(fra kommisjonsforordningen)

(1) Pursuant to Articles 20(1) and 21(1) of Regulation (EU) No 910/2014, qualified trust service providers and the qualified trust services they provide are to be audited by conformity assessment bodies. The resulting conformity assessment reports confirm whether the requirements laid down in that Regulation and in Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council (2) are fulfilled. Consequently, it is necessary to establish a harmonised and robust framework for the accreditation of conformity assessment bodies, the conformity assessment schemes they implement, the conformity assessments they perform in accordance with those schemes, and the resulting conformity assessment reports.

(2) The accreditation of conformity assessment bodies assessing qualified trust service providers and the qualified trust services they provide, the conformity assessment report and the conformity assessment scheme should meet the requirements laid down in this Regulation. Conformity assessment bodies may satisfy these requirements either independently, by utilising composite certification or by subcontracting to duly accredited entities.

(3) Conformity assessment bodies accredited for assessing qualified trust service providers and the qualified trust services they provide as regards the issuance of qualified electronic attestations of attributes should be permitted to issue the conformity assessment report required by Article 45f(3) of Regulation (EU) No 910/2014.

(4) To contribute to the transparency of the accreditation process, the accreditation certificate issued to a conformity assessment body in accordance with Article 5 of Regulation (EC) No 765/2008 of the European Parliament and of the Council (3), should contain sufficient information to enable third parties to verify that the accredited conformity assessment body is authorised to conduct a conformity assessment under Regulation (EU) No 910/2014.

(5) To maintain the integrity and accuracy of accreditation certificates, national accreditation bodies should ensure that these certificates reflect up-to-date information.

(6) To ensure the integrity of the accreditation process, the accreditation certificate issued to a conformity assessment body may be subject to suspension or withdrawal at any time for each qualified trust service that the conformity assessment body has been accredited to assess. Suspension or withdrawal may occur after sanctioning by the national accreditation body or voluntarily by the conformity assessment body itself.

(7) For the purpose of harmonisation of this accreditation framework, this Regulation should be based on established standards, which reflect established practices and which are widely recognised within the relevant sectors.

(8) To enhance transparency, conformity assessment bodies should make the certificates of conformity that they issue publicly available. The certificates of conformity confirm the positive certification decisions taken by the conformity assessment bodies. However, the qualified status is only granted to, or withdrawn from, the trust service provider and the trust services they provide, by the supervisory body.

(9) To assess the compliance of qualified trust service providers and the qualified trust services they provide with Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555, conformity assessment bodies should use a conformity assessment scheme. Conformity assessment bodies should apply standards as benchmarks to assess qualified trust service providers and the qualified trust services they provide, taking into account the versions and adaptations to these standards set out in the service specific implementing acts based on Regulation (EU) No 910/2014. These standards should reflect established practices and be widely recognised within the relevant sectors.

(10) Conformity assessment schemes set out the rules and procedures to be used by conformity assessment bodies in their assessments of qualified trust service providers and of the qualified trust services that they provide. Such schemes are evaluated by national accreditation bodies against the requirements set out in this Regulation. The content of such schemes is subject to changes over time. To facilitate the application of successive versions of conformity assessment schemes, the accredited conformity assessment bodies should put in place a specific process to manage evolutions of a scheme for which they are accredited.

(11) To oversee the development and maintenance of the conformity assessment schemes, each conformity assessment scheme should be assigned a scheme owner. Conformity assessment bodies, governmental bodies or an authority, a trade association, a group of conformity assessment bodies, or any appropriate body or group of bodies could be a scheme owner and could be different from the conformity assessment body operating the scheme.

(12) To ensure the continuity of the provision of their services, the accreditation of conformity assessment bodies should remain valid for earlier versions of standards referenced in the conformity assessment scheme. In those instances, the conformity assessment bodies should refer to those earlier versions of the standards explicitly, including the year and version number.

(13) To enhance flexibility, national accreditation bodies should be permitted to offer flexible scope accreditation, enabling conformity assessment bodies, in specific circumstances, to include additional activities in their scope of accreditation without the need for an evaluation by the national accreditation body. When designing the flexible scope accreditation, national accreditation bodies will consider the accreditation of flexible scopes as set out by European cooperation for Accreditation, appointed in accordance with Regulation (EC) No 765/2008. Where national accreditation bodies allow conformity assessment bodies to make use of such flexible scope accreditation, they should indicate it in the accreditation certificate for transparency purposes. To enhance flexibility even where national accreditation bodies do not offer flexible scope accreditation, they should carefully consider, before re-evaluating the accredited conformity assessment body, the impact of the changes to the conformity assessment scheme for which that body has been accredited.

(14) To ensure reliability of the conformity assessment schemes, owners should ensure that their conformity assessment schemes do not allow positive certification decisions, or any certificate of conformity, to be issued where the conformity assessment leads to the identification of any non-conformity with the requirements of Regulation (EU) No 910/2014, or with Article 21 of Directive (EU) 2022/2555, with regard to qualified trust service providers and the qualified trust service they provide. Indeed, while conformity assessment reports could include non-conformities and potential remediation plans, no certificate of conformity or positive certification decision should be issued when non-conformities are identified.

(15) To ensure transparency in their practices, scheme owners should make publicly available a summary of their conformity assessment schemes. The summary should contain a description of the set of rules and procedures followed for the assessment of the conformity of qualified trust service providers and the qualified trust services they provide with the requirements laid down in Regulation (EU) No 910/2014 and with Article 21 of Directive (EU) 2022/2555.

(16) To support the quality, security and reliability of the qualified trust service provider’s activities, the conformity assessment report should identify, where appropriate, opportunities for improvement that could refine the manner in which the qualified trust service provider and the qualified trust services they provide meet the applicable requirements.

(17) To support transparency and to facilitate the verification by supervisory bodies that an assessed qualified trust service provider and the qualified trust services they provide meet the applicable requirements, the conformity assessment report should include certain minimum information. In particular, for the purpose of facilitating the identification of the service entries to be listed in the national trusted list in accordance with Article 22 of Regulation (EU) No 910/2014, where applicable, a detailed description of the public key infrastructure functional hierarchy, per type of qualified trust service, should be provided in the conformity assessment report.

(18) To support transparency and facilitate the verification and monitoring of accreditation of conformity assessment bodies in accordance with Regulation (EU) No 910/2014, national accreditation bodies should, where applicable, provide an history of the scope of accreditation, including the start and, where applicable, the end date of the accreditation for each qualified trust service.

(19) To ensure continuity of conformity assessment bodies that have already been accredited, and to support the transition to the rules laid down in this Regulation, conformity assessment bodies that are currently accredited under standard ETSI EN 319 403 version 2.2.2, or an earlier version thereof, would not need to be re-accredited under Regulation (EU) No 910/2014 until 17 May 2027. After this date, the conformity assessment bodies should be evaluated by the national accreditation body against the requirements set out in this Regulation.

(20) The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (4), the Commission should review and update this Implementing Regulation, if necessary, to keep it in line with global developments, new technologies, standards or technical specifications and to follow the best practices on the internal market.

(21) Regulation (EU) 2016/679 of the European Parliament and of the Council (5) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (6) apply to the personal data processing activities under this Regulation.

(22) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) and delivered its opinion on 8 August 2025 (8).

(23) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,