Official Journal
of the European Union
EN
L series
|
|
Official Journal |
EN L series |
|
2025/2243 |
7.11.2025 |
COMMISSION IMPLEMENTING REGULATION (EU) 2025/2243
of 6 November 2025
laying down detailed specifications regarding the functional requirements for eFTI platforms in accordance with Regulation (EU) 2020/1056 of the European Parliament and of the Council
(Text with EEA relevance)
THE EUROPEAN COMMISSION,
Having regard to the Treaty on the Functioning of the European Union,
Having regard to Regulation (EU) 2020/1056 of the European Parliament and of the Council of 15 July 2020 on electronic freight transport information (1), and in particular Article 9(2) thereof,
Whereas:
|
(1) |
Regulation (EU) 2020/1056 requires competent authorities in the Member States to accept regulatory information when made available electronically by the economic operators concerned in compliance with the requirements laid down in that Regulation and, more specifically, by means of electronic freight transport information (eFTI) platforms that are certified to comply with the requirements laid down in that Regulation. |
|
(2) |
Economic operators concerned, as well as ICT solution providers, should be able to flexibly re-use ICT solutions that are currently used in the transport and logistics sector, such as for managing internal business process flows and communications with business partners in the supply chain, in order to develop eFTI platforms. The possibility to build on existing solutions would enable the faster and cost-efficient development of eFTI platforms and facilitate faster and wider uptake of eFTI by economic operators concerned without significant technological investment or business process burden. |
|
(3) |
Pursuant to Article 12 of Regulation (EU) 2020/1056, a certification process of eFTI platforms should be put in place, whereby compliance with the requirements laid down in Article 9(1) of that Regulation is to be assessed. Once certification has been issued by a conformity assessment body accredited in one of the Member States in accordance with Regulation (EC) No 765/2008 of the European Parliament and of the Council (2), it will be valid in all Member States. The detailed common functional and technical specifications for the functioning of the eFTI platforms laid down in this Regulation should therefore allow the Commission to define at a later stage, pursuant to Article 12 of Regulation (EU) 2020/1056, the detailed rules necessary to ensure uniform assessment of the compliance of eFTI platforms in view of their certification. |
|
(4) |
Commercial data sensitivity remains an important factor influencing the willingness of economic operators to share data electronically. In order to build the confidence of economic operators concerned, the requirements for eFTI platforms should ensure that the data stored by economic operators on eFTI platforms is made available to competent authorities only based on secure and authenticated connections with the systems used by competent authorities. Furthermore, the data made available to competent authorities should be limited to information requirements specified in the requests for access to eFTI data, and only when these requests are transmitted by competent authorities in accordance with the functional and technical specifications laid down in Commission Implementing Regulation (EU) 2024/1942 (3). For the same reason, economic operators concerned should receive information, including through real time notifications, on all requests for access by competent authorities to the data they made available on the eFTI platform, including, when lodged, of the corresponding follow-up communications. |
|
(5) |
Implementing Regulation (EU) 2024/1942 lays down common procedures and detailed rules for the accessing and processing by competent authorities of information made available by economic operators concerned on eFTI platforms. This includes specific functional and technical requirements for communication between the ICT systems used by the competent authorities and the eFTI platforms. To ensure interoperability and seamless communication between the systems used by the competent authorities and the eFTI platforms, the common functional and technical requirements for eFTI platforms should be compatible with those laid down for the systems used by the competent authorities. |
|
(6) |
Access by economic operators to eFTI platforms should also be ensured through secure and transparent access management mechanisms. Only authorised users should be able to access and process eFTI data on behalf of economic operators. Authorisations should be based on processing rights that are clearly identified and are issued under the control of the economic operators that hold rights or obligations in relation to that data, pursuant to applicable EU or national law or specific commercial agreements. At the same time, authorisations should be granted only to users that have been reliably identified and authenticated using electronic identification means compliant with the requirements laid down in Regulation (EU) No 910/2014 of the European Parliament and of the Council (4). Such access management mechanisms should build trust among economic operators to share their eFTI data at source and would therefore eliminate the need for multiple data storage points and reduce associated costs and complexities in data management and synchronisation, among others. |
