COMMISSION IMPLEMENTING REGULATION (EU) …/...

of 29.9.2025

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for processes for sending and receiving data in qualified electronic registered delivery services and as regards interoperability of those services

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 44(2) and Article 44(2b) thereof,

Whereas:

(1) Qualified electronic registered delivery services provide a secure channel for the transmission of documents, including proof of sending and receiving the data. They aim at providing certainty in identifying the addressee and ensure a high level of confidence in the identification of the sender.

(2) The presumption of compliance laid down in Article 44(1a) of Regulation (EU) No 910/2014 should only apply where qualified trust services for the provision of qualified electronic registered delivery services comply with the standards set out in this Regulation. These standards should reflect established practices and be widely recognised within the relevant sectors. They should be adapted to include additional controls ensuring the security and trustworthiness of the qualified trust service.

(3) If a trust service provider adheres to the requirements set out in the Annex I to this Regulation, supervisory bodies should presume compliance with the relevant requirements of Regulation (EU) No 910/2014 and duly consider such presumption for granting or confirming the qualified status of the trust service. However, a qualified trust service provider may still rely on other practices to demonstrate compliance with the requirements of Regulation (EU) No 910/2014.

(4) Pursuant to Article 44(2a) of Regulation (EU) No 910/2014, where qualified trust service providers agree to make their services interoperable, it is important that they adhere to appropriate standards and specifications laid down in Annex II to this Implementing Regulation in order to easily transfer electronic registered data between two or more qualified trust service providers and to promote fair practices in the internal market.

(5) The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (2), the Commission should review and update this Regulation, if necessary, to keep it in line with global developments, new technologies, standards or technical specifications and to follow the best practices on the internal market.

(6) Regulation (EU) 2016/679 of the European Parliament and of the Council (3), and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (4) apply to all personal data processing activities under this Regulation.

(7) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (5) and delivered its opinion on 06 June 2025.

(8) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Reference standards and specifications for qualified electronic registered delivery services

The reference standards and specifications referred to in Article 44(2) of Regulation (EU) No 910/2014 are set out in the Annex I to this Regulation.

Article 2

Reference standards and specifications for the interoperability between qualified electronic registered delivery services

The reference standards and specifications referred to in Article 44(2b) of Regulation (EU) No 910/2014 are set out in the Annex II to this Regulation.

Article 3

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29.9.2025

   For the Commission

   The President
   Ursula VON DER LEYEN

(1) OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.
(2) Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (OJ L, 2024/1183, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1183/oj).
(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).
(4) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).
(5) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

ANNEX I

List of reference standards and specifications referred to in Article 1

The standard ETSI EN 319 521 V1.1.1 (2019-02) (‘ETSI EN 319 521’) applies with the following adaptations:

1. For ETSI EN 319 521

(1) 2.1 Normative references:

[1] ETSI EN 319 401 V3.1.1 (2024-06) "Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers".

[2] ETSI EN 319 411-1 V1.5.1 (2025-04) "Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements".

[3] ETSI EN 319 522-1 V1.2.1 (2024-01) "Electronic Signatures and Infrastructures (ESI); Electronic Registered Delivery Services; Part 1: Framework and Architecture".

[4] ETSI EN 319 522-2 V1.2.1 (2024-01) "Electronic Signatures and Infrastructures (ESI); Electronic Registered Delivery Services; Part 2: Semantic content".

[5] European Cybersecurity Certification Group, Sub-group on Cryptography: "Agreed Cryptographic Mechanisms" published by the European Union Agency for Cybersecurity (‘ENISA’) (1).

[6] ISO/IEC 15408-1:2022 – Information security, cybersecurity and privacy protection – Evaluation criteria for IT security.

[7] Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (2).

[8] Commission Implementing Regulation (EU) 2024/3144 of 18 December 2024 amending Implementing Regulation (EU) 2024/482 as regards applicable international standards and correcting that Implementing Regulation.

[9] FIPS PUB 140-3 (2019) "Security Requirements for Cryptographic Modules".

(2) 3.1 Terms

advanced electronic seal: As defined in Regulation (EU) No 910/2014 [i.1].

advanced electronic signature: As defined in Regulation (EU) No 910/2014 [i.1].

qualified electronic seal: As defined in Regulation (EU) No 910/2014 [i.1].

qualified electronic signature: As defined in Regulation (EU) No 910/2014 [i.1].

secure cryptographic device: device which holds the user’s private key, protects this key against compromise and performs signing or decryption functions on behalf of the user.

