:

| Qualified Trust Service | Relevant standards |
| --- | --- |
| The issuance of qualified certificates for electronic signatures | ETSI EN 319 411-2; ETSI EN 301 549; ETSI EN 319 412-1; ETSI EN 319 412-2; ETSI EN 319 412-5; ETSI TS 119 461; ETSI EN 319 401 |
| The issuance of qualified certificates for electronic seals | ETSI EN 319 411-2; ETSI TS 119 495; ETSI EN 301 549; ETSI EN 319 412-1; ETSI EN 319 412-2; ETSI EN 319 412-3; ETSI EN 319 412-5; ETSI TS 119 461; ETSI EN 319 401 |
| The issuance of qualified certificates for website authentication | ETSI EN 319 411-2; ETSI TS 119 411-5; ETSI TS 119 495; ETSI EN 301 549; ETSI EN 319 412-1; ETSI EN 319 412-4; ETSI EN 319 412-5; ETSI TS 119 461; ETSI EN 319 401 |
| The qualified validation service for qualified electronic signatures | ETSI TS 119 441; ETSI TS 119 442; ETSI EN 319 102-1; ETSI TS 119 102-2; ETSI TS 119 172-4; ETSI EN 301 549; ETSI EN 319 401 |
| The qualified validation service for qualified electronic seals | ETSI TS 119 441; ETSI TS 119 442; ETSI EN 319 102-1; ETSI TS 119 102-2; ETSI TS 119 172-4; ETSI EN 301 549; ETSI EN 310 401 |
| The qualified preservation service for qualified electronic signatures | ETSI TS 119 511; ETSI TS 119 172-4; ETSI TS 119 512; ETSI EN 301 549; ETSI EN 310 401 |
| The qualified preservation service for qualified electronic seals | ETSI TS 119 511; ETSI TS 119 172-4; ETSI TS 119 512; ETSI EN 301 549; ETSI EN 319 401 |
| The creation of qualified electronic time stamps | ETSI EN 319 421; ETSI EN 319 422; ETSI EN 301 549; ETSI EN 319 401 |
| The provision of qualified electronic registered delivery services | ETSI EN 319 521; ETSI EN 319 522; ETSI EN 319 531; ETSI EN 319 532; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401 |
| The qualified service for the management of remote qualified electronic signature creation devices | ETSI TS 119 431-1; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401 |
| The qualified service for the management of remote qualified electronic seal creation devices | ETSI TS 119 431-1; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401 |
| The provision of qualified electronic archiving services | ISO 14641; ISO 14721; CEN/TS 18170; ETSI TS 301 549; ETSI EN 319 401; ETSI EN 119 511 |
| The issuance of qualified electronic attestations of attributes | ETSI TS 119 471; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401 |
| The recording of electronic data in a qualified electronic ledger | ETSI EN 319 401; ETSI EN 301 549; CEN/TS 18170; ISO 23257; ISO/TS 23635; ETSI EN 319 122-1; ETSI EN 319 132-1; ETSI EN 319 182-1 |


ANNEX III

Specifications for conformity assessment reports

The conformity assessment report as referred to in Article 7(1) shall

(1) be accompanied by a clear certification decision in accordance with clause 7.6 of standard ETSI EN 319403-1 v2.3.1 (‘ETSI EN 319403-1’), confirming whether the assessed trust service provider and the assessed qualified trust services it provides or aims to provide meet the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555;

(2) specify the name of the qualified trust service provider and, where applicable, its registration number, as stated in the official records, its official postal address, and its electronic address as well as, where applicable, the same information for all subsidiaries, affiliated legal entities, contractors and subcontractors that are operating trust service components in the scope of the provision of the qualified trust services by the qualified trust service provider;

(3) include a detailed description of the scope of the assessment of the qualified trust service provider, including the specific qualified trust services covered by the assessment;

(4) contain sufficient evidence to demonstrate that the qualified trust service provider and the qualified trust services it provides fulfil the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555;

(5) specify the name of the conformity assessment body, and, where applicable, its registration number, as stated in the official records, its registered postal address, and its electronic address;

(6) specify the following:

(a) the name and country of the national accreditation body having accredited the conformity assessment body;

(b) the names of the natural persons involved by the conformity assessment body in performing the conformity assessment and their respective role in that assessment;

(c) the link to the official website of the national accreditation body and containing the accreditation certificate issued by the national accreditation body to the conformity assessment body;

(d) where applicable, the digital accreditation symbol;

(e) the conformity assessment scheme for which the conformity assessment body has been accredited in accordance with Article 2(1);

(f) conformity assessment enquiries of the conformity assessment conducted, the rationale behind their selection, and the methodology employed, including sampling methodology and test procedures;

