Skip to main content

EUDI Wallet - Accreditation of conformity assessment bodies

Commission Implementing Regulation (EU) 2025/2162 establishes detailed rules under Regulation (EU) No 910/2014. This regulation aims to ensure consistent standards across EU Member States, enhancing trust and interoperability within the European Digital Identity ecosystem.

An electronic edition of the same is available here.

Article 1: Definitions

For the purpose of this Regulation, the following definitions shall apply:

  1. 'scheme owner' means an entity or a group of entities which is responsible for developing and maintaining a conformity assessment scheme;

  2. 'certification decision' means a certification decision, which follows a conformity assessment conducted by a conformity assessment body where that body positively or negatively confirms the conformity of a specific qualified trust service provider and the qualified trust service it provides with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555;

  3. 'certificate of conformity' means a document by which a conformity assessment body attests a certification decision that positively confirms that a specific qualified trust service provider and the qualified trust service it provides comply with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555;

  4. 'conformity assessment scheme' means a set of rules and procedures to be used by conformity assessment bodies for the purpose of the assessment of the conformity of qualified trust service providers and the qualified trust services that they provide with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555;

  5. 'conformity assessment report' means a document that provides detailed information, where applicable supplementary to that contained in a certification decision and associated certificate of conformity, on the method used to carry out, in accordance with a conformity assessment scheme, a conformity assessment of the compliance of a specific qualified trust service provider and the qualified trust service it provides with the requirements of Regulation (EU) No 910/2014 and of Article 21 of Directive (EU) 2022/2555 and on the results of the conformity assessment;

  6. 'accreditation' means an accreditation, as defined in Article 2, point 10 of Regulation (EC) No 765/2008;

  7. 'flexible scope accreditation' means an accreditation where the specific conformity assessment activities for which accreditation is sought, or has been granted, are expressed to allow conformity assessment bodies to make changes in methodology and other parameters which fall within the competence of the conformity assessment body as confirmed by the national accreditation body;

  8. 'national accreditation body' means a national accreditation body as defined in Article 2, point 11, of Regulation (EC) No 765/2008.

Article 2: Accreditation of conformity assessment bodies

  1. For the purposes of making certification decisions in accordance with a specific conformity assessment scheme, conformity assessment bodies shall be accredited in accordance with standard EN ISO/IEC 17065:2012 supplemented by standard ETSI EN 319 403-1 v2.3.1.

  2. The accreditation of conformity assessment bodies referred to in paragraph 1 shall be performed by a national accreditation body in compliance with standard EN ISO/IEC 17011:2017.

Article 3: Accreditation certificate issued to conformity assessment bodies

  1. National accreditation bodies shall ensure that the accreditation certificates they issue to conformity assessment bodies contain at least the following information:

    (a) the unique accreditation certificate identity code;

    (b) the issuance date of the accreditation certificate;

    (c) the name and country, as stated in the national official records, of the national accreditation body issuing the accreditation certificate;

    (d) the name and, where applicable, registration number as stated in the national official records, of the accredited conformity assessment body;

    (e) the scope of accreditation, with regard to one or more of the following qualified trust services:

    • the issuance of qualified certificates for electronic signatures;

    • the issuance of qualified certificates for electronic seals;

    • the issuance of qualified certificates for website authentication;

    • the qualified validation service for qualified electronic signatures;

    • the qualified validation service for qualified electronic seals,

    • the qualified preservation service for qualified electronic signatures;

    • the qualified preservation service for qualified electronic seals;

    • the creation of qualified electronic timestamps;

    • the provision of qualified electronic registered delivery services;

    • the qualified service for the management of remote qualified electronic signature creation devices;

    • the qualified service for the management of remote qualified electronic seal creation devices;

    • the provision of qualified electronic archiving services;

    • the issuance of qualified electronic attestations of attributes;

    • the recording of electronic data in a qualified electronic ledger.

    (f) the identification, including, where relevant, the specific version, of the conformity assessment scheme for which the conformity assessment body has been accredited;

    (g) the indication of the use of the flexible scope accreditation, where relevant;

    (h) the identification, where relevant, of the document outlining the design and implementation process of the flexible scope accreditation.

  2. National accreditation bodies shall ensure that the start date, and where applicable, the end date of the accreditation of the conformity assessment body for conducting the conformity assessment of the qualified trust services as referred to in paragraph 1, point (e), including specific dates for each qualified trust service as applicable, are part of the accreditation details referred to in Article 20(1b) of Regulation (EU) No 910/2014.