(3) 5.1.1 Common provisions

REQ-ERDS-5.1.1-01 The ERDS shall ensure that availability, integrity and confidentiality of the user content is adequately guaranteed while it is handled by the ERDS, selecting suitable integrity and confidentiality cryptographic techniques compliant with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA [5].

(4) 5.2.1.1 General

REQ-QERDS-5.2.1.1-01 The QERDSP shall verify with a very high level of confidence the identity of the recipient either directly or by relying on a third party, and by using one of the following means or a combination thereof as required:

(a) through the physical presence of the natural person or of an authorised representative of the legal person, by means of appropriate evidence and procedures, in accordance with national law;

(b) remotely, using an electronic identification means, which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level ‘high’, or by means of the European Digital Identity Wallet;

(c) by means of a certificate of a qualified electronic signature or of a qualified electronic seal;

(d) by using other identification methods, which ensure that the natural person or the authorised representative of the legal person can be identified with a very high level of confidence. The assurance that this identification is performed with a very high level of confidence shall be confirmed by a conformity assessment body.

REQ-QERDS-5.2.1.1-01A The QERDSP shall verify the identity of the sender by appropriate means, either directly or by relying on a third party, on the basis of one of the following methods or on a combination thereof:

(a) through the physical presence of the natural person or of an authorised representative of the legal person, by means of appropriate evidence and procedures, in accordance with national law;

(b) remotely, by means of the European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level ‘substantial’ provided that it has been issued based on prior physical presence of the natural person or of an authorised representative of the legal person;

(c) by means of a certificate of an advanced electronic signature or of an advanced electronic seal, provided the certificate has been issued to the natural person or to an authorised representative of the legal person under Normalised Certificate Policy (NCP) as defined in ETSI EN 319 411-1 [2]; or

(d) by using other identification methods, which ensure that the natural person or the authorised representative of the legal person can be identified with a very high level of confidence. The assurance that this identification is performed with a high level of confidence shall be confirmed by a conformity assessment body.

NOTE The third party verifying the identity of the sender and the recipient may be another QERDSP if the sender and the recipient are subscribed to different QERDSPs.

(5) 5.2.1.2 Recipient identification and handover of user content

REQ-QERDS-5.2.1.2-03 If the identification of the recipient is based on a QERDS internal process, the QERDSP shall conduct the whole process in a secured and controlled environment.

(6) 5.2.2 Provisions for EU QERDS authentication

REQ-QERDS-5.2.2-03 [CONDITIONAL] When the QERDSP binds means of authentication to a sender identity verified as per clause 5.2.1, it shall be one of the following:

(a) two factor authentication mechanisms;

(b) European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level ‘high’ or ‘substantial’;

(c) a mutual TLS authentication, which includes the certificate issued to the sender under NCP as defined in ETSI EN 319 411-1 [2];

(d) a digital signature supported by a certificate issued under NCP as defined in ETSI EN 319 411-1 [2];

(e) other means that ensure the authentication of the identified sender. The conformity of the binding shall be confirmed by a conformity assessment body. Example: This can include the use of one of the above means from letters (a), (b) and (d) to register a Transport Layer Security (TLS) client certificate for automated sending via mutual TLS, or to register a digital seal certificate used to seal assertions to authenticate with the ERDS. Other mechanisms where the identified senders are making use of delegated third-party services can also apply.

REQ-QERDS-5.2.2-03A [CONDITIONAL] When the QERDSP binds means of authentication to a recipient identity verified as per clause 5.2.1, it shall be one of the following, provided that the means, or any combination of means, ensure very high level of confidence regarding the identity of the authenticated recipient:

(a) a multi factor authentication mechanism

(b) European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level ‘high’ or ‘substantial’;

(c) a certificate of a qualified electronic signature or of a qualified electronic seal;

(d) other means that ensure the authentication of the identified recipient. The conformity of the binding shall be confirmed by a conformity assessment body. Example: This can include the use of one of the above means from letters (a) to (c) to register a Transport Layer Security (TLS) client certificate for automated sending via mutual TLS, or to register a digital seal certificate used to seal assertions to authenticate with the ERDS. Other mechanisms where the identified senders are making use of delegated third-party services can also apply.

