Skip to main content

eIDAS - Qualified electronic archiving services

Commission Implementing Regulation (EU) 2025/2532 establishes detailed rules under Regulation (EU) No 910/2014. This regulation sets out requirements for qualified electronic archiving services for long-term data preservation within the European Digital Identity ecosystem.

An electronic edition of the same is available here.

Article 1: Electronic archiving of documents bearing a qualified electronic signature or a qualified electronic seal

  1. When archiving electronic data or electronic documents that contain qualified electronic signatures or qualified electronic seals, providers of qualified electronic archiving services shall ensure that the trustworthiness of those qualified electronic signatures or qualified electronic seals is maintained, including beyond their technological validity period, and that the integrity and the accuracy of the origin of the qualified electronic signatures and seals is maintained, at least until the end of the legal or contractual preservation period.

  2. For the purposes of paragraph 1, providers of qualified electronic archiving services may rely on a qualified preservation service for qualified electronic signatures or on a qualified preservation service for qualified electronic seals.

Article 2: Reference standards and specifications for the provision of qualified electronic archiving services

The reference standards and specifications referred to in Article 45j(2) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.

Article 3: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 16 December 2025.

For the Commission

The President

Ursula VON DER LEYEN

ANNEX - List of reference standards and specifications for qualified electronic archiving services

CEN/TS 18170:2025 ('CEN/TS 18170') applies with the following adaptations:

(a) Normative references (clause 2)

  • ETSI EN 319 401 V3.1.1 (2024-06), Electronic Signatures and Trust Infrastructures (ESI); General Policy Requirements for Trust Service Providers
  • ETSI EN 319 421 V1.3.1 (2025-07), Electronic Signatures and Infrastructures (ESI); Policy and Security Requirements for Trust Service Providers issuing Time-Stamps
  • ISO 14721:2025, Space Data System Practices -- Reference model for an open archival information system (OAIS)
  • ACM-ECCG, European Cybersecurity Certification Group, Sub-group on Cryptography: 'Agreed Cryptographic Mechanisms' published by the European Union Agency for Cybersecurity ('ENISA')
  • CIR (EU) 2024/482, Commission Implementing Regulation (EU) 2024/482 (1)
  • CIR (EU) 2024/3144, Commission Implementing Regulation (EU) 2024/3144 (2)
  • ISO/IEC 15408:2022 (parts 1 to 5), 'Information security, cybersecurity and privacy protection -- Evaluation criteria for IT security'
  • FIPS PUB 140-3 (2019), 'Security Requirements for Cryptographic Modules'

(b) Policy and practice statement (clause 6.1)

  • The requirements of CEN/TS 18170, clause 6.1 shall apply.
  • The requirements of ETSI EN 319 401, clause 5 shall apply.
  • The EATSP shall establish procedures to notify the supervisory body of any changes in the provision of the electronic archiving trust service and on the intention to cease those activities, in accordance with business requirements and relevant laws and regulations, including in accordance with the requirements of the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014 [i.2].
  • The EATSP shall notify the competent supervisory body at least:
    • one month before implementing any change;
    • three months before the planned cessation of a trust service provision.

(c) Terms and Conditions (clause 6.2)

  • The requirements of CEN/TS 18170, clause 6.2 shall apply.
  • Subscribers and parties relying on the electronic archiving trust service shall be informed, in a clear, comprehensive and easily accessible manner, in a publicly accessible space and individually, of precise terms and conditions, before entering into a contractual relationship.

(d) Human resources (clause 7.3)

  • The requirements of CEN/TS 18170, clause 7.3 shall apply.
  • EATSP's personnel in trusted roles, and if applicable its subcontractors in trusted roles, shall be able to fulfil the requirement of 'expert knowledge, experience and qualifications' through formal training and credentials, or actual experience, or a combination of the two. This shall include regular updates (at least every 12 months) on new threats and current security practices.

(e) Cryptographic controls and monitoring (clause 7.6)

  • The archiving system must guarantee the confidentiality of data and documents through the lifecycle of the archive from its deposit to its elimination.
  • The requirements specified in ETSI EN 319 401, sub-clause 7.5 "Cryptographic controls" shall apply.
  • The origin of the data to be archived in the electronic archiving system shall be established by the EATSP. If they use electronic signatures or electronic seals to do so, those electronic signatures or electronic seals shall be qualified.
  • When EATSP digitally signs (part of) a digital object or record, the EATSP private signing key shall be held and used within either a qualified electronic signature or seal creation device or a secure cryptographic device which is a trustworthy system certified in accordance with:
    • (a) Common Criteria for Information Technology Security Evaluation, as set out in ISO/IEC 15408 or in Common Criteria for Information Technology Security Evaluation, version CC:2022, Parts 1 through 5, published by the participants of the Arrangement on the Recognition of Common Criteria Certificates in the field of IT Security, and certified to EAL 4 or higher; or
    • (b) the European Common Criteria-based cybersecurity certification scheme (CIR (EU) 2024/482, CIR (EU) 2024/3144) and certified to EAL 4 or higher; or
    • (c) until 31.12.2030, FIPS PUB 140-3 level 3.
  • This certification shall be to a security target or protection profile, or to a module design and security documentation, which meets the requirements of the present document, based on a risk analysis and taking into account physical and other non-technical security measures.
  • If the secure cryptographic device benefits from an EUCC certification (CIR (EU) 2024/482, CIR (EU) 2024/3144), then this device shall be configured and used in accordance with that certification.
  • The EATSP shall monitor the strength of cryptographic algorithm that was and are used. In case, one of the used algorithms or parameters is thought to become not suitable as defined in the risk management, the EATSP shall either update the related archiving policy or create a new archiving profile to handle the AIPs and define and perform appropriate measures.
  • The evaluation of the cryptographic algorithms and their use by the EATSP shall be compliant with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA (ACM-ECCG).
  • Technical components of the EATS shall authenticate each other based on cryptographic techniques before communicating.

(f) Network (clause 7.9)

  • The requirements specified in ETSI EN 319 401, sub-clause 7.8 "Network security" shall apply.
  • The vulnerability scan requested by REQ-7.8-13 of ETSI EN 319 401 shall be performed at least once per quarter.
  • The penetration test requested by REQ-7.8-17X of ETSI EN 319 401 shall be performed at least once per year.
  • Firewalls shall be configured to prevent all protocols and accesses not required for the operation of the EATSP.

(g) Collection of evidence (clause 7.11)

  • The requirements specified in ETSI EN 319 401, sub-clause 7.10 "Collection of evidence" shall apply, including for critical and non-critical events (see subclause 13.2).

(h) EATSP termination and termination plan (clause 7.13)

  • The requirements of CEN/TS 18170, clause 7.13 shall apply.
  • The EATSP's termination plan shall comply with the requirements set out in the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014.

(i) Reliable time of events (clause 13.3.1)

  • The requirements of CEN/TS 18170, clause 13.3.1 shall apply.
  • When using timestamps the EATSP shall use a qualified timestamp.

(1) Commission Implementing Regulation (EU) 2024/482 of 31 January 2024 laying down rules for the application of Regulation (EU) 2019/881 of the European Parliament and of the Council as regards the adoption of the European Common Criteria-based cybersecurity certification scheme (EUCC) (OJ L, 2024/482, 7.2.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/482/oj).

(2) Commission Implementing Regulation (EU) 2024/3144 of 18 December 2024 amending Implementing Regulation (EU) 2024/482 as regards applicable international standards and correcting that Implementing Regulation (OJ L, 2024/3144, 19.12.2024, ELI: http://data.europa.eu/eli/reg_impl/2024/3144/oj).