|
(7) |
The provisions referred to in Article 2(1) of Regulation (EU) 2020/1056 allow economic operators concerned, in most cases, to re-use business-to-business documents to provide the required freight transport information. The detailed specifications laid down in this Regulation should follow the same spirit, by focusing on how freight transport information should be shared electronically with the competent authorities. They should not lay down requirements for the electronic format and use of business documents, in order not to impact freight transport information beyond the scope of Regulation (EU) 2020/1056 or the flexibility of economic operators in preparing and exchanging information in business-to-business contexts. It is therefore appropriate that this Regulation lays down specifications for the composition of the eFTI data set that enable economic operators concerned to prove, by sharing the same data only once, compliance with the applicable Union and national regulatory information requirements referred to in Article 2(1) of Regulation (EU) 2020/1056. The eFTI data set should be composed in accordance with the specifications for the eFTI common data set and eFTI data subsets laid down in the Annex to Commission Delegated Regulation (EU) 2024/2024 (5). When providing the information for the eFTI data set, economic operators should be able to re-use, to the largest extent possible, information available in their internal electronic data management systems, such as enterprise resource planning or transportation management systems, which they use to manage commercial transport documents such as consignment notes or transport orders. |
|
(8) |
Pursuant to Article 4 of Regulation (EU) 2020/1056, the economic operators concerned are not obliged to make data available electronically to the competent authorities, as they continue to retain the right to present the regulatory information on freight transport in the form of paper documents. eFTI platform operators should therefore ensure that the economic operators concerned are informed that, by processing data on the eFTI platform, they agree that the regulatory information on freight transport recorded and otherwise processed as eFTI data on an eFTI platform is made available by that platform to the competent authorities, on behalf of the respective operator concerned, whenever the platform receives requests for access to eFTI data by the competent authorities transmitted in accordance with the requirements of Implementing Regulation (EU) 2024/1942. The eFTI platform operators should also ensure that operators are informed that, by processing data on the eFTI platform, they agree that the eFTI platform makes the corresponding data processing logging records available for auditing in accordance with applicable EU or national law. |
|
(9) |
Article 27(3) of Regulation (EU) 2024/1157 of the European Parliament and of the Council (6) provides for interoperability with the eFTI exchange environment of the central system for the electronic submission and exchanges of waste shipments information and documents between economic operators concerned and competent authorities, also referred to as the digital waste shipment system (DIWASS), established in accordance with that Regulation. Furthermore, Article 5(2) of Commission Implementing Regulation (EU) 2025/1290 (7) specifies that users representing economic operators concerned acting as carriers for the shipment of waste may connect to DIWASS by means of an eFTI platform interconnected with that system through an application programming interface. To ensure interoperability between the eFTI platforms and DIWASS, it is necessary to lay down specifications for exchanging waste information falling under the scope of Regulation (EU) 2020/1056, as referred to in Article 2(1), point (a)(iv) of that Regulation. This interoperability will make it easier for carriers that perform waste transport operations to prove compliance, by electronic means, both with requirements for availability of regulatory information during the transport operation, as provided for in the provisions referred to in Article 2(1) of Regulation (EU) 2020/1056, and with the requirements on the provision of waste shipments information laid down in Regulation (EU) 2024/1157. |
|
(10) |
The data that economic operators record on eFTI platforms will have substantial commercial value, both to allow economic operators concerned to prove compliance with administrative requirements and as a basis for commercial transactions, provision of services, and business monitoring and planning. It is therefore essential that, in addition to rigorous access management policies, eFTI platform operators put in place measures that ensure the continuous accessibility, preservation and security of that data, whether it is stored on physical storage devices under the control of the eFTI platform operator or in data clouds purchased as part of data storage services. To that end, and without affecting applicable EU or national cybersecurity requirements, eFTI platform operators should adhere to the latest international best practices and standards on data privacy and data security, such as ISO 27001, ISO 27017 and ISO 27701. When personal data are processed in the context of the application of this implementing regulation, Regulation (EU) 2016/679 of the European Parliament and of the Council (8) applies. |
|
(11) |