(g) the accredited conformity assessment scheme and relevant documents or a link to the location from where that conformity assessment scheme and relevant documents are available;

(7) contain at least one qualified electronic signature, where the report is provided in an electronic form, or handwritten signature, where provided paper-based, identifying the name and title of the responsible person or persons that are authorised to adopt the certification decision on behalf of the conformity assessment body;

(8) concern one qualified trust service provider;

(9) identify, in accordance with clause 5.5.3 of standard ETSI TS 119612 v.2.4.1, the service digital identities per type of qualified trust service for which it confirms the conformity with the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555, providing the following information:

(a) when the qualified trust service is not public key infrastructure technology based, an identifier expressed as a URI that uniquely identifies the qualified trust service;

(b) when the qualified trust service is based on public key infrastructure technology, at least the following:

the Subject Key Identifier as defined in IETF RFC 5280;

the Base64 PEM representation of the associated X.509v3 digital certificate;

where applicable, an indication whether specific sets or subsets of end-entity certificates issued by or under the service digital identity are excluded from or specifically included in the certification decision and on the basis of which criteria they may be identified;

an indication whether the service digital identity relates to an end-entity or a certification authority, clarifying whether it is an issuing, intermediate or root certificate;

a description on how the service digital identity is used in the context of the corresponding qualified trust service;

(10) provide, where applicable, a detailed description of the public key infrastructure functional hierarchy, per type of qualified trust service and for all service digital identities identified in accordance with point 11, including at least:

(a) the illustration of the public key infrastructure hierarchy identifying the root certification authorities, the intermediate certification authorities, the issuing certification authorities and the certification paths between them;

(b) the identification of each certification authority illustrated in point (a) through the Subject Key Identifier as defined in IETF RFC 5280;

(c) for each of the issuing certification authorities identified in accordance with point (b), the list of the different policy sets of certificates that each certification authority is issuing, together with for each set:

criteria that unambiguously identify the certificates of the set, being either a list of certificate policy identifiers to match with the content of the certificate policy certificate extension as defined in IETF RFC 5280 or other criteria as set out in implementing acts adopted pursuant to Article 22(5) of Regulation (EU) No 910/2014;

an indication of whether the certificates of the set are either qualified or non-qualified;

an indication of whether the certificates of the set are either for electronic signatures, or for electronic seals, or for web site authentication or for none of those purposes and, in the latter case, for which other purposes their use is intended;

an indication of whether the private key corresponding to the public key certified in the certificates of the sets resides in a local or remote qualified signature or seal creation device;

(11) include, in accordance with point 2

(a) an exhaustive list of third parties, including subcontractors, which provide qualified trust service components or service components by indicating their name, as identified in point 2, together with the location of the sites where the corresponding component services are operated;

(b) an indication whether those third parties and sites have been subject to the conformity assessment and to which extent;

(12) describe, where appropriate, the content of the entry to be included, or to be updated, in the relevant national trusted list, in accordance with the result of the assessment;

(13) include an exhaustive list of public and qualified trust service providers’ internal documents, which are properly identified including versioning, which have been part of the scope of the conformity assessment, including at least the following documentation as referred to in point 8, for which a copy shall be either provided together with the conformity assessment report or made otherwise available to the competent supervisory body on its request:

(a) the declaration of the practices used by the qualified trust service provider to provide the qualified trust services;

(b) the set of rules that indicates the applicability of the qualified trust services to a particular community or class of application with common security requirements (‘qualified trust service policies’);

(c) the terms and conditions related to subscriber agreements;

(d) the termination plan of the qualified trust services;

(e) the documentation which is related to the assessment of risks and which aims to demonstrate that the requirements of Article 24(2), points (fa) and (fb) of Regulation (EU) No 910/2014 and Article 21 of Directive (EU) 2022/2555 have been fulfilled;

(f) the security breaches notification plan which aims to demonstrate that the requirements of Article 24(2), points (fa) and (fb) of Regulation (EU) No 910/2014 and Article 21 of Directive (EU) 2022/2555 have been fulfilled;

(g) the list of all internal documents supporting the effective implementation of the practices declared and used by the qualified trust service provider to provide the qualified trust services;

(h) the memorandum and articles of incorporation or statutes of the qualified trust service provider, in accordance with the applicable national laws, together with the following elements:

statement of business activities not relating to the provision of trust services;

organisational chart;

ownership structure information;

where applicable and available, report of the accounts of the accounts auditor for the previous two accounting years, or from the date of its incorporation until the date of signing the conformity assessment report, whichever period is shorter;

(i) evidence that the qualified trust service provider, in accordance with applicable national laws, maintains sufficient financial resources and, where applicable, has obtained appropriate liability insurance with regard to the provision of the qualified trust services;

