Commission Implementing Regulation (EU) 2025/2160 of 27 October 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards, specifications and procedures for the management of risks in the provision of non-qualified trust services
The eIDAS Regulation: risk management procedures for non-qualified trust service providers
Commission regulation published in the Official Journal of the EU on 28.10.2025
Earlier
- Draft regulation presented by the Commission on 20.6.2025, with a feedback deadline of 18.7.2025
Background
(from the Commission regulation)
(1) Non-qualified trust service providers play an important role in the digital environment by providing trust services that facilitate secure electronic transactions. Regulation (EU) No 910/2014 places fewer regulatory requirements on non-qualified trust service providers than on qualified trust service providers. However, all trust service providers are subject to requirements on security and liability to ensure due diligence, transparency and accountability of their operations and services.
(2) Non-qualified trust service providers can be considered important or essential entities in accordance with Article 3 of Directive (EU) 2022/2555 of the European Parliament and of the Council (2). Thus, Commission Implementing Regulation (EU) 2024/2690 (3) laying down technical and methodological requirements of cybersecurity risk management measures applies to them. However, the scope of the requirements laid down in Article 19a(1), point (a), of Regulation (EU) No 910/2014 relates to the risk management procedures concerning legal, business, operational and other direct or indirect risks to the provision of non-qualified trust services. To complement the risk management framework set out in Implementing Regulation (EU) 2024/2690 and to enable a coherent approach to the management of all relevant types of risks, specifications and procedures concerning the management of those risks by non-qualified trust service providers should be laid down. Guidance provided by the European Union Agency for Cybersecurity (ENISA) or national competent authorities under Directive (EU) 2022/2555 can support non-qualified trust service providers in the design and implementation of appropriate risk management policies.
(3) The presumption of compliance laid down in Article 19a(2) of Regulation (EU) No 910/2014 should only apply where non-qualified trust service providers comply with the requirements set out in this Regulation. The reference standards referred to in the Annex should reflect established practices and be widely recognised within the relevant sectors. In order to ensure that non-qualified trust service providers manage legal, business, operational and other direct or indirect risks to the provision of the non-qualified trust service in accordance with Article 19a(1) of Regulation (EU) No 910/2014, non-qualified trust service providers should comply with the referenced elements of the standards as set out in the Annex and with the risk management requirements set out in this Regulation for the presumption of compliance.
(4) If a non-qualified trust service provider adheres to the requirements set out in this Implementing Regulation, supervisory bodies should presume compliance with the relevant requirements of Regulation (EU) No 910/2014. However, a non-qualified trust service provider may still rely on other practices to demonstrate compliance with the requirements of Regulation (EU) No 910/2014.
(5) To ensure that the identified risks are adequately addressed, the risk management policies followed by non-qualified trust service providers should include procedures for risk documentation and evaluation, as well as for the identification, selection and implementation of appropriate risk treatment measures. The implementation of risk treatment measures should be continuously monitored. As regards the information that non-qualified trust service providers record and retain as part of their risk treatment measures, non-qualified trust service providers should ensure the integrity and confidentiality of such data. Moreover, to enhance transparency and to support supervisory activities, non-qualified trust service providers should publish the identity verification methods they apply. As not all identified risks may be fully addressed through their avoidance, mitigation or transfer to other entities, any residual risks should be approved by the management bodies of non-qualified trust service providers. Criteria for the acceptance of residual risks should be justified in a comprehensible manner.
(6) The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (4), the Commission should review and, if necessary, update this Implementing Regulation, to keep it in line with global developments, new technologies, practices, standards or technical specifications and to follow the best practices on the internal market.
(7) Regulation (EU) 2016/679 of the European Parliament and of the Council (5) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (6) apply to the personal data processing activities under this Regulation.
(8) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (7) and delivered its opinion on 8 August 2025 (8).
(9) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,