To enable eFTI platform operators to take account of continuously evolving technical developments and standards, the detailed specifications laid down in this Regulation should not go beyond necessary requirements to ensure functional and minimum technical interoperability with other components within the eFTI exchange environment, as provided for in Implementing Regulation (EU) 2024/1942. At the same time, seamless interoperability between these different ICT components cannot be achieved without a set of common and detailed technical specifications that can be easily updated and shared among all stakeholders. Technical guidance documents should therefore be developed to support the implementation of this Regulation, involving stakeholders from both the public and the private sector, and in particular the working group of experts appointed by the Member States to act as a network of operational support in accordance with Article 13 of Implementing Regulation (EU) 2024/1942, and relevant working groups or sub-groups of the Digital Transport and Logistics Forum Expert Group (9). |
|
(12) |
The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (10) and delivered an opinion on 8 July 2025. |
|
(13) |
The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 15(1) of Regulation (EU) 2020/1056, |
HAS ADOPTED THIS REGULATION:
CHAPTER I
GENERAL PROVISIONS
Article 1
Definitions
For the purposes of this Regulation, the following definitions apply:
|
(1) |
‘ICT system’ means an organised assembly of information and communications technologies (ICT) including hardware, software and networks united and regulated by interaction or interdependence to accomplish a set of specific functions; |
|
(2) |
‘tributary ICT system’ means an identifiable ICT system external to an eFTI platform, including another eFTI platform, by means of which business users connect to an eFTI platform to access and process eFTI data; |
|
(3) |
‘eFTI data’ means data corresponding to regulatory information as defined in Article 3(1) of Regulation (EU) 2020/1056; |
|
(4) |
‘eFTI platform operator’ means a natural or legal person who is deemed legally responsible for the appropriate functioning of an eFTI platform; |
|
(5) |
‘eFTI Gate’ means an ICT component or a set of ICT components performing the functionalities set out in Article 6 of Implementing Regulation (EU) 2024/1942; |
|
(6) |
‘business user’ means a natural or legal person who constitutes or is authorised to represent an economic operator concerned in accordance with Regulation (EU) 2020/1056, or another economic operator who constitutes a data holder in accordance with paragraph 23, and who processes data on an eFTI platform on behalf of that economic operator concerned or other data holder; |
|
(7) |
‘login session’ means a restricted period of time during which a business user is given access to an eFTI platform; |
|
(8) |
‘consignment movement’ means the transport of a collection of goods by a single own-powered means of transport, with or without transport equipment such as trailer, pallet or container, from the same place of loading or taking over to the same place of unloading or handover, under the terms of a single transport contract; |
|
(9) |
‘eFTI consignment movement data set’ or ‘eFTI CMDS’ means a uniquely identified eFTI data set composed of the eFTI data that, together, constitute the regulatory information on freight transport related to a specific consignment movement; |
|
(10) |
‘applicable regulatory information requirements’ means the regulatory information requirements referred to in Article 2(1) of Regulation (EU) 2020/1056 that apply to a specific consignment movement; |
|
(11) |
‘identifiers of the eFTI data subsets’ means the identifiers in the format ‘EUyy’ or ‘XXyy’ of the eFTI data subsets established in Sections 3 and 4 of the Annex to Delegated Regulation (EU) 2024/2024; |
|
(12) |
‘UUID of the eFTI CMDS’ means the unique number, as referred to Article 11(2), point (c) of Implementing Regulation (EU) 2024/1942, which is allocated automatically by an eFTI platform to an eFTI data set constituting an eFTI CMDS; |
|
(13) |
‘unique identification number of the request’ means the unique number of a request for access to eFTI data lodged by a competent authority officer, issued and allocated to the request in accordance with Article 3(2), point (c) of Implementing Regulation (EU) 2024/1942; |
|
(14) |
‘follow-up communication’ means the communication between competent authorities and the economic operators concerned as defined in Article 1, point (6) of Implementing Regulation (EU) 2024/1942; |
|
(15) |
‘human-to-machine user interface’ means a web or application based graphical user interface that allows natural persons to perform data processing operations on an eFTI platform; |
|
(16) |
‘electronic identification means’ means a material or immaterial unit containing person identification data and which is used for authentication purposes to access an online service or, where appropriate, an offline service; |
|
(17) |
‘electronic identification scheme’ means a system for electronic identification under which electronic identification means are issued to natural or legal persons or natural persons representing other natural persons or legal persons; |
|
(18) |
‘authentication’ means an electronic process that enables the confirmation of the electronic identification of a natural or legal person or the confirmation of the origin and integrity of data in electronic form; |
