Article 29-32, Amendments to Regulation (EU) No 910/2014
Regulation (EU) No 910/2014 is amended as follows:
In Article 29, the following paragraph is inserted:
‘1a. Generating or managing electronic signature creation data or duplicating such signature creation data for back-up purposes shall be carried out only on behalf of the signatory, at the request of the signatory, and by a qualified trust service provider providing a qualified trust service for the management of a remote qualified electronic signature creation device.’;
The following article is inserted:
‘Article 29a, Requirements for a qualified service for the management of remote qualified electronic signature creation devices
1. The management of remote qualified electronic signature creation devices as a qualified service shall be carried out only by a qualified trust service provider that:
(a) generates or manages electronic signature creation data on behalf of the signatory;
(b) notwithstanding point (1)(d) of Annex II, duplicates the electronic signature creation data for back-up purposes only, provided that the following requirements are met:
(i) the security of the duplicated datasets must be at the same level as for the original datasets;
(ii) the number of duplicated datasets must not exceed the minimum needed to ensure continuity of the service;
(c) complies with any requirements identified in the certification report of the specific remote qualified electronic signature creation device issued pursuant to Article 30.
2. By 21 May 2025, the Commission shall, by means of implementing acts, establish a list of reference standards and, where necessary, specifications and procedures for the purposes of paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).’;
In Article 30, the following paragraph is inserted:
‘3a. The validity of a certification referred to in paragraph 1 shall not exceed five years, provided that vulnerabilities assessments are carried out every two years. Where vulnerabilities are identified and not remedied, the certification shall be cancelled.’;
In Article 31, paragraph 3 is replaced by the following:
‘3. By 21 May 2025, the Commission shall, by means of implementing acts, establish the formats and procedures applicable for the purpose of paragraph 1 of this Article. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).’;
Article 32 is amended as follows:
(a) in paragraph 1, the following subparagraph is added:
‘Compliance with the requirements laid down in the first subparagraph of this paragraph shall be presumed where the validation of qualified electronic signatures complies with the standards, specifications and procedures referred to in paragraph 3.’;
(b) paragraph 3 is replaced by the following:
‘3. By 21 May 2025, the Commission shall, by means of implementing acts, establish a list of reference standards and, where necessary, establish specifications and procedures for the validation of qualified electronic signatures. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).’;
The following article is inserted:
‘Article 32a, Requirements for the validation of advanced electronic signatures based on qualified certificates
1. The process for the validation of an advanced electronic signature based on a qualified certificate shall confirm the validity of an advanced electronic signature based on a qualified certificate, provided that:
(a) the certificate that supports the signature was, at the time of signing, a qualified certificate for electronic signature complying with Annex I;
(b) the qualified certificate was issued by a qualified trust service provider and was valid at the time of signing;
(c) the signature validation data corresponds to the data provided to the relying party;
(d) the unique set of data representing the signatory in the certificate is correctly provided to the relying party;
(e) the use of any pseudonym is clearly indicated to the relying party if a pseudonym was used at the time of signing;
(f) the integrity of the signed data has not been compromised;
(g) the requirements provided for in Article 26 were met at the time of signing.
2. The system used for validating the advanced electronic signature based on qualified certificate shall provide to the relying party the correct result of the validation process and shall allow the relying party to detect any security relevant issues.
3. By 21 May 2025, the Commission shall, by means of implementing acts, establish a list of reference standards and, where necessary, establish specifications and procedures for the validation of advanced electronic signatures based on qualified certificates. Compliance with the requirements laid down in paragraph 1 of this Article shall be presumed where the validation of advanced electronic signature based on qualified certificates complies with those standards, specifications and procedures. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).’;
Note: This is the final text of Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, establishing the European Digital Identity Framework.