  3. National accreditation bodies shall ensure that any relevant changes made in relation to the information provided in accordance with paragraph 1 shall be clearly reflected in the accreditation certificate.

  4. The accreditation certificate shall clearly describe the scope of the accreditation of the conformity assessment body, in accordance with Article 2(1).

Article 4: Reconsideration of existing accreditation

  1. The scheme owner shall implement procedures to monitor any changes in the standards referred to in Article 2(1) or in Article 6(3), or to a conformity assessment scheme owned by it and on the basis of which a conformity assessment body has been accredited in accordance with Article 2.

  2. The scheme owner shall notify the national accreditation body of the changes identified as a result of the procedures referred to in paragraph 1, in a timely manner.

  3. Where the national accreditation body did not apply flexible scope accreditation to accredited conformity assessment bodies, the national accreditation body shall determine whether the changes, identified as a result of the procedures referred to in paragraph 1, are likely to materially affect the ability of accredited conformity assessment bodies to conduct conformity assessments pursuant to schemes for which they have been accredited.

  4. Where the national accreditation body determines, pursuant to paragraph 3, that changes do affect the ability of conformity assessment bodies to conduct conformity assessments, it shall request the conformity assessment body to take appropriate measures within a reasonable prescribed period.

  5. If the conformity assessment body is unable or unwilling to take the measures referred to in paragraph 4 within the period prescribed, the national accreditation body shall immediately withdraw or suspend the accreditation.

  6. Where the national accreditation body determines, pursuant to paragraph 3, that changes do not affect the ability of conformity assessment bodies to conduct conformity assessments, it may, where appropriate, extend the validity and scope of the accreditation of the assessed conformity assessment body.

  7. Where appropriate, the national accreditation body shall update the accreditation certificate in a timely manner to reflect the outcome of the reconsideration of the accreditation pursuant to this Article.

  8. Where a conformity assessment body receives a request pursuant to paragraph 4, it shall, in a timely manner, inform any qualified trust service providers that it has previously assessed under the relevant conformity assessment scheme of any impacts that the reconsideration of the conformity assessment body's accreditation may have on those qualified trust service providers, including with respect to future certification decisions made by the conformity assessment body under that scheme.

Article 5: Conformity assessment bodies

  1. Conformity assessment bodies shall make the certificates of conformity they issue available in a public repository maintained by that conformity assessment body for that purpose.

  2. Any subcontracting by the conformity assessment body of the performance of conformity assessment activities shall duly consider the nature of the activity to be performed. The conformity assessment body shall ensure that the subcontractor complies with the standards set out in Annex I for the specific activity being subcontracted.

  3. Conformity assessment bodies shall ensure, upon issuing a certification decision, that the qualified trust services provider to whom the decision relates, is able to submit the complete conformity assessment reports corresponding to that decision to the supervisory bodies.

Article 6: Conformity assessment schemes

  1. Each conformity assessment scheme shall identify a scheme owner.

  2. A conformity assessment scheme shall comply with scheme type 6 of standard EN ISO/IEC 17067:2013 and with the requirements laid down in this Article.

  3. Scheme owners shall ensure that their conformity assessment schemes include at least the standards, as applicable, set out in Annex II by indicating the year and version number of these standards.

  4. Scheme owners shall ensure that where a flexible scope accreditation is applicable, this is indicated in the conformity assessment scheme.

  5. Scheme owners shall ensure that their conformity assessment schemes establish processes and procedures, regarding at least the following:

    (a) receiving and handling complaints to the scheme owner on the implementation of the conformity assessment scheme;

    (b) notifications by the conformity assessment body to the supervisory body designated in accordance with Article 46b(1) of Regulation (EU) No 910/2014 on the issuance of certificates of conformity and any changes thereto;

    (c) where applicable, subcontracting the performance of conformity assessment activities by the conformity assessment body;

    (d) the performance of yearly surveillance activities on the basis of the applicable requirements of clause 7.9 of standard ISO/IEC 17065:2012;

    (e) the management and notification by the qualified trust service provider to the conformity assessment body and to the competent supervisory body of any change impacting the operation of qualified trust service providers or the qualified trust services they provide;

    (f) the verification of evidence demonstrating that the conformity assessment body:

    • has sufficient knowledge and expertise in the application of specific standards related to the qualified trust service provided by the qualified trust service provider, as referred to in paragraph 3;

    • has professional experience in conformity assessment in at least three assessments of trust service providers or three assessments of information security management systems; and

    • can ensure the availability of a team of no fewer than two qualified persons possessing the necessary expertise to carry out such conformity assessment.

  6. Scheme owners shall ensure that their conformity assessment schemes require the qualified trust service providers to have processes, procedures and work instructions in place to notify the conformity assessment body at least one month before the qualified trust service providers implement any significant change in the provision of the qualified trust services certified under that scheme and at least three months before it intends to cease the provision of the services or parts thereof.

  7. Scheme owners shall ensure that their conformity assessment schemes do not allow positive certification decisions, or any certificate of conformity, to be issued where the conformity assessment leads to the identification of non-conformity of the assessed qualified trust service providers and the qualified trust service they provide with the requirements of Regulation (EU) No 910/2014 and of Article 21 of Directive (EU) 2022/2555.

  8. Scheme owners shall ensure that their conformity assessment schemes set out the procedure for the attestation of a certificate of conformity. They shall require, in particular, that the qualified trust service providers immediately inform the competent supervisory body of any change to a certificate of conformity. They shall also require that qualified trust services providers refrain from providing the qualified trust services concerned or from advertising any reference thereto until the competent supervisory body reconfirms the qualified status. This procedure shall comply with the requirements set out in clause 7.11 of standard ISO/IEC 17065:2012.

  9. Scheme owners shall ensure that their conformity assessment schemes set out the conformity assessment process to be conducted over a sufficient number of person-days and shall ensure that sufficient resources and time are allocated for the conformity assessment, taking into account the scope and the complexity of the assessment.

  10. Scheme owners shall make a summary of the conformity assessment scheme publicly available for download. The summary shall contain a description of the set of rules and procedures followed for the assessment of the conformity of qualified trust service providers and the qualified trust services they provide with the requirements of Regulation (EU) No 910/2014 and of Article 21 of Directive (EU) 2022/2555.

  11. Scheme owners shall ensure that their conformity assessment schemes require that at least one surveillance conformity assessment is conducted annually for every evaluated qualified trust service.

Article 7: Conformity assessment reports

  1. The conformity assessment report referred to in Article 20(1) of Regulation (EU) No 910/2014, shall comply with the specifications set out in Annex III.

  2. The conformity assessment report shall be considered a part of the certification documentation specified in clause 7.7 of standard ETSI EN 319 403-1.

Article 8: Accreditation information

  1. Any interested party can request, free of charge, current and past information about the scope, start date and, where applicable, end date of the accreditation of conformity assessment bodies, for each type of qualified trust service that the conformity assessment body is or has been accredited to assess. This information shall be made available by national accreditation bodies.

  2. Current and past information, as referred to in paragraph 1, should be made available for at least a period of 6 years after the accreditation of the conformity assessment body.

Article 9: Grandfathering provision

Conformity assessment bodies that have, before 17 November 2025, been accredited with reference to standard ETSI EN 319 403 version 2.2.2, or earlier version, for the purposes of the assessment of conformity with Regulation (EU) No 910/2014 of qualified trust service providers and the qualified trust services they provide shall have their accreditation be considered to meet the requirements of Article 2(1) until 17 May 2027.

Article 10: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 27 October 2025.

For the Commission

The President

Ursula VON DER LEYEN

ANNEX I

Reference standards for the subcontracting of conformity assessment activities

  1. EN ISO/IEC 17025:2017 for testing activities;

  2. EN ISO/IEC 17021-1:2015 for audit activities of management systems;

  3. EN ISO/IEC 17020:2012 for inspection activities;

  4. EN ISO/IEC 17065:2012 for conformity assessments activities.

ANNEX II

Reference standards for conformity assessment schemes

The standards referred to in Article 6(3) are ETSI TS 119 612 v2.4.1 and the following:

