Skip to main content

eIDAS - Qualified electronic registered delivery services

Commission Implementing Regulation (EU) 2025/1944 establishes detailed rules under Regulation (EU) No 910/2014. This regulation aims to ensure consistent standards across EU Member States, enhancing trust and interoperability within the European Digital Identity ecosystem.

An electronic edition of the same is available here.

Article 1: Reference standards and specifications for qualified electronic registered delivery services

The reference standards and specifications referred to in Article 44(2) of Regulation (EU) No 910/2014 are set out in the Annex I to this Regulation.

Article 2: Reference standards and specifications for the interoperability between qualified electronic registered delivery services

The reference standards and specifications referred to in Article 44(2b) of Regulation (EU) No 910/2014 are set out in the Annex II to this Regulation.

Article 3: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 September 2025.

For the Commission

The President

Ursula VON DER LEYEN

ANNEX I - List of reference standards and specifications referred to in Article 1

The standard ETSI EN 319 521 V1.1.1 (2019-02) ('ETSI EN 319 521 ') applies with the following adaptations:

  1. For ETSI EN 319 521 (1) 2.1 Normative references:
    • [1] ETSI EN 319 401 V3.1.1 (2024-06) 'Electronic Signatures and Infrastructures (ESI)
    • General Policy Requirements for Trust Service Providers'.
    • [2] ETSI EN 319 411-1 V1.5.1 (2025-04) 'Electronic Signatures and Infrastructures (ESI)
    • Policy and security requirements for Trust Service Providers issuing certificates
    • Part 1: General requirements'.
    • [3] ETSI EN 319 522-1 V1.2.1 (2024-01) 'Electronic Signatures and Infrastructures (ESI)
    • Electronic Registered Delivery Services
    • Part 1: Framework and Architecture'.
    • [4] ETSI EN 319 522-2 V1.2.1 (2024-01) 'Electronic Signatures and Infrastructures (ESI)
    • Electronic Registered Delivery Services
    • Part 2: Semantic content'.
    • [5] European Cybersecurity Certification Group, Sub-group on Cryptography: 'Agreed Cryptographic Mechanisms' published by the European Union Agency for Cybersecurity ('ENISA') (1).
    • [6] ISO/IEC 15408-1:2022 – Information security, cybersecurity and privacy protection – Evaluation criteria for IT security.
    • [7] Commission Implementing Regulation (EU) 2024/482 (2) laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC).
    • [8] Commission Implementing Regulation (EU) 2024/3144 (3) amending Implementing Regulation (EU) 2024/482 as regards applicable international standards and correcting that Implementing Regulation.
    • [9] FIPS PUB 140-3 (2019) 'Security Requirements for Cryptographic Modules'.
    • (2) 3.1 Terms
    • advanced electronic seal: As defined in Regulation (EU) No 910/2014 [i.1].
    • advanced electronic signature: As defined in Regulation (EU) No 910/2014 [i.1].
    • qualified electronic seal: As defined in Regulation (EU) No 910/2014 [i.1].
    • qualified electronic signature: As defined in Regulation (EU) No 910/2014 [i.1].
    • secure cryptographic device: device which holds the user's private key, protects this key against compromise and performs signing or decryption functions on behalf of the user.
    • (3) 5.1.1 Common provisions
    • REQ-ERDS-5.1.1-01 The ERDS shall ensure that availability, integrity and confidentiality of the user content is adequately guaranteed while it is handled by the ERDS, selecting suitable integrity and confidentiality cryptographic techniques compliant with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA [5].
    • (4) 5.2.1.1 General
    • REQ-QERDS-5.2.1.1-01 The QERDSP shall verify with a very high level of confidence the identity of the recipient either directly or by relying on a third party, and by using one of the following means or a combination thereof as required:
    • (a) through the physical presence of the natural person or of an authorised representative of the legal person, by means of appropriate evidence and procedures, in accordance with national law
    • (b) remotely, using an electronic identification means, which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level 'high', or by means of the European Digital Identity Wallet
    • (c) by means of a certificate of a qualified electronic signature or of a qualified electronic seal
