Commission Implementing Regulation (EU) 2025/2527 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for qualified certificates for website authentication
The eIDAS Regulation: supplementary provisions on website authentication
Commission regulation published in the Official Journal of the European Union on 17 December 2025
Previously
- Draft regulation presented by the Commission on 4 September 2025 with a feedback deadline of 2 October 2025
Background
(from the Commission regulation)
(1) Qualified certificates for website authentication are essential for ensuring trust and transparency in online interactions. They make it possible to authenticate a website and link the website to the natural or legal person to whom the certificate is issued. The Commission is to establish a list of reference standards for such certificates.
(2) The reference standards should allow for the implementation of different types of qualified certificates for website authentication for various use cases, including their use under Directive (EU) 2015/2366 of the European Parliament and of the Council (2). They should reflect established practices and be widely recognised within the relevant sectors. To enable innovation and accommodate diverse technical and operational needs, the reference standards should also allow for issuance of qualified certificates for website authentication in different ways, i.e. as standalone certificates, as certificates bound to other certificates, or in other configurations meeting the requirements of Regulation (EU) No 910/2014. Such flexibility regarding the issuance of qualified certificates for website authentication ensures that the certificates can be adapted to meet the needs of a wide range of use cases, which maintain trust and interoperability across Member States, while not affecting the freedom of providers of web-browsers to ensure web security, domain authentication and the encryption of web traffic in the manner and by the means of technology that they consider to be the most appropriate.
(3) With a view to ensuring sufficient time for the audit of qualified trust service providers as regards compliance with the requirements of this Regulation, this Regulation should apply from 12 months as of its entry into force.
(4) The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (3), the Commission should review and, if necessary, update this Regulation, to keep it in line with global developments, new technologies, practices, standards or technical specifications and to follow the best practices on the internal market.
(5) Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (5) apply to the personal data processing activities under this Regulation.
(6) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) and delivered its opinion on 21 October 2025 (7).
(7) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,