|
(19) |
‘advanced electronic signature’ means an electronic signature that meets the requirements laid down in Article 26 of Regulation (EU) No 910/2014; |
|
(20) |
‘advanced electronic seal’ means an electronic seal that meets the requirements laid down in Article 36 of Regulation (EU) No 910/2014; |
|
(21) |
‘onboarded user’ means a business user for whom the identification, authentication and authorisation has been done in accordance with the requirements established in Article 4(2), point (a); |
|
(22) |
‘non-onboarded user’ means a business user that is allowed to access an eFTI platform based only on temporary access and processing rights, issued in accordance with the requirements established in Article 5(1) point (b); |
|
(23) |
‘data holder’ means a natural or legal person that has the right or obligation, in accordance with applicable Union law, national legislation, or private contractual agreements to use and make available data that also constitute regulatory information in accordance with the requirements referred to in Article 2(1) of Regulation (EU) 2020/1056; |
|
(24) |
‘primary authoriser’ means an onboarded business user who is allowed to modify the information recorded in an onboarded user profile, including the setting up or deletion of a user profile; |
|
(25) |
‘temporary authoriser’ means an onboarded business user who is allowed to issue temporary data processing rights to non-onboarded users; |
|
(26) |
‘two-factor authentication’ means an identity and access management security method that requires two forms of identification to access an eFTI platform; |
|
(27) |
‘certification mark’ means a coded reference to the eFTI platform attesting the validity of its certification status, which should accompany all information made available to competent authorities by means of a certified eFTI platform, in accordance with Article 12(3) of Regulation (EU) 2020/1056; |
|
(28) |
‘digital waste shipment system’ (DIWASS) means the central system referred to in Article 27(3) of Regulation (EU) 2024/1157; |
|
(29) |
‘waste shipments operator’ means an operator as defined in Article 2(2), point (13) of Implementing Regulation (EU) 2025/1290; |
|
(30) |
‘waste shipment documents’ means the documents referred to in Article 9(2), Article 16(1) and Article 18(4) of Regulation (EU) 2024/1157; |
|
(31) |
‘combined transport details’ means the regulatory information referred to in Article 3 of Council Directive 92/106/EEC (11); |
|
(32) |
‘qualified electronic time stamp’ means an electronic time stamp that meets the requirements laid down in Article 42 of Regulation (EU) No 910/2014. |
Article 2
eFTI platforms system architecture
The system architecture of eFTI platforms shall consist of any combination of ICT components or systems that comply with the requirements laid down in this Regulation.
CHAPTER II
ACCESS TO eFTI PLATFORMS
Article 3
Access to eFTI platforms by competent authorities
1. eFTI platforms shall enable competent authorities to access eFTI data solely by means of machine-to-machine communication, via a secure connection between the eFTI platform and an eFTI Gate. An eFTI platform shall establish such a connection with at least one eFTI Gate.
2. To enable the communication referred to in paragraph 1, an eFTI platform shall provide the following functionalities:
|
(a) |
validate the request for access to eFTI data or the follow-up communication received from the eFTI Gate, by verifying the security key of the eFTI Gate; |
|
(b) |
process the request for access to eFTI data, by identifying:
|
|
(c) |
keep an audit trail of the request for access to eFTI data, by recording at least the following information:
|
|
(d) |
prepare and transmit to the eFTI Gate the response to the request for access to eFTI data, as appropriate:
|
|
(e) |
keep an audit trail of the response, which allows at least the following information to be retrieved:
|
|
(f) |
process the follow-up communication, by:
|
|
(g) |
keep an audit trail of the follow-up communication, which allows at least the following information to be retrieved:
|
Article 4
Access to eFTI platforms by business users
1. eFTI platforms shall allow business users to access and process eFTI data by means of one or both of the following modalities:
|
(a) |
human-to-machine user interfaces; |
|
(b) |
machine-to-machine communication via secure connections to other ICT systems that act as tributary ICT systems. |
2. For access and processing of eFTI data by means of human-to-machine interfaces, eFTI platforms shall provide functionalities that ensure:
|
(a) |
for each onboarded user:
|
|
(b) |
for non-onboarded users, user identification, authentication and authorisation by means of the authorisation mechanism referred to in Article 5(1), point (b). |
3. The electronic identification scheme referred to in paragraph 2, point (a)(i), shall comply, as a minimum, with the requirements laid down in Article 8(2), point (b), of Regulation (EU) No 910/2014.
For users accessing and processing eFTI data that corresponds to the information requirements referred to in Article 2(1), point (a)(iv), of Regulation (EU) 2020/1056, the electronic identification means referred to in paragraph 2, point (a)(i), of this Article shall include reference to the identification number of the waste shipments operator referred to in Article 9 of Implementing Regulation (EU) 2025/1290.
