eIDAS - Risk management for non-qualified trust service providers
Commission Implementing Regulation (EU) 2025/2160 lays down detailed rules for the application of Regulation (EU) No 910/2014 (eIDAS) as regards the risk management obligations of non-qualified trust service providers under its Article 19a. It aims to ensure consistent standards across EU Member States, enhancing trust and interoperability within the European Digital Identity ecosystem.
Article 1: Reference standards
The reference standards referred to in Article 19a(2) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.
Article 2: Risk management policies
1. The risk management policies referred to in Article 19a(1) of Regulation (EU) No 910/2014 shall clearly identify the trust services they apply to, shall be specific to the trust services concerned and shall be approved by the management body of the non-qualified trust service provider.
2. The risk management policies shall include at least all the following elements:
(a) the overall risk tolerance level in accordance with the criticality and required level of security of the trust services, having regard to the latest technological developments;
(b) the relevant risk criteria, including at least the likelihood, impact and level of the risk, taking into account cyber threat intelligence and vulnerabilities;
(c) an approach for the identification and documentation of the risks to the provision of the trust services, taking into account the complete scope of the information system used by the non-qualified trust service provider, including risks associated with the components of the system as well as with any active or passive parties involved in the implementation of the system or in the provision of the trust services;
(d) a process for the evaluation of the identified risks based on the risk criteria referred to in point (b);
(e) a process for the identification, prioritisation and continuous monitoring of the implementation of appropriate risk treatment measures;
(f) a process for continuous monitoring of the implementation of the risk management policies.
3. Non-qualified trust service providers shall establish appropriate procedures and maintain documents to ensure that the requirements set out in the applicable legislation are implemented.
4. Non-qualified trust service providers shall establish appropriate documented procedures ensuring the monitoring of Union and national legislative and regulatory changes that may impact the provision of trust services.
Article 3: Identification, documentation and evaluation of risks
Non-qualified trust service providers shall identify, document and evaluate all risks referred to in Article 19a(1) of Regulation (EU) No 910/2014 in accordance with the risk management policies referred to in Article 2, and shall in particular:
(a) identify risks in relation to third parties;
(b) identify potential single points of failure in the provision of the trust services;
(c) evaluate the identified risks based on the risk criteria referred to in Article 2(2), point (b).
Article 4: Risk treatment measures
1. In accordance with the policies referred to in Article 2, non-qualified trust service providers shall plan, document and implement risk treatment measures, and shall, in particular, carry out the following tasks:
(a) identify and prioritise appropriate risk treatment measures;
(b) select, approve and document the chosen risk treatment measures, including their security requirements and operational procedures, in a risk treatment plan, identify who is responsible for implementing the risk treatment measures and when they are to be implemented;
(c) continuously monitor the implementation of the risk treatment measures.
2. The risk treatment plan set out in paragraph 1, point (b), shall provide reasons justifying the acceptance of residual risks in a comprehensible manner.
3. As part of the risk treatment measures referred to in paragraph 1, non-qualified trust service providers shall also:
(a) verify, where applicable, the identity of the users of the trust service directly or by means of a third party and publish information on the identity verification methods used;
(b) for the purposes of providing evidence in legal proceedings and of ensuring service continuity, record and securely retain for as long as necessary in accordance with Union or national laws, including after the activities of the non-qualified trust service provider have ceased, the following information:
all relevant information collected in the process of registration and onboarding of the trust service users, including, where applicable, the identity verification of the users,
authentication data assigned to the user of the trust service, where applicable, and
any change of the status of public key certificates or other cryptographic material used in the provision of the trust service;
(c) ensure, where applicable, that authentication data assigned to the user of the trust service are unique.
4. When identifying, selecting, approving and prioritising appropriate risk treatment measures, non-qualified trust service providers shall take into account the following elements:
(a) the results of the risk evaluation referred to in Article 3;
(b) the effectiveness of the risk treatment measures;
(c) conformity assessments;
(d) significant incidents;
(e) the cost of implementation in relation to the expected benefit;
(f) the applicable appropriate asset classification;
(g) the analysis of any business impact of the risks identified in accordance with Article 3.
5. The management bodies of non-qualified trust service providers shall approve the residual risks remaining after the implementation of the risk treatment measures as set out in the risk treatment plan.
6. Non-qualified trust service providers shall review, document and, where appropriate, update the risk evaluation results and the risk treatment plan at planned intervals, and at least annually, and when significant changes to the infrastructure, operations or risks, or significant incidents, occur.
7. Non-qualified trust service providers shall ensure the availability, integrity and confidentiality of the information referred to in paragraph 3, point (b).
Article 5: Entry into force
This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.
This Regulation shall be binding in its entirety and directly applicable in all Member States.
Done at Brussels, 27 October 2025.
For the Commission
The President
Ursula VON DER LEYEN
ANNEX - List of reference standards for non-qualified trust service providers
Requirements under the following clauses of the standard ETSI EN 319 401 V3.1.1 (2024-06): 'Electronic Signatures and Trust Infrastructures (ESI); General Policy Requirements for Trust Service Providers' shall apply:
Risk Assessment;
Policies and practices;
7.1 Internal organization;
7.2 Human resources;
7.3 Asset management;
7.4 Access control;
7.6 Physical and environmental security.