    • (d) by using other identification methods, which ensure that the natural person or the authorised representative of the legal person can be identified with a very high level of confidence. The assurance that this identification is performed with a very high level of confidence shall be confirmed by a conformity assessment body.
    • REQ-QERDS-5.2.1.1-01A The QERDSP shall verify the identity of the sender by appropriate means, either directly or by relying on a third party, on the basis of one of the following methods or on a combination thereof:
    • (a) through the physical presence of the natural person or of an authorised representative of the legal person, by means of appropriate evidence and procedures, in accordance with national law
    • (b) remotely, by means of the European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level 'substantial' provided that it has been issued based on prior physical presence of the natural person or of an authorised representative of the legal person
    • (c) by means of a certificate of an advanced electronic signature or of an advanced electronic seal, provided the certificate has been issued to the natural person or to an authorised representative of the legal person under Normalised Certificate Policy (NCP) as defined in ETSI EN 319 411-1 [2]
    • or
    • (d) by using other identification methods, which ensure that the natural person or the authorised representative of the legal person can be identified with a very high level of confidence. The assurance that this identification is performed with a high level of confidence shall be confirmed by a conformity assessment body.
    • NOTE The third party verifying the identity of the sender and the recipient may be another QERDSP if the sender and the recipient are subscribed to different QERDSPs.
    • (5) 5.2.1.2 Recipient identification and handover of user content
    • REQ-QERDS-5.2.1.2-03 If the identification of the recipient is based on a QERDS internal process, the QERDSP shall conduct the whole process in a secured and controlled environment.
    • (6) 5.2.2 Provisions for EU QERDS authentication
    • REQ-QERDS-5.2.2-03 [CONDITIONAL] When the QERDSP binds means of authentication to a sender identity verified as per clause 5.2.1, it shall be one of the following:
    • (a) two factor authentication mechanisms
    • (b) European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level 'high' or 'substantial'
    • (c) a mutual TLS authentication, which includes the certificate issued to the sender under NCP as defined in ETSI EN 319 411-1 [2]
    • (d) a digital signature supported by a certificate issued under NCP as defined in ETSI EN 319 411-1 [2]
    • (e) other means that ensure the authentication of the identified sender. The conformity of the binding shall be confirmed by a conformity assessment body. Example: This can include the use of one of the above means from letters (a), (b) and (d) to register a Transport Layer Security (TLS) client certificate for automated sending via mutual TLS, or to register a digital seal certificate used to seal assertions to authenticate with the ERDS. Other mechanisms where the identified senders are making use of delegated third-party services can also apply.
    • REQ-QERDS-5.2.2-03A [CONDITIONAL] When the QERDSP binds means of authentication to a recipient identity verified as per clause 5.2.1, it shall be one of the following, provided that the means, or any combination of means, ensure very high level of confidence regarding the identity of the authenticated recipient:
    • (a) a multi factor authentication mechanism
    • (b) European Digital Identity Wallet or a notified electronic identification means which meets the requirements set out in Article 8 of Regulation (EU) No 910/2014 [i.1] with regard to the assurance level 'high' or 'substantial'
    • (c) a certificate of a qualified electronic signature or of a qualified electronic seal
    • (d) other means that ensure the authentication of the identified recipient. The conformity of the binding shall be confirmed by a conformity assessment body. Example: This can include the use of one of the above means from letters (a) to (c) to register a Transport Layer Security (TLS) client certificate for automated sending via mutual TLS, or to register a digital seal certificate used to seal assertions to authenticate with the ERDS. Other mechanisms where the identified senders are making use of delegated third-party services can also apply.