4. For access and processing of eFTI data by means of machine-to machine communication, eFTI platforms shall provide functionalities that ensure for each tributary ICT system:
|
(a) |
the identification and authentication of the business user under whose legal responsibility the tributary ICT system operates, by means of a registry where at least the following information is recorded and kept updated:
|
|
(b) |
the authorisation of the business user under whose legal responsibility the tributary ICT system operates, by means of the authorisation registry referred to in Article 5(1), point (a). |
5. eFTI platform operators shall establish and implement measures for the appropriate onboarding of tributary ICT systems that include, as a minimum:
|
(a) |
verifying that the tributary ICT system identifies and authenticates the users that are allowed to act as business users of the eFTI platform, by electronic identification means issued under an electronic identification scheme that complies with the requirements laid down in paragraph 3; |
|
(b) |
verifying that the tributary ICT system controls the access of users that are allowed to act as business users of the eFTI platform, by means of an authorisation registry referred to in Article 5(1), point (a). |
6. For each login session, the eFTI platform shall ensure the identification, authentication and authorisation of the business user, before allowing the business user to process eFTI data.
Article 5
Authorisation mechanism
1. eFTI platforms shall use one or both of the following types of authorisation mechanisms:
|
(a) |
verification of the processing rights of the user, by means of authorisation registries where the processing rights of onboarded users are recorded, kept updated and remain available for auditing purposes, and which shall constitute the principal mechanism for authorisation; |
|
(b) |
issuing and verification of temporary processing rights, by means of authorisation registries where temporary access credentials of occasional, non-onboarded users, are recorded. |
2. The authorisation registries referred to in paragraph 1 shall be established and maintained as a separate ICT component. This separate ICT component shall be either internal to the eFTI platform or part of an ICT system external to the eFTI platform with which the eFTI platform establishes secure communications, in accordance with Article 12(4).
3. The authorisation registries referred to in paragraph 1, point (a), shall maintain a uniquely identified ‘user profile’ for each onboarded business user, by recording at least the following information:
|
(a) |
unique identification of the business user, expressed as a coded reference; |
|
(b) |
processing rights, expressed as references, where those references include:
|
|
(c) |
an indication of whether the business user may act as primary or temporary authoriser; |
|
(d) |
for business users designated as primary authoriser, the unique identification numbers of the existing onboarded user profiles that they are allowed to modify; |
|
(e) |
for business users designated as temporary authoriser, the temporary processing rights they are entitled to issue to non-onboarded users, expressed as references to the processing operations referred to in Article 8; |
|
(f) |
an indication of whether the business user may request notifications related to requests for access to eFTI data by competent authorities and related follow-up communications, when related to the eFTI CMDS for which the business user has processing rights. |
4. The eFTI platform operator or, where the authorisation registry is established as a component of an ICT system external to the eFTI platform, the operator of the external ICT system, shall take measures to ensure the appropriate onboarding of the business users that may act as ‘primary authoriser’. Those measures shall, as a minimum, consist of:
|
(a) |
identification and authentication, in accordance with the requirements laid down in Article 4(2), point (a); |
|
(b) |
verification of credentials stating that the business user is a data holder or constitutes the legal representative of a data holder, or that the business user is empowered to authorise, on behalf of a data holder, the processing of data in relation to which that data holder has rights or obligations as referred to in Article 1, point (23); |
|
(c) |
keeping a record of those credentials for auditing purposes. |
5. The authorisation mechanism referred to in paragraph 1, point (b), shall include functionalities that comply, as a minimum, with the following specifications:
|
(a) |
allow onboarded users with temporary authoriser designation to issue temporary processing rights to non-onboarded users, by recording in a dedicated registry the temporary access credentials of non-onboarded users, containing as a minimum:
|
|
(b) |
allow the onboarded users with temporary authoriser designation to give temporary access to eFTI data to the non-onboarded users for whom they recorded temporary access credentials by sending, using the recorded contact details of the non-onboarded user, a message containing:
|
|
(c) |
when access to the eFTI platform is requested by a non-onboarded user, give the non-onboarded user access to the eFTI platform based on two-factor authentication, and allow them to perform processing operations based on their processing rights recorded in accordance with point (a); |
|
(d) |
terminate the login session of a non-onboarded user as soon as one of the following events occur:
|
6. The information recorded in the authorisation registries in accordance with paragraphs 1 to 5 shall be retained for auditing purposes, as a minimum, for the same period of time for which the eFTI CMDS, on which the respective users performed processing operations, is required to be kept available, in accordance with the applicable national or Union law, pursuant to Article 9(1), point (i), of Regulation (EU) 2020/1056.
7. eFTI platforms shall delete all information that constitute personal data in accordance with Regulation (EU) 2016/679 within a reasonable time after the expiration of the period referred to in paragraph 6.