(j) the list of standards with which the operations are claimed to be compliant;

(k) the list of standards with which the operations are audited, evaluated, certified, or assessed to be compliant, together with details about the underlying audit, evaluation, certification or assessment scheme, as applicable;

(l) the list of qualified electronic signature creation devices or qualified electronic seal creation devices and their certification related information when the qualified trust service provider delivers or makes available such devices to its users;

(m) the list of devices used by the qualified trust service provider as trustworthy system or product, including hardware security modules or secure cryptographic devices, to protect its own keys, and information related to their certification, when the qualified trust service provider uses such devices to secure the processes supporting the qualified trust services it provides;

(14) contain an assessment of the fulfilment of the requirements that apply to the relevant qualified trust services pursuant to Regulation (EU) No 910/2014, and, where applicable, as set out in the implementing and delegated acts that apply to that qualified trust service as adopted in accordance with:

Article 24(1c) of Regulation (EU) No 910/2014 with respect to the verification of the identity and attributes of persons to whom the qualified certificate or the qualified electronic attestation is to be issued;

Article 24(5) of Regulation (EU) No 910/2014 with respect to the requirements for qualified trust service providers providing qualified trust services;

Article 28(6) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for electronic signatures;

Article 38(6) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for electronic seals;

Article 45(2) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for website authentication;

Article 33(2) of Regulation (EU) No 910/2014 with respect to the qualified validation service for qualified electronic signatures;

Article 33(2) and Article 40 of Regulation (EU) No 910/2014 with respect to the qualified validation service for qualified electronic seals,

Article 34(2) of Regulation (EU) No 910/2014 with respect to the qualified preservation service for qualified electronic signatures;

Article 34(2) and Article 40 of Regulation (EU) No 910/2014 with respect to the qualified preservation service for qualified electronic seals;

Article 42(2) of Regulation (EU) No 910/2014 with respect to the creation of qualified electronic timestamps;

Article 44(2) of Regulation (EU) No 910/2014 with respect to the provision of qualified electronic registered delivery services;

Article 29a(2) of Regulation (EU) No 910/2014 with respect to the qualified service for the management of remote qualified electronic signature creation devices;

Article 29a(2) and Article 39a of Regulation (EU) No 910/2014 with respect to the qualified service for the management of remote qualified electronic seal creation devices;

Article 45j(2) of Regulation (EU) No 910/2014 with respect to the provision of qualified electronic archiving services

Article 45d(5) of Regulation (EU) No 910/2014 with respect to the issuance of qualified electronic attestation of attributes;

Article 45l(3) of Regulation (EU) No 910/2014 with respect to the recording of electronic data in a qualified electronic ledger;

(15) contain an assessment of the fulfilment of the requirements that apply to the qualified trust service provider and to the relevant qualified trust services pursuant to Article 21 of Directive (EU) 2022/2555, and under the implementing acts that apply to that qualified trust service as adopted in accordance with Article 21(5) of that Directive;

(16) contain a statement declaring, where applicable, the absence of any non-conformities, irrespective of their level of criticality; where any non-conformity is identified in the report, the report shall provide a plan of corrective actions and their timescale, provided by the qualified trust service provider and agreed by the conformity assessment body, together with the description of the planned evaluation tasks the conformity assessment body shall undertake to evaluate that those non-conformities have been corrected;

(17) contain, where appropriate and necessary, an indication of opportunities for improvement concerning the fulfilment by the qualified trust service provider and the qualified trust services it provides of relevant requirements;

(18) identify, for each stage of the conformity assessment, including documentation audit, implementation assessment and onsite inspections, the period in relation to which the assessment has been conducted and the time taken by the conformity assessment body in person-days to conduct the assessment;

(19) identify in the corresponding specific requirement report the detailed conformity assessment controls and control objectives that have been conducted during the assessment or include a reference to separately available assessment reports in which such information is included, provided that such separated assessment reports are:

(a) issued by conformity assessment bodies accredited in accordance with Regulation (EU) No 910/2014;

(b) endorsed by the conformity assessment bodies issuing the conformity assessment report;

(20) include the scope, the description, and the results of a significant set of tests or production samples and their assessment for all relevant and applicable types of outputs from the assessed qualified trust services;

(21) indicate the following deadlines:

(a) the deadline within which the next surveillance conformity assessment must be conducted;

(b) the deadline within which the next conformity assessment must be conducted in accordance with Article 20(1) of Regulation (EU) No 910/2014;

(22) contain an explicit declaration stating that the certification documents, including the conformity assessment report, are also intended for the use by the competent national supervisory body.


ELI: http://data.europa.eu/eli/reg_impl/2025/2162/oj

ISSN 1977-0677 (electronic edition)

