Article 1, Amendments to Regulation (EU) No 910/2014
Regulation (EU) No 910/2014 is amended as follows:
Articles 17 and 18 are deleted; the following article is inserted in Chapter III, Section 2
‘Article 19a, Requirements for non-qualified trust service providers
1. A non-qualified trust service provider providing non-qualified trust services shall:
(a) have appropriate policies and take corresponding measures to manage legal, business, operational and other direct or indirect risks to the provision of the non-qualified trust service, which shall, notwithstanding Article 21 of Directive (EU) 2022/2555, include at least measures relating to:
(i) registration and onboarding procedures for a trust service;
(ii) procedural or administrative checks needed to provide trust services;
(iii) the management and implementation of trust services;
(b) notifying the supervisory body, the identifiable affected individuals, the public if it is of public interest and, where applicable, other relevant competent authorities, of any security breaches or disruptions in the provision of the service or the implementation of the measures referred to in point (a) (i), (ii) or (iii), that have a significant impact on the trust service provided or on the personal data maintained therein, without undue delay and in any case no later than 24 hours of having become aware of any security breaches or disruptions.
2. By 21 May 2025, the Commission shall, by means of implementing acts, establish a list of reference standards and, where necessary, establish specifications and procedures for paragraph 1, point (a), of this Article. Compliance with the requirements laid down in this Article shall be presumed where those standards, specifications and procedures are met. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).’;
Note: This is the final text of Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, establishing the European Digital Identity Framework.