
This document is an excerpt from the EUR-Lex website

Document Ares(2025)3079109

COMMISSION IMPLEMENTING REGULATION (EU) …/... laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the binding of date and time to data and establishing the accuracy of the time sources for the provision of qualified electronic time stamps

Please be aware that this draft act does not constitute the final position of the institution.

COMMISSION IMPLEMENTING REGULATION (EU) …/...

of XXX

laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the binding of date and time to data and establishing the accuracy of the time sources for the provision of qualified electronic time stamps

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC 1, and in particular Article 42(2) thereof,

Whereas:

(1) Qualified electronic time stamps play a crucial role in the digital business environment by promoting the transition from traditional paper-based processes to electronic equivalents. By binding date and time information to electronic data, qualified electronic time stamps help ensure the integrity and authenticity of digital documents.

(2) The presumption of compliance laid down in Article 42(1a) of Regulation (EU) No 910/2014 should only apply where qualified trust services for the issuance of qualified time stamps comply with the standards set out in this Regulation. These standards should reflect established practices and be widely recognised within the relevant sectors. These standards should be adapted to include additional controls ensuring the security and trustworthiness of the qualified trust service and of the binding of date and time to data and the accuracy of the time source.

(3) Regulation (EU) 2016/679 of the European Parliament and of the Council 2 and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council 3 apply to the personal data processing activities under this Regulation.

(4) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council 4 and delivered its opinion on [XX.XX.2025].

(5) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

The reference standards and specifications referred to in Article 42(2) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels,

   For the Commission

   The President
   Ursula VON DER LEYEN


ANNEX

List of reference standards and specifications for qualified time stamp services

The standards ETSI EN 319 421 V1.3.0 1 (‘ETSI EN 319 421’) and ETSI EN 319 422 V1.1.1 2 (‘ETSI EN 319 422’) apply with the following adaptations:

1. For ETSI EN 319 421:

(1) 2.1 Normative references:

[4] ETSI EN 319 401 V3.1.1 (2024-06): "Electronic Signatures and Infrastructures (ESI); General Policy Requirements for Trust Service Providers".

[5] ETSI EN 319 422 V1.1.1 (2016-03): "Electronic Signatures and Infrastructures (ESI); Time-stamping protocol and time-stamp token profiles".

[6] void.

[7] void.

[8] ETSI EN 319 411-1: "Electronic Signatures and Infrastructures (ESI); Policy and security requirements for Trust Service Providers issuing certificates; Part 1: General requirements".

[9] ETSI TS 119 312: "Electronic Signatures and Infrastructures (ESI); Cryptographic Suites".

[10] Commission Implementing Regulation (EU) 2024/482 3 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC).

[11] Commission Implementing Regulation (EU) 2024/3144 4 of 18 December 2024 amending Implementing Regulation (EU) 2024/482 as regards applicable international standards and correcting that Implementing Regulation.

(2) 2.2 Informative references

[i.7] void.

[i.10] void.

[i.20] Commission Implementing Decision (EU) 2015/1505 5 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market.

(3) 3.1 Terms

certificate validity period: time interval from notBefore to notAfter inclusive, during which the certification authority (CA) warrants that it will maintain information about the status of the certificate

NOTE: The notBefore and notAfter terms are defined in RFC 5280 [i.18]

(4) 3.3 Abbreviations

EUCC European Common Criteria-based cybersecurity certification scheme

(5) 6.2 Trust Service Practice Statement

OVR-6.2-03: The TSA shall include statements about the availability of its time-stamping service in its TSA disclosure statement.

(6) 7.6.2 TSU key generation

TIS-7.6.2-03: The generation of the TSU's key(s) shall be carried out within a secure cryptographic device which:

(a) is a trustworthy system certified to EAL 4 or higher in accordance with ISO/IEC 15408 [3], or with EUCC [10][11]. This certification shall be to a security target or protection profile which meets the requirements of the present document, based on a risk analysis and taking into account physical and other non-technical security measures.

NOTE 2: Standards specifying common criteria protection profiles for TSP cryptographic modules, in accordance with ISO/IEC 15408 [3], are available within CEN as TS 419221-2 [i.13], TS 419221-3 [i.14], TS 419221-4 [i.15], or EN 419221-5 [i.16].

(b) void.

TIS-7.6.2-04: void.

NOTE 3: void.

TIS-7.6.2-05: The TSU key generation algorithm, the resulting signing key length and signature algorithm used for signing time-stamps and for signing TSU public key certificates respectively shall be as specified in ETSI TS 119 312 [9].

NOTE 4: void.

TIS-7.6.2-06: A TSU's signing key shall not be imported into different secure cryptographic devices.

(7) 7.6.3 TSU private key protection

TIS-7.6.3-02: The TSU private key shall be held and used within a secure cryptographic device which:

(a) is a trustworthy system certified to EAL 4 or higher in accordance with ISO/IEC 15408 [3], or with the European Common Criteria-based cybersecurity certification scheme (EUCC) [10][11]. This certification shall be to a security target or protection profile which meets the requirements of the present document, based on a risk analysis and taking into account physical and other non-technical security measures.

NOTE 1: Standards specifying common criteria protection profiles for TSP cryptographic modules, in accordance with ISO/IEC 15408 [3], are available within CEN as TS 419 221-2 [i.13], TS 419 221-3 [i.14], TS 419 221-4 [i.15], or EN 419 221-5 [i.16].

(b) void.

TIS-7.6.3-03: void.

NOTE 2: void.

(8) 7.6.5 Rekeying TSU's key

NOTE 1: void.

(9) 7.6.7 End of TSU key life cycle

TIS-7.6.7-02: The expiration date for TSU's private keys shall not be later than the notAfter date of the associated TSU public key certificate validity period.

TIS-7.6.7-03: The expiration date for TSU's private keys shall take into account the lifetime set out in 'recommended key sizes versus time' from ETSI TS 119 312 [9].

NOTE 1: void.

TIS-7.6.7-04: To be able to verify during a sufficient lapse of time the validity of the time-stamps, the validity of the TSU's private keys shall be shorter than the associated TSU public key certificate validity period.

EXAMPLE: Public key certificate valid four years, and private key validity reduced to one year by using a privateKeyUsagePeriod extension in the TSU public key certificate [i.18].

TIS-7.6.7-09: The TSA shall specify the expiration date of the TSU's keys in its TSA policy or practice statement, including a description of the operational or technical procedures put in place to comply with the requirements of the present clause.

NOTE 2: See also OVR-6.2-02 and TIS-7.6.7-04.

(10) 7.14 TSA termination and termination plans

OVR-7.14-01A: The TSP’s termination plan shall comply with the requirements set out in the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014 [i.4].

(11) 7.16 Supply chain

OVR-7.16-01: The requirements identified in ETSI EN 319 401 [4], clause 7.14 shall apply.

(12) 8.1 TSU public key certificate

TIS-8.1-01 [CONDITIONAL]: If a time-stamp is declared by the TSA to be a qualified electronic time-stamp as per Regulation (EU) No 910/2014 [i.4], the TSU signature verification (public) key certificate:

(a) shall be issued in compliance with the NCP+ certificate policy as specified in ETSI EN 319 411-1 [8];

(b) should be issued in compliance with an appropriate certificate policy as specified in ETSI EN 319 411-2 [i.11].

NOTE 2: The relying party is expected to use a trusted list compliant with Commission Implementing Decision (EU) 2015/1505 [i.20] and to use ETSI TS 119 615 [i.19] to establish whether the time-stamp is qualified in accordance with Regulation (EU) 910/2014. The qcStatement "esi4-qtstStatement-1" as defined in ETSI EN 319 422 [5], clause 9.1 can only be an indication that the time stamp is claimed to be a qualified electronic time stamp.

2. For ETSI EN 319 422:

(1) 2.1 Normative references

[5] void.

[6] void.

[8] ETSI TS 119 312: "Electronic Signatures and Infrastructures (ESI); Cryptographic Suites".

[9] RFC 9110: HTTP Semantics.

(2) 2.2 Informative references

[i.5] void.

(3) 4.1.3 Hash algorithms to be used

Hash algorithms used to hash the information to be time-stamped, the expected duration of the time stamp and selected hash functions versus time shall be as specified in ETSI TS 119 312 [8].

NOTE: void.

(4) 4.2.3 Algorithms to be supported

Time-stamp token signature algorithms to be supported shall be as specified in ETSI TS 119 312 [8].

NOTE: void.

(5) 4.2.4 Key lengths to be supported

Signature algorithm key lengths for the selected signature algorithm shall be supported as specified in ETSI TS 119 312 [8].

NOTE: void.

(6) 5.1.3 Algorithms to be supported

Hash algorithms for the time-stamp data to be supported, the expected duration of the time-stamp and selected hash functions versus time shall be as specified in ETSI TS 119 312 [8].

NOTE: void.

(7) 5.2.3 Algorithms to be used

Hash algorithms used to hash the information to be time-stamped and time-stamp token signature algorithms shall be as specified in ETSI TS 119 312 [8].

NOTE: void.

(8) 6.3 Key lengths requirements

The key length for the selected signature algorithm of the TSU certificate shall be supported in compliance with ETSI TS 119 312 [8].

NOTE: void.

(9) 6.5 Algorithm requirements

The TSU public key and the TSU certificate signature shall use the algorithms as specified in ETSI TS 119 312 [8].

NOTE: void.

(10) 7 Profiles for the transport protocols to be supported

The time-stamping client and the time-stamping server shall support the time-stamping protocol via HTTPS [9] as defined in clause 3.4 of IETF RFC 3161 [1].

(11) 8 Object identifiers of the cryptographic algorithms

The TSU public key and the TSU certificate signature shall use the algorithms as specified in ETSI TS 119 312 [8].

(12) 9.1

If a time-stamp token is declared by the TSA to be a qualified electronic time stamp in accordance with Regulation (EU) No 910/2014 [i.2], it shall contain one instance of the qcStatements extension in the time stamp token extension field with the syntax as defined in IETF RFC 3739 [i.3], clause 3.2.6.

The qcStatements extension shall contain one instance of the statement "esi4-qtstStatement-1" as defined in Annex B.

The extension qcStatements shall not be marked as critical.
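
The three rules of clause 9.1 above can be checked mechanically on a time-stamp token. The following Python code is an added example, not part of this Regulation or of the ETSI standards: it walks a DER-encoded Extensions value and reports each rule that is not met. The object identifiers (1.3.6.1.5.5.7.1.3 for qcStatements, 0.4.0.19422.1.1 for esi4-qtstStatement-1), the function names and the sample bytes built by sample() are assumptions constructed for illustration.

```python
# Added example: structural check of the clause 9.1 rules on a DER-encoded
# Extensions value from a TSTInfo. OID constants are DER content octets.
QC_STATEMENTS = bytes.fromhex("2b06010505070103")  # 1.3.6.1.5.5.7.1.3 (RFC 3739)
QTST_1 = bytes.fromhex("040081975e0101")  # 0.4.0.19422.1.1, assumed per Annex B

def tlvs(buf):
    """Yield (tag, value) for each DER element in buf (definite lengths only)."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:  # long form: the low 7 bits give the count of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def check_qtst(extensions_der):
    """Return the clause 9.1 violations found; an empty list means none."""
    (_, exts), = tlvs(extensions_der)  # outer tag ignored ([1] IMPLICIT in TSTInfo)
    ext_fields = [list(tlvs(e)) for _, e in tlvs(exts)]
    found = [f for f in ext_fields if f[0][1] == QC_STATEMENTS]
    if len(found) != 1:
        return [f"expected one qcStatements extension, found {len(found)}"]
    fields, problems = found[0], []
    # Extension ::= SEQUENCE { extnID, critical BOOLEAN DEFAULT FALSE, extnValue }
    if any(tag == 0x01 and val != b"\x00" for tag, val in fields[1:-1]):
        problems.append("qcStatements is marked critical")
    (_, stmts), = tlvs(fields[-1][1])  # extnValue wraps SEQUENCE OF QCStatement
    count = sum(next(tlvs(s))[1] == QTST_1 for _, s in tlvs(stmts))
    if count != 1:
        problems.append(f"expected one esi4-qtstStatement-1, found {count}")
    return problems

def der(tag, *parts):
    """Encode one DER element; the constructed samples stay under 128 bytes."""
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

def sample(critical=False, statements=1):
    """Constructed Extensions value holding one qcStatements extension."""
    qc = der(0x30, *[der(0x30, der(0x06, QTST_1))] * statements)
    flag = der(0x01, b"\xff") if critical else b""
    return der(0x30, der(0x30, der(0x06, QC_STATEMENTS), flag, der(0x04, qc)))
```

An empty result shows only that the token claims qualified status; as NOTE 2 under TIS-8.1-01 states, the relying party still establishes qualification through the trusted list.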

(1)    EN 319 421 - Electronic Signatures and Infrastructures (ESI) - Policy and Security Requirements for Trust Service Providers issuing Time Stamps, V1.3.1 (2025-01).
(2)    EN 319 422 - Electronic Signatures and Infrastructures (ESI) - Time-stamping protocol and time-stamp token profiles, V1.1.1 (2016-03). https://www.etsi.org/deliver/etsi_en/319400_319499/319422/01.01.01_60/en_319422v010101p.pdf
(3)    OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj .
(4)    OJ L, 2024/3144, 19.12.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/3144/oj .
(5)    OJ L 235, 9.9.2015, p. 26, ELI: http://data.europa.eu/eli/dec_impl/2015/1505/oj .