Qualified Trust ServiceRelevant standards
The issuance of qualified certificates for electronic signaturesETSI EN 319 411 -2; ETSI EN 301 549; ETSI EN 319 412 -1; ETSI EN 319 412 -2; ETSI EN 319 412 -5; ETSI TS 119 461; ETSI EN 319 401
The issuance of qualified certificates for electronic sealsETSI EN 319 411 -2; ETSI TS 119 495; ETSI EN 301 549; ETSI EN 319 412 -1; ETSI EN 319 412 -2; ETSI EN 319 412 -3; ETSI EN 319 412 -5; ETSI TS 119 461; ETSI EN 319 401
The issuance of qualified certificates for website authenticationETSI EN 319 411 -2; ETSI TS 119 411 -5; ETSI TS 119 495; ETSI EN 301 549; ETSI EN 319 412 -1; ETSI EN 319 412 -4; ETSI EN 319 412 -5; ETSI TS 119 461; ETSI EN 319 401
The qualified validation service for qualified electronic signaturesETSI TS 119 441; ETSI TS 119 442; ETSI EN 319 102 -1; ETSI TS 119 102 -2; ETSI TS 119 172 -4; ETSI EN 301 549; ETSI EN 319 401
The qualified validation service for qualified electronic sealsETSI TS 119 441; ETSI TS 119 442; ETSI EN 319 102 -1; ETSI TS 119 102 -2; ETSI TS 119 172 -4; ETSI EN 301 549; ETSI EN 310 401
The qualified preservation service for qualified electronic signaturesETSI TS 119 511; ETSI TS 119 172 -4; ETSI TS 119 512; ETSI EN 301 549; ETSI EN 310 401
The qualified preservation service for qualified electronic sealsETSI TS 119 511; ETSI TS 119 172 -4; ETSI TS 119 512; ETSI EN 301 549; ETSI EN 319 401
The creation of qualified electronic time stampsETSI EN 319 421; ETSI EN 319 422; ETSI EN 301 549; ETSI EN 319 401
The provision of qualified electronic registered delivery servicesETSI EN 319 521; ETSI EN 319 522; ETSI EN 319 531; ETSI EN 319 532; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401
The qualified service for the management of remote qualified electronic signature creation devicesETSI TS 119 431 -1; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401
The qualified service for the management of remote qualified electronic seal creation devicesETSI TS 119 431 -1; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401
The provision of qualified electronic archiving servicesISO 14641; ISO 14721; CEN/TS 18170; ETSI TS 301 549; ETSI EN 319 401; ETSI EN 119 511
The issuance of qualified electronic attestations of attributesETSI TS 119 471; ETSI EN 301 549; ETSI TS 119 461; ETSI EN 319 401
The recording of electronic data in a qualified electronic ledgerETSI EN 319 401; ETSI EN 301 549; CEN/TS 18170; ISO 23257; ISO/TS 23635; ETSI EN 319 122 -1; ETSI EN 319 132 -1; ETSI EN 319 182 -1

ANNEX III

Specifications for conformity assessment reports

The conformity assessment report as referred to in Article 7(1) shall

  1. be accompanied by a clear certification decision in accordance with clause 7.6 of standard ETSI EN 319403-1 v2.3.1 ('ETSI EN 319403-1'), confirming, whether the assessed trust service provider and the assessed qualified trust services it provides or aims to provide meet the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555;

  2. specify the name of the qualified trust service provider and, where applicable, its registration number, as stated in the official records, its official postal address, and its electronic address as well as, where applicable, the same information for all subsidiaries, affiliated legal entities, contractors and subcontractors that are operating trust service components in the scope of the provision of the qualified trust services by the qualified trust service provider;

  3. include a detailed description of the scope of the assessment of the qualified trust service provider, including the specific qualified trust services covered by the assessment;

  4. contain sufficient evidence to demonstrate that the qualified trust service provider and the qualified trust services it provides fulfil the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555;

  5. specify the name of the conformity assessment body, and, where applicable its registration number, as stated in the official records, its registered postal address, and its electronic address;

  6. specify the following: (a) the name and country of the national accreditation body having accredited the conformity assessment body (b) the names of the natural persons involved by the conformity assessment body in performing the conformity assessment and their respective role in that assessment (c) the link to the official website of the national accreditation body and containing the accreditation certificate issued by the national accreditation body to the conformity assessment body (d) where applicable, the digital accreditation symbol (e) the conformity assessment scheme for which the conformity assessment body has been accredited in accordance with Article 2(1) (f) conformity assessment enquiries of the conformity assessment conducted, the rationale behind their selection, and the methodology employed, including sampling methodology and test procedures (g) the accredited conformity assessment scheme and relevant documents or a link to the location from where that conformity assessment scheme and relevant documents are available

  7. contain at least one qualified electronic signature, where the report is provided in an electronic form, or handwritten signature, where provided paper-based, identifying the name and title of the responsible person or persons that authorised to adopt the certification decision on behalf of the conformity assessment body;

  8. concern one qualified trust service provider;

