eIDAS - Certified creation devices

Commission Implementing Regulation (EU) 2025/1570 of 29 July 2025 lays down rules for the application of Regulation (EU) No 910/2014 as regards notification of information on certified qualified electronic signature creation devices and certified qualified electronic seal creation devices.

An electronic edition of the same is available here.

Article 1: Notification requirements

1. The notification referred to in Article 31(1) of Regulation (EU) No 910/2014 shall contain at least the information set out in the Annex to this Regulation and shall be made in electronic form through a secure electronic channel made available by the Commission.

2. Where there are any changes to the submitted information after the initial submission, including changes to the certification status of qualified electronic signature creation devices and qualified electronic seal creation devices, Member States shall submit the updated information with the relevant accompanying documents through the channel referred to in paragraph 1.

Article 2: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall apply from 19 December 2025.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 July 2025.

For the Commission

The President

Ursula VON DER LEYEN

ANNEX

Information to be notified by Member States in accordance with Article 31(1)

1. The identification of the qualified electronic signature creation device or qualified electronic seal creation device, as covered by the certification or certification cancellation notification and specified through the following elements:

   (a) product name;

   (b) reference to the configured software component, including the relevant version;

   (c) reference to the configured hardware component, including the relevant version;

   (d) version;

2. The identity of the body that applied for certification;

3. The description of the qualified electronic signature creation device or qualified electronic seal creation device, including:

   (a) whether it is a qualified electronic signature creation device or/and a qualified electronic seal creation device;

   (b) which of the following categories the device belongs to:

   • devices where the electronic signature creation data or electronic seal creation data is held in an entirely (but not necessarily exclusively) user-managed environment;
   • devices where a qualified trust service provider manages the electronic signature creation data or electronic seal creation data on behalf of a signatory or of a creator of a seal;

4. The certificate of conformity of the device with the requirements of Annex II to Regulation (EU) No 910/2014;

5. A reference to the certification report issued in accordance with Article 30 of Regulation (EU) No 910/2014 that shall not change at least for the validity period of the certificate of conformity;

6. The identity of the issuer of the certification report, including appropriate reference to its qualification as a certification body designated by a Member State in accordance with Article 30(1) of Regulation (EU) No 910/2014 and as compliant for the certification of those devices in accordance with Article 30(3) of that Regulation;

7. A uniform resource locator ('URL') of a location from where the certification report is publicly available free of charge;

8. The effective starting date of certification;

9. The certification status;

10. The expiry date of certification;

11. Whether certification is planned not to be continued after the current certification for the current configuration of the qualified electronic signature creation devices or qualified electronic seal creation devices;

12. Contact details of the designated body;

13. Whether the certification method is in accordance with Article 30(3), first subparagraph, point (a) or point (b) of Regulation (EU) No 910/2014, and as applicable, the reference and URL to the alternative procedures that have been notified to the Commission pursuant to Article 30(3), first subparagraph, point (b), of that Regulation;

14. All related certification reports established in accordance with the implementing acts adopted pursuant to Article 30(3), second subparagraph of Regulation (EU) No 910/2014 including:

    (a) a reference to each certification report;

    (b) the identification of the issuer of each certification report;

    (c) a URL to a location from where each certification report is publicly available free of charge;

    (d) the issuance date of each certification report;

    (e) where publicly available, a version of the corresponding security target document describing the device, or any component thereof, being targeted by the certification evaluation covered by the certification report.