Article 6
Communication with DIWASS
1. To allow economic operators concerned to make available to competent authorities the regulatory information referred to in Article 2(1), point (a)(iv), of Regulation (EU) 2020/1056, eFTI platforms shall establish secure connections with the central system referred to in Article 27(3) of Regulation (EU) 2024/1157, through an application programming interface as referred to in Article 5(2) of Implementing Regulation (EU) 2025/1290, or where made available by a Member State, through connection to the local system operated by a competent authority in that Member State in accordance with Article 27(4) of Regulation (EU) 2024/1157 and that connects to the that central system in accordance with the requirements of Implementing Regulation (EU) 2025/1290.
2. Where eFTI platforms establish either of the connections referred to in paragraph 1, they shall also provide corresponding additional functionalities in accordance with Article 9(2) of this Regulation.
Article 7
Transparency
1. eFTI platforms shall provide functionalities that allow business users to request and receive notifications, including in the form of periodical reports, based on appropriate authorisations. Those notifications and reports shall cover requests for access to eFTI data by competent authorities and related follow-up communications. They shall also cover processing operations by business users, when the business user requesting those notifications or reports constitutes a data holder or has processing rights for that data assigned in the authorisation registry referred to in Article 5(1), point (a) in relation to that data.
2. Where the notifications or reports referred to in paragraph 1 concern requests for access to eFTI data by competent authorities and related follow-up communications, those notifications shall contain at least the following information:
|
(a) |
date and time of receipt of the request for access to eFTI data and, where lodged, of the follow-up communication; |
|
(b) |
the Member State of the competent authority that lodged the request for access to eFTI data; |
|
(c) |
the UUID of the eFTI CMDS for which the request for access to eFTI data was made; |
|
(d) |
where lodged, the information in the follow-up communication. |
CHAPTER III
DATA PROCESSING ON eFTI PLATFORMS
Article 8
The eFTI CMDS
1. eFTI platforms shall manage the processing of eFTI data based on uniquely identified data sets, each constituting an eFTI CMDS.
2. eFTI CMDS shall be generated by selecting all the data elements that constitute the eFTI data subsets corresponding to the applicable regulatory information requirements for a specific consignment movement, where all the data elements common to two or more eFTI data subsets shall be included only once.
3. All eFTI data processed on an eFTI platform shall comply with the definitions and technical characteristics, including structure, code lists and business rules, established by Delegated Regulation (EU) 2024/2024.
Article 9
Processing operations
1. eFTI platforms shall provide functionalities that enable business users, following validation of their processing rights by means of an authorisation mechanism referred to in Article 5, to perform the following processing operations on eFTI data:
|
(a) |
create eFTI CMDS; |
|
(b) |
edit eFTI CMDS; |
|
(c) |
read eFTI CMDS data; |
|
(d) |
download a copy of eFTI CMDS data; |
|
(e) |
consignor signature; |
|
(f) |
carrier signature; |
|
(g) |
consignee signature; |
|
(h) |
combined transport ‘stamp’ by competent authority in sea port, inland waterway port or railway station; |
|
(i) |
archive eFTI CMDS. |
2. The eFTI platform functionalities referred to in Article 6 shall enable business users, following validation of their processing rights by means of an authorisation mechanism referred to in Article 5, to perform the following processing operations on eFTI data:
|
(a) |
download a copy of waste shipments documents; |
|
(b) |
submit waste shipment carrier transfer confirmations, in accordance with Annex II, Part B, point 3 and Part C point 3 of Implementing Regulation (EU) 2025/1290; |
|
(c) |
edit submitted waste shipments carrier transfer confirmations, in accordance with Annex II, Part B, point 4 and Part C point 4 of Implementing Regulation (EU) 2025/1290. |
3. The processing operations referred to in paragraphs 1 and 2 shall be as specified in the Annex, together with the actions to be performed by eFTI platforms to enable business users to perform those operations.