REQ-QERDS-5.2.2-04 [CONDITIONAL] If the sender connects to the QERDS on a secured connection which requires machine-to-machine mutual authentication between the sender’s machine and the QERDS’s server based on certificates issued according to NCP as defined in ETSI EN 319 411-1 [2], then after this secure connection has been established, single factor authentication mechanisms may be adopted for a second phase of sender authentication if the organisational procedures and security measures put in place ensure confidence in the authentication of the sender.

(7) 5.4.1 Common provisions

REQ-ERDS-5.4.1-06 The ERDS shall generate and make available to legitimate interested parties ERDS evidence about ERD events as defined in clause 6 of ETSI EN 319 522-1 [3].

REQ-ERDS-5.4.1-07 The ERDSP shall archive the evidence and/or evidence digests for each evidence that it issued.

REQ-ERDS-5.4.1-08 The ERDS evidence generated by the ERDS shall comply with evidence semantic defined in clause 8 of ETSI EN 319 522-2 [4].

(8) 7.2.1 Common provisions

REQ-ERDS-7.2.1-02 The ERDSP’s personnel in trusted roles shall be able to fulfil the requirement of ‘expert knowledge, experience and qualifications’ through formal training and credentials, or actual experience, or a combination of the two.

REQ-ERDS-7.2.1-03 Compliance with REQ-ERDS-7.2.1-02 shall include regular updates (at least every 12 months) on new threats and current security practices.

(9) 7.3.2 Media handling

REQ-ERDS-7.3.1-02 All requirements from ETSI EN 319 401 [1], clause 7.3.3 shall apply.

(10) 7.5 Cryptographic controls

REQ-ERDS-7.5-01A The ERDS shall select and use suitable cryptographic techniques in accordance with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA [5].

REQ-ERDSP-7.5-03 The ERDS signing private key shall be held and used within a secure cryptographic device which is a trustworthy system certified in accordance with:

(a) Common Criteria for Information Technology Security Evaluation, as set out in ISO/IEC 15408 [6] or in Common Criteria for Information Technology Security Evaluation, version CC:2002, Parts 1 through 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security, and certified to EAL 4 or higher; or

(b) the European Common Criteria-based cybersecurity certification scheme (EUCC) [7][8], and certified to EAL 4 or higher; or

(c) until 31.12.2030, FIPS PUB 140-3 [9] level 3.

This certification shall be to a security target or protection profile, or to a module design and security documentation, which meets the requirements of the present document, based on a risk analysis and taking into account physical and other non-technical security measures.

If the secure cryptographic device benefits from an EUCC [7][8] certification, then this device shall be configured and used in accordance with that certification.

(11) 7.8 Network security

REQ-ERDSP-7.8-04 The ERDSP shall use state-of-the-art protocols and algorithms for encryption on transport layer level in compliance with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA [5].

REQ-ERDSP-7.8-06 The vulnerability scan requested by REQ-7.8-13 of ETSI EN 319 401 [1] shall be performed at least once per quarter.

REQ-ERDSP-7.8-07 The penetration test requested by REQ-7.8-17X of ETSI EN 319 401 [1] shall be performed at least once per year.

REQ-ERDSP-7.8-08 Firewalls shall be configured to prevent all protocols and accesses not required for the operation of the TSP.

(12) 7.12 ERDSP termination and ERDS termination plans

REQ-ERDS-7.12-03 The ERDSP’s termination plan shall comply with the requirements set out in the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014 [i.1].

(13) 7.14 Supply chain

REQ-ERDS-7.14-01 The requirements specified in ETSI EN 319 401 [1], clause 7.14 shall apply.

ANNEX II

List of reference standards and specifications referred to in Article 2

The standards ETSI EN 319 522-1 V1.2.1 (2024-01) (‘ETSI EN 319 522-1’), ETSI EN 319 522-2 V1.2.1 (2024-01) (‘ETSI EN 319 522-2’), ETSI EN 319 522-3 V1.2.1 (2024-01) (‘ETSI EN 319 522-3’), ETSI EN 319 522-4-1 V1.2.1 (2019-01) (‘ETSI EN 319 522-4-1’), ETSI EN 319 522-4-2 V1.1.1 (2018-09) (‘ETSI EN 319 522-4-2’) and ETSI EN 319 522-4-3 V1.1.1 (2018-09) (‘ETSI EN 319 522-4-3’) apply.

(1) https://certification.enisa.europa.eu/publications/eucc-guidelines-cryptography_en.
(2) OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj.