(fra kommisjonsforordningen)

(1) Qualified trust service providers play a crucial role in ensuring secure and reliable digital interactions by delivering qualified trust services in compliance with Regulation (EU) No 910/2014.

(2) The presumption of compliance laid down in Article 24(5) of Regulation (EU) No 910/2014 should only apply where qualified trust services comply with the requirements, reference standards and specifications set out in this Regulation. These requirements, reference standards and specifications should reflect established practices and be widely recognised within the relevant sectors. The reference standards should be adapted to include additional controls ensuring the security and trustworthiness of the qualified trust service and of the qualified trust service providers providing that service.

(3) If a trust service provider adheres to the requirements, reference standards and specifications set out in this Regulation, supervisory bodies should presume compliance with the relevant requirements of Regulation (EU) No 910/2014 and duly consider such presumption for granting or confirming the qualified status of the trust service. However, a qualified trust service provider may still rely on other practices to demonstrate compliance with the requirements of Regulation (EU) No 910/2014.

(4) The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (2), the Commission should review and, if necessary, update this Implementing Regulation, to keep it in line with global developments, new technologies, practices, standards or technical specifications and to follow the best practices on the internal market.

(5) Qualified trust service providers are to notify supervisory bodies prior to making any changes to the provision of their qualified trust services. These notifications should enable supervisory bodies to require qualified trust service providers to take appropriate measures mitigating potential negative impacts of the notified changes as regards the fulfilment of the requirements of Regulation (EU) No 910/2014 and as regards the grant of the qualified status. To provide clarity and guidance to qualified trust service providers regarding the changes that are to be notified to supervisory bodies, this Regulation should include a non-exhaustive list of such changes.

(6) Notwithstanding Article 21 of Directive (EU) 2022/2555 of the European Parliament and of the Council (3), Article 24(2) of Regulation (EU) No 910/2014 provides for additional requirements as regards to the risk management procedures concerning legal, business, operational and other direct or indirect risks to the provision of the qualified trust service, which are not addressed by Commission Implementing Regulation (EU) 2024/2690 (4). To ensure that qualified trust service providers structurally and systematically evaluate and document these risks to the reliability of their qualified trust services, they should implement a risk management framework tailored to the qualified trust services they provide. To ensure consistency of risk management policies implemented by non-qualified trust service providers and qualified trust service providers, that framework should comply with the requirements set out in Commission Implementing Regulation (EU) 2025/2160 (5).

(7) Continuity of qualified trust services, or appropriate termination of qualified trust services where their continuity cannot be ensured, is a critical element to support the trustworthiness of qualified trust services. Sufficiently detailed termination plans are an important tool for ensuring that the outputs of qualified trust services can be relied upon by subscribers and relying parties in case of termination of qualified trust services. The termination plans should cover both the anticipated termination of a qualified trust service, such as the sale of a qualified trust service to another qualified trust service provider and unanticipated termination, such as bankruptcy or other cases of insolvency. The termination plans should contain appropriate provisions to ensure that the effects of termination can be managed without any negative impact on the validity or value of the outputs generated by the qualified trust service prior to its termination. Moreover, the termination plans should ensure that no new outputs can be obtained from a terminated qualified trust service which no longer meets the relevant requirements for qualified trust services or qualified trust service providers set out in Regulation (EU) No 910/2014. Qualified trust service providers should keep the termination plans up to date and should analyse the impact of any changes to the qualified trust service provider or to the qualified trust services it provides, such as changes of name, mergers, acquisitions, bankruptcies, receivership, forced administration, or technical changes, on the termination plans before implementing those changes.

(8) The Commission has adopted Implementing Regulations referencing technical standards and specifications applicable to qualified trust services. Those Implementing Regulations, referred to in the Annex to this Regulation, specify how the requirements for qualified trust service providers set out in Article 24(2) of Regulation (EU) No 910/2014 are to be applied and interpreted considering the specific aspects of those qualified trust services. For the presumption of compliance laid down in Article 24(5) of Regulation (EU) No 910/2014 to apply to the qualified service provider, all requirements referenced by the Annex should be implemented as applicable to the specific qualified trust service.

(9) Regulation (EU) 2016/679 of the European Parliament and of the Council (6) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (7) apply to the personal data processing activities under this Regulation.

(10) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (8) and delivered its opinion on 21 October 2025 (9).

(11) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,