4. Before allowing a business user to perform processing operations on eFTI data, the platform shall inform the user through clearly worded messages that, by processing the data on the eFTI platform, the user consents that:
|
(a) |
the data processed by the business user may automatically be made available to the competent authorities, specifically whenever the eFTI platform receives a request for access to eFTI data, from a competent authority, for the specific eFTI CMDS of which that data is part; |
|
(b) |
an audit trail of the data processing operations made by the business user is recorded, in accordance with the provisions in paragraph 6, and may be made available to the competent authorities for consultation in accordance with applicable Union law or national law. |
5. eFTI platforms shall log each processing operation performed by a business user on an eFTI CMDS, by recording in relation to each data element processed, the following information:
|
(a) |
the UUID of the eFTI CMDS; |
|
(b) |
for onboarded users, a coded identification linked to their user account; |
|
(c) |
for non-onboarded users, identification information provided by the user in the context of the two-factor authentication referred to in Article 5(5), point (c); |
|
(d) |
date and time; |
|
(e) |
type of operation performed, identified in accordance with paragraphs 1 and 2; when the processing operation involves modifying or deleting the value of a data element, the original value of the data element shall also be maintained. |
6. eFTI platforms shall record and keep the eFTI CMDS data readily available for access by both business users and competent authorities on an online data storage system, for at least the period in which the eFTI CMDS has the status ‘active’ and, where applicable, ‘inactive’, as assigned by the eFTI platform in accordance with the specifications laid down in the Annex to this Regulation.
7. eFTI platforms shall maintain the eFTI CMDS that have the status ‘ready to archive’ or ‘archived’ and the corresponding processing operation logs accessible for access by competent authorities for the periods of time referred to in Article 9(1), point (i), of Regulation (EU) 2020/1056.
8. eFTI platforms shall delete all information that constitute personal data in accordance with Regulation (EU) 2016/679 within a reasonable time after the expiration of the periods referred to in paragraph 8.
Article 10
Human-to-machine user interfaces
1. The human-to-machine interfaces referred to in Article 4(1), point (a) shall provide the following web or application-based functionalities:
|
(a) |
allow business users to interact with the eFTI platform for purposes of identification, authentication and authorisation by the eFTI platform in accordance with Articles 4 and 5 and, respectively, for processing eFTI data on the eFTI platform in accordance with Articles 5 and 9; |
|
(b) |
allow authorised users to download the unique electronic identifying link (UIL) of the eFTI CMDS, and enable them to communicate it in machine-readable format to the competent authorities; |
|
(c) |
allow authorised users to download a human-readable copy of the eFTI CMDS and, where applicable, of the waste shipment documents, and to display these copies for inspection by competent authorities’ officers, when required by those officers in accordance with Article 4(2) of Regulation (EU) 2020/1056. |
2. The human-readable copies referred to in paragraph 1, point (d), shall include a machine-readable coded reference of the eFTI platform certification mark and an indication of the date and time of the download in the form of a time stamp.
3. eFTI platforms’ human-to-machine interfaces shall include access protection features to prevent unauthorised access to eFTI data and eFTI platform functionalities when the device by the means of which the business user accesses the eFTI platform is not under the control of the user.
CHAPTER IV
AVAILABILITY, SECURITY AND RESILIENCE MEASURES
Article 11
Availability
An eFTI platform shall remain available for access by competent authorities, as specified in Article 3, for at least the period of time for which the eFTI CMDSs recorded on that platform have the status ‘active’ and, where applicable, ‘inactive’, as assigned by the eFTI platform in accordance with the specifications laid down in the Annex to this Regulation.
Article 12
Security of data exchanges
1. For communication with an eFTI Gate, eFTI platforms shall:
|
(a) |
maintain an eDelivery Access Point, in compliance with the eDelivery message exchange specifications, or an access point compliant with the equivalent message exchange specifications supported by the eFTI Gate, where such message exchange specifications are established by a Member State in accordance with Article 9(4) of Implementing Regulation (EU) 2024/1942; |
|
(b) |
use secure procedures and protocols for receiving, recording, retrieving and validating the security keys or security certificates of the eFTI Gate. |
2. The access points referred to in paragraph 1, point (a), shall use security certificates issued, through a certificate authority, by the Member State where the eFTI platform received the compliance certificate referred to in Article 12(1) of Regulation (EU) 2020/1056.
3. All communication between the eFTI platform and the eFTI Gate shall take place by means of message exchanges that comply with the specifications laid down in Article 9(3) and (4) of Implementing Regulation (EU) 2024/1942.
