eIDAS - Remote qualified electronic signature and seal creation devices
Article 1: Reference standards and specifications
The reference standards and specifications for the management of remote qualified electronic signature creation devices and of remote qualified electronic seal creation devices as qualified trust services referred to in Article 29a(2) and Article 39a of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.
Article 2: Entry into force and applicability
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall apply from 19 August 2027.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 29 July 2025.
For the Commission
The President
Ursula VON DER LEYEN
ANNEX - List of reference standards and specifications for the management of remote qualified electronic signature creation devices and of remote qualified electronic seal creation devices
The standard ETSI TS 119 431-1 V1.3.1 (2024-12) ('ETSI TS 119 431-1') applies for the purpose of assessing conformance with the EU Server Signing Application Service v2 Policy in compliance with Annex A of that standard, with the following adaptations:
2.1 Normative references; [1] ETSI EN 319 401 V3.1.1 (2024-06): 'Electronic Signatures and Trust Infrastructures (ESI); General Policy Requirements for Trust Service Providers'; [7] European Cybersecurity Certification Group, Sub-group on Cryptography: 'Agreed Cryptographic Mechanisms' published by the European Union Agency for Cybersecurity ('ENISA') (1).
6.1 Publication and repository responsibilities; OVR-6.1-04: The information identified in OVR-6.1-01 above shall be publicly and internationally available.
6.4.4 Personnel controls; OVR-6.4.4-02: SSASPs shall employ personnel in trusted roles and, if applicable, subcontractors in trusted roles, who possess the necessary expert knowledge, experience and qualifications through formal training and credentials, or experience, or a combination of the two.; OVR-6.4.4-03: Compliance with OVR-6.4.4-02 shall include regular (at least every 12 months) updates on new threats and current security practices.
6.4.9 SSASP service termination; OVR-6.4.9-02: The SSASP's termination plan shall comply with the implementing acts adopted pursuant to Article 24(5) of Regulation (EU) No 910/2014 [i.1].
6.5.5 Network security controls; OVR-6.5.5-02: The vulnerability scan requested by REQ-7.8-13 of ETSI EN 319 401 [1] shall be performed at least once per quarter.; OVR-6.5.5-03: Firewalls shall be configured to prevent all protocols and accesses not required for the operation of the TSP.
6.8.5 Cryptographic controls; OVR-6.8.5-01: Appropriate security controls shall be in place for the management of any cryptographic techniques of the SSASP throughout their lifecycle.; OVR-6.8.5-02: As regards OVR-6.8.5-01, the SSASP shall select and use suitable cryptographic techniques compliant with the Agreed Cryptographic Mechanisms endorsed by the European Cybersecurity Certification Group and published by ENISA [7].
Annex A, section A.3 General requirements; OVR-A.3-02 [EUSPv2]: The TSP's practice statement shall include the reference to the certification of the employed QSCD in accordance with the requirements of Regulation (EU) No 910/2014 [i.1], Annex II.