  9. identify, in accordance with clause 5.5.3 of standard ETSI TS 119612 v.2.4.1, the service digital identities per type of qualified trust service for which it confirms the conformity with the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555, providing the following information: (a) when the qualified trust service is not public key infrastructure technology based, an identifier expressed as a URI that uniquely identifies the qualified trust service
    (b) when the qualified trust service is based on public key infrastructure technology, at least the following:

    • the Subject Key Identifier as defined in IETF RFC 5280
    • the Base64 PEM representation of the associated X.509v3 digital certificate
    • where applicable, an indication whether specific sets or subsets of end-entity certificates issued by or under the service digital identity are excluded from or specifically included in the certification decision and on the basis of which criteria they may be identified
    • an indication whether the service digital identity relates to an end-entity or a certification authority, clarifying whether it is an issuing, intermediate or root certificate
    • a description on how the service digital identity is used in the context of the corresponding qualified trust service

  10. provide, where applicable, a detailed description of the public key infrastructure functional hierarchy, per type of qualified trust service and for all service digital identities identified in accordance with point 11, including at least: (a) the illustration of the public key infrastructure hierarchy identifying the root certification authorities, the intermediate certification authorities, the issuing certification authorities and the certification paths between them
    (b) the identification of each certification authority illustrated in point (a) through the Subject Key Identifier as defined in IETF RFC 5280
    (c) for each of the issuing certification authorities identified in accordance with point (b), the list of the different policy sets of certificates that each certification authority is issuing, together with for each set:

    • criteria that unambiguously identify the certificates of the set, being either a list of certificate policy identifiers to match with the content of the certificate policy certificate extension as defined in IETF RFC 5280 or other criteria as set out in implementing acts adopted pursuant to Article 22(5) of Regulation (EU) No 910/2014
    • an indication of whether the certificates of the set are either qualified or non-qualified
    • an indication of whether the certificates of the set are either for electronic signatures, or for electronic seals, or for web site authentication or for none of those purposes and, in the latter case, for which other purposes their use is intended
    • an indication of whether the private key corresponding to the public key certified in the certificates of the sets resides in a local or remote qualified signature or seal creation device

  11. include, in accordance with point 2 (a) an exhaustive list of third parties, including subcontractors, which provide qualified trust service components or service components by indicating their name, as identified in point 2, together with the location of the sites where the corresponding component services are operated; (b) an indication whether those third parties and sites have been subject to the conformity assessment and to which extent;

  12. describe, where appropriate, the content of the entry to be included, or to be updated, in the relevant national trusted list, in accordance with the result of the assessment;

  13. include an exhaustive list of public and qualified trust service providers' internal documents, which are properly identified including versioning, which have been part of the scope of the conformity assessment, including at least the following documentation as referred to in point 8, for which a copy shall be either provided together with the conformity assessment report or made otherwise available to the competent supervisory body on its request: (a) the declaration of the practices used by the qualified trust service provider to provide the qualified trust services
    (b) the set of rules that indicates the applicability of the qualified trust services to a particular community or class of application with common security requirements ('qualified trust service policies')
    (c) the terms and conditions related to subscriber agreements
    (d) the termination plan of the qualified trust services
    (e) the documentation which is related to the assessment of risks and which aims to demonstrate that the requirements of Article 24(2), points (fa) and (fb) of Regulation (EU) No 910/2014 and Article 21 of Directive (EU) 2022/2555 have been fulfilled
    (f) the security breaches notification plan which aims to demonstrate that the requirements of Article 24(2), points (fa) and (fb) of Regulation (EU) No 910/2014 and Article 21 of Directive (EU) 2022/2555 have been fulfilled
    (g) the list of all internal documents supporting the effective implementation of the practices declared and used by the qualified trust service provider to provide the qualified trust services
    (h) the memorandum and articles of incorporation or statutes of the qualified trust service provider, in accordance with the applicable national laws, together with the following elements:

    • statement of business activities not relating to the provision of trust services
    • organisational chart
    • ownership structure information
    • where applicable and available, report of the accounts of the accounts auditor for the previous two accounting years, or from the date of its incorporation until the date of signing the conformity assessment report, whichever period is shorter

