Skip to main content

eIDAS - Qualified trust service providers

Commission Implementing Regulation (EU) 2025/2530 establishes detailed rules under Regulation (EU) No 910/2014. This regulation aims to ensure consistent standards across EU Member States, enhancing trust and interoperability within the European Digital Identity ecosystem.

An electronic edition of the same is available here.

Article 1: Notifications to the supervisory body

  1. In notifications referred to in Article 24(2), point (a), of Regulation (EU) No 910/2014, qualified trust service providers shall cover at least significant changes to all of the following elements:

    (a) the service descriptions, policies, practice statements or associated terms and conditions;

    (b) the technical architecture of the qualified trust services, or any trustworthy systems or products referred to in Article 24(2), points (e) and (f), of Regulation (EU) No 910/2014;

    (c) the hosting of any technical components required for the provision of the qualified trust services, or the technical services pertaining to these technical components;

    (d) the use of cryptographic techniques or cryptographic materials in the provision of the qualified trust services;

    (e) the registration and identification procedures;

    (f) the organisational structure or governance of the trust service provider;

    (g) the termination plan;

    (h) financial resources and liability insurance referred to in Article 24(2), point (c) of Regulation (EU) No 910/2014;

    (i) elements with an impact on the content of the corresponding national trusted list;

    (j) third parties involved in the provision of the qualified trust services, including subcontractors or service providers, or to contractual terms with these third parties.

  2. Notifications referred to in paragraph 1 shall include:

    (a) description of the change;

    (b) planned date and time of the change;

    (c) reasons for the change and, where applicable, evidence for the reasons;

    (d) where applicable, updated documents.

Article 2: Risk management framework

The requirements laid down in Article 2, Article 3 and Article 4 of Commission Implementing Regulation 2025/2160 shall apply mutatis mutandis to qualified trust service providers with regard to the requirement to have a risk management framework laid down in Article 24(2), point (fa), of Regulation (EU) No 910/2014.

Article 3: Termination plan

  1. Qualified trust service providers shall establish a termination plan for each qualified trust service they provide, that establishes the necessary provisions for the effective and correct application of the termination of the service or parts thereof, for the purposes of ensuring continuity of the service and of providing evidence in legal proceedings, including how information is kept accessible in accordance with Article 24(2), point (h) of Regulation (EU) No 910/2014.

  2. Qualified trust service providers shall set up controls and procedures to ensure the availability for internal use of documented policies, practices, procedures, third party arrangements and any other documents required to ensure the effectiveness of the termination plan.

  3. Qualified trust service providers shall set up controls and procedures to ensure that their termination plan and any document associated with it are up to date.

  4. Qualified trust service providers shall review the termination plan, and any associated documents, at least every two years and as part of the implementation of any changes to the qualified trust service provider or to the qualified trust services it provides and update the termination plan accordingly.

  5. Qualified trust service providers shall manage the risks that are specific to the termination of the provision of their qualified trust services as part of the risk management framework referred to in Article 2.

  6. Qualified trust service providers shall ensure maintenance of sufficient financial resources or obtain appropriate insurance to cover the costs required to effectively execute the termination plan, including in case of unanticipated termination.

  7. Qualified trust service providers shall ensure that the termination plan specifies appropriate procedures and arrangements for at least the following:

    (a) the termination of the qualified trust services, including, where relevant, in relation to the decommissioning of any technical components or services used to provide the concerned qualified trust service;

    (b) a timely update of the related service entries as listed in the corresponding national trusted list;

    (c) the revocation of any existing and unrevoked qualified certificates issued by them before concluding the termination of the qualified trust service for the issuance of qualified certificates, unless all relevant obligations of the terminated qualified trust services are transferred to another qualified trust service provider in a manner that ensures that the qualified certificates and all related services continue to meet the requirements of Regulation (EU) No 910/2014 in an uninterrupted manner;

    (d) ensuring that after the termination of the provision of qualified trust services, no further qualified trust service output can be created or enabled through the use of the signature or seal creation data of the qualified trust service provider;

    (e) ensuring the accessibility and usability of all relevant records held by the qualified trust service provider;

    (f) addressing scenarios of anticipated, unanticipated, partial and complete termination;

    (g) ensuring that the interests of the subscribers of the terminated qualified trust services are safeguarded upon termination, including continued maintenance of information required for the subscribers to verify the legal validity of the outputs of the qualified trust services;

    (h) where applicable, specifying any arrangements made to allow provision of alternative qualified trust services by other qualified trust service providers for the purpose of minimising disruptions for the subscribers;

    (i) providing notices to parties known to the qualified trust service provider that will be directly or indirectly affected by the termination.

  8. The procedures and arrangements referred to in paragraph 7, point (e) shall ensure the accessibility and usability of the records necessary to:

    (a) provide evidence in relation to the compliance of the qualified trust services with Regulation (EU) No 910/2014 and Regulation (EU) 2016/679;

    (b) ensure continuity of the qualified trust services, as regards the signature or seal validation data of the qualified trust service provider and as regards enabling continued maintenance of information required to verify the correctness of previously created trust service outputs.

  9. Qualified trust service providers shall ensure that the termination plan and records associated with it include at least the following documentation:

    (a) procedures for the termination of qualified trust services;

    (b) procedures for and records of regular review of the termination plan referred to in paragraph 4;

    (c) audit reports relating to the termination plan;

    (d) termination arrangements with third parties involved in the provision of the qualified trust services that are to be terminated;

    (e) terms and conditions, practices and policy documents relating to the qualified trust services.

Article 4: Reference standards and specifications for qualified trust services

  1. In addition to the requirements set out in Article 1, Article 2 and Article 3, the reference standards and specifications referred to in Article 24(5) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.

  2. Where there are discrepancies between the reference standards and specifications established by the Implementing Regulations and as set out in the Annex to this Regulation and the requirements set out in Article 1, Article 2 and Article 3 of this Regulation, the requirements set out in Article 1, Article 2 and Article 3 of this Regulation shall prevail.

Article 5: Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 16 December 2025.

For the Commission

The President

Ursula VON DER LEYEN