    • REQ-QERDS-5.2.2-04 [CONDITIONAL] If the sender connects to the QERDS on a secured connection which requires machine-to-machine mutual authentication between the sender's machine and the QERDS's server based on certificates issued according to NCP as defined in ETSI EN 319 411-1 [2], then after this secure connection has been established, single factor authentication mechanisms may be adopted for a second phase of sender authentication if the organisational procedures and security measures put in place ensure confidence in the authentication of the sender.
    • (7) 5.4.1 Common provisions
    • REQ-ERDS-5.4.1-06 The ERDS shall generate and make available to legitimate interested parties ERDS evidence about ERD events as defined in clause 6 of ETSI EN 319 522-1 [3].
    • REQ-ERDS-5.4.1-07 The ERDSP shall archive the evidence and/or evidence digests for each evidence that it issued.
    • REQ-ERDS-5.4.1-08 The ERDS evidence generated by the ERDS shall comply with evidence semantic defined in clause 8 of ETSI EN 319 522-2 [4].
    • (8) 7.2.1 Common provisions
    • REQ-ERDS-7.2.1-02 The ERDSP's personnel in trusted roles shall be able to fulfil the requirement of 'expert knowledge, experience and qualifications' through formal training and credentials, or actual experience, or a combination of the two.
    • REQ-ERDS-7.2.1-03 Compliance with REQ-ERDS-7.2.1-02 shall include regular updates (at least every 12 months) on new threats and current security practices.
    • (9) 7.3.2 Media handling
    • REQ-ERDS-7.3.1-02 All requirements from ETSI EN 319 401 [1], clause 7.3.3 shall apply.
    • (10) 7.5 Cryptographic controls
    • REQ-ERDS-7.5-01A The ERDS shall select and use suitable cryptographic techniques in accordance with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA [5].
    • REQ-ERDSP-7.5-03 The ERDS signing private key shall be held and used within a secure cryptographic device which is a trustworthy system certified in accordance with:
    • (a) Common Criteria for Information Technology Security Evaluation, as set out in ISO/IEC 15408 [6] or in Common Criteria for Information Technology Security Evaluation, version CC:2002, Parts 1 through 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security, and certified to EAL 4 or higher
    • or
    • (b) the European Common Criteria-based cybersecurity certification scheme (EUCC) [7][8], and certified to EAL 4 or higher
    • or
    • (c) until 31.12.2030, FIPS PUB 140-3 [9] level 3.
    • This certification shall be to a security target or protection profile, or to a module design and security documentation, which meets the requirements of the present document, based on a risk analysis and taking into account physical and other non-technical security measures.
    • If the secure cryptographic device benefits from an EUCC [7][8] certification, then this device shall be configured and used in accordance with that certification.
    • (11) 7.8 Network security
    • REQ-ERDSP-7.8-04 The ERDSP shall use state-of-the-art protocols and algorithms for encryption on transport layer level in compliance with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA [5].
    • REQ-ERDSP-7.8-06 The vulnerability scan requested by REQ-7.8-13 of ETSI EN 319 401 [1] shall be performed at least once per quarter.
    • REQ-ERDSP-7.8-07 The penetration test requested by REQ-7.8-17X of ETSI EN 319 401 [1] shall be performed at least once per year.
    • REQ-ERDSP-7.8-08 Firewalls shall be configured to prevent all protocols and accesses not required for the operation of the TSP.
    • (12) 7.12 ERDSP termination and ERDS termination plans
    • REQ-ERDS-7.12-03 The ERDSP's termination plan shall comply with the requirements set out in the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014 [i.1].
    • (13) 7.14 Supply chain
    • REQ-ERDS-7.14-01 The requirements specified in ETSI EN 319 401 [1], clause 7.14 shall apply.

ANNEX II - List of reference standards and specifications referred to in Article 2

The standards ETSI EN 319 522-1 V1.2.1 (2024-01) ('ETSI EN 319 522-1'), ETSI EN 319 522-2 V1.2.1 (2024-01) ('ETSI EN 319 522-2'), ETSI EN 319 522-3 V1.2.1 (2024-01) ('ETSI EN 319 522-3'), ETSI EN 319 522-4-1 V1.2.1 (2019-01) ('ETSI EN 319 522-4-1'), ETSI EN 319 522-4-2 V1.1.1 (2018-09) ('ETSI EN 319 522-4-2') and ETSI EN 319 522-4-3 V1.1.1 (2018-09) ('ETSI EN 319 522-4-3') apply.