    (i) evidence that the qualified trust service provider, in accordance with applicable national laws, maintains sufficient financial resources and, where applicable, has obtained appropriate liability insurance with regard to the provision of the qualified trust services
    (j) the list of standards with which the operations are claimed to be compliant
    (k) the list of standards with which the operations are audited, evaluated, certified, or assessed to be compliant, together with details about the underlying audit, evaluation, certification or assessment scheme, as applicable
    (l) the list of qualified electronic signature creation devices or qualified electronic seal creation devices and their certification related information when the qualified trust service provider delivers or makes available such devices to its users
    (m) the list of devices used by the qualified trust service provider as trustworthy system or product, including hardware security modules or secure cryptographic devices, to protect its own keys, and information related to their certification, when the qualified trust service provider uses such devices to secure the processes supporting the qualified trust services it provides

  14. contain an assessment of the fulfilment of the requirements that apply to the relevant qualified trust services pursuant to Regulation (EU) No 910/2014, and, where applicable, as set out in the implementing and delegated acts that apply to that qualified trust service as adopted in accordance with:

    • Article 24(1c) of Regulation (EU) No 910/2014 with respect to the verification of the identity and attributes of persons to whom the qualified certificate or the qualified electronic attestation is to be issued
    • Article 24(5) of Regulation (EU) No 910/2014 with respect to the requirements for qualified trust service providers providing qualified trust services
    • Article 28(6) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for electronic signatures
    • Article 38(6) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for electronic seals
    • Article 45(2) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for website authentication
    • Article 33(2) of Regulation (EU) No 910/2014 with respect to the qualified validation service for qualified electronic signatures
    • Article 33(2) and Article 40 of Regulation (EU) No 910/2014 with respect to the qualified validation service for qualified electronic seals,
    • Article 34(2) of Regulation (EU) No 910/2014 with respect to the qualified preservation service for qualified electronic signatures
    • Article 34(2) and Article 40 of Regulation (EU) No 910/2014 with respect to the qualified preservation service for qualified electronic seals
    • Article 42(2) of Regulation (EU) No 910/2014 with respect to the creation of qualified electronic timestamps
    • Article 44(2) of Regulation (EU) No 910/2014 with respect to the provision of qualified electronic registered delivery services
    • Article 29a(2) of Regulation (EU) No 910/2014 with respect to the qualified service for the management of remote qualified electronic signature creation devices
    • Article 29a(2) and Article 39a of Regulation (EU) No 910/2014 with respect to the qualified service for the management of remote qualified electronic seal creation devices
    • Article 45j(2) of Regulation (EU) No 910/2014 with respect to the provision of qualified electronic archiving services
    • Article 45d(5) of Regulation (EU) No 910/2014 with respect to the issuance of qualified electronic attestation of attributes
    • Article 45l(3) of Regulation (EU) No 910/2014 with respect to the recording of electronic data in a qualified electronic ledger

  15. contains an assessment of the fulfilment of the requirements that apply to qualified trust service provider and to the relevant qualified trust services pursuant to Article 21 of Directive (EU) 2022/2555, and under the implementing acts that apply to that qualified trust service as adopted in accordance with of Article 21(5) of that Directive;

  16. contains a statement declaring, where applicable, the absence of any non-conformities, irrespective of their level of criticality; where any non-conformity is identified in the report, the report shall provide a plan of corrective actions and their timescale, provided by the qualified trust service provider and agreed by the conformity assessment body, together with the description of the planned evaluation tasks the conformity assessment body shall undertake to evaluate that those non-conformities have been corrected;

  17. contains, where appropriate and necessary, an indication of opportunities for improvement concerning the fulfilment by the qualified trust service provider and the qualified trust services it provides of relevant requirements;

  18. identify, for each stage of the conformity assessment, including documentation audit, implementation assessment and onsite inspections, the period in relation to which the assessment has been conducted and the time taken by the conformity assessment body in person-days to conduct the assessment;

  19. identify in the corresponding specific requirement report the detailed conformity assessment controls and control objectives that have been conducted during the assessment or include a reference to separately available assessment reports in which such information is included, provided that such separated assessment reports are: (a) issued by conformity assessment bodies accredited in accordance with Regulation (EU) No 910/2014
    (b) endorsed by the conformity assessment bodies issuing the conformity assessment report

  20. include the scope, the description, and the results of a significant set of tests or production samples and their assessment for all relevant and applicable types of outputs from the assessed qualified trust services;

  21. indicate the following deadlines: (a) the deadline within which the next surveillance conformity assessment must be conducted
    (b) the deadline within which the next conformity assessment must be conducted in accordance with Article 20(1) of Regulation (EU) No 910/2014

  22. contain an explicit declaration stating that the certification documents, including the conformity assessment report, are also intended for the use by the competent national supervisory body.