4. For communication with tributary ICT systems or other external ICT systems hosting components that perform certain eFTI platform functionalities, eFTI platforms shall, as a minimum:
|
(a) |
maintain access points with valid security keys or security certificates; |
|
(b) |
use secure procedures and protocols for receiving, recording, retrieving and validating the security keys or security certificates of those other ICT systems. |
5. For communication with DIWASS, eFTI platforms shall:
|
(a) |
maintain access points that comply with the specifications referred to in Article 12 of Implementing Regulation (EU) 2025/1290; |
|
(b) |
use secure procedures and protocols for receiving, recording, retrieving and validating the security key of DIWASS; |
|
(c) |
maintain an application programming interface that allows it to receive from DIWASS data related to the consignee signature, when the consignee is a waste treatment facility as referred to in Regulation (EU) 2024/1157. |
Article 13
Security of stored data
eFTI platform operators shall define and implement measures that ensure the security and preservation of the data stored on eFTI platforms, and in particular:
|
(a) |
where eFTI data is stored on physical storage devices managed by the platform operator:
|
|
(b) |
where eFTI data is stored by means of cloud storage, measures to ensure that cloud storage space is purchased from service providers that comply with main international standards and best practices for cloud security and protection of personal data; |
|
(c) |
measures to ensure that eFTI data is stored within the Union or under Union or Member State jurisdiction. |
CHAPTER V
FINAL PROVISIONS
Article 14
Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 6 November 2025.
For the Commission
The President
Ursula VON DER LEYEN
(1) OJ L 249, 31.7.2020, p. 33, ELI: http://data.europa.eu/eli/reg/2020/1056/oj.
(2) Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008 setting out the requirements for accreditation and repealing Regulation (EEC) No 339/93 (OJ L 218, 13.8.2008, p. 30, ELI: http://data.europa.eu/eli/reg/2008/765/oj).
(3) Commission Implementing Regulation (EU) 2024/1942 of 5 July 2024 laying down common procedures and detailed rules for accessing and processing electronic freight transport information by competent authorities in accordance with Regulation (EU) 2020/1056 of the European Parliament and of the Council (OJ L, 2024/1942, 20.12.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/1942/oj).
(4) Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj).
(5) Commission Delegated Regulation (EU) 2024/2024 of 26 July 2024 supplementing Regulation (EU) 2020/1056 by establishing the eFTI common data set and eFTI data subsets (OJ L, 2024/2024, 20.12.2024, ELI: http://data.europa.eu/eli/reg_del/2024/2024/oj).
(6) Regulation (EU) 2024/1157 of the European Parliament and of the Council of 11 April 2024 on shipments of waste, amending Regulations (EU) No 1257/2013 and (EU) 2020/1056 and repealing Regulation (EC) No 1013/2006 (OJ L, 2024/1157, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1157/oj).
(7) Commission Implementing Regulation (EU) 2025/1290 of 2 July 2025 laying down rules for the application of Regulation (EU) 2024/1157 of the European Parliament and of the Council as regards the requirements necessary for the interoperability between the central system for the electronic submission and exchange of information and documents related to shipments of waste and other systems or software, as well as other technical and organisational requirements necessary for the practical implementation of such electronic submission and exchange of information and documents (OJ L, 2025/1290, 14.7.2025, ELI: http://data.europa.eu/eli/reg_impl/2025/1290/oj).
(8) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).
(9) https://ec.europa.eu/transparency/expert-groups-register/screen/expert-groups/consult?lang=en&groupID=3280.
(10) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).
(11) Council Directive 92/106/EEC of 7 December 1992 on the establishment of common rules for certain types of combined transport of goods between Member States (OJ L 368, 17.12.1992, p. 38, ELI: http://data.europa.eu/eli/dir/1992/106/oj).
ANNEX
PROCESSING OPERATIONS TO BE PERFORMED BY BUSINESS USERS ON eFTI PLATFORMS
(referred to in Article 9)
The following table describes the processing operations on eFTI data that eFTI platforms enable business users to perform, pursuant to Article 9(1) and (2), and the automatic actions that eFTI platforms must perform in order to ensure the performance of those processing operations, where:
|
(a) |
the column with title ‘Operation’ provides the short name by which the processing operation is identified in Article 9(1) or (2); |
|
(b) |
the column with title ‘Business user action’ describes the actions eFTI platforms shall enable business users to carry out in order to perform the corresponding processing operation; |
|
(c) |
the column with title ‘eFTI platform action’ describes the actions eFTI platforms shall execute, as a minimum, in conjunction with the corresponding business user actions, to ensure the completion of that operation. Table
|
(1) Regulation (EC) No 1072/2009 of the European Parliament and of the Council of 21 October 2009 on common rules for access to the international road haulage market (OJ L 300, 14.11.2009, p. 72, ELI: http://data.europa.eu/eli/reg/2009/1072/oj).
ELI: http://data.europa.eu/eli/reg_impl/2025/2243/oj
ISSN 1977-0677 (electronic edition)