Preamble 71 to 78
(71) This Regulation provides for a harmonised level of quality, trustworthiness and security of qualified trust services, regardless of where the operations are conducted. Thus, a qualified trust service provider should be allowed to outsource its operations related to the provision of a qualified trust service in a third country, where that third country provides adequate guarantees, ensuring that supervisory activities and audits can be enforced as if they were carried out in the Union.
Where compliance with this Regulation cannot be fully assured, the supervisory bodies should be able to adopt proportionate and justified measures including the withdrawal of the qualified status of the trust service provided.
(72) To ensure legal certainty as regards the validity of advanced electronic signatures based on qualified certificates, it is essential that the assessment by the relying party carrying out the validation of that advanced electronic signature based on qualified certificates be specified.
(73) Trust service providers should use cryptographic methods reflecting current best practices and trustworthy implementations of those algorithms in order to ensure security and reliability of their trust services.
(74) This Regulation lays down an obligation for qualified trust service providers to verify the identity of a natural or legal person to whom the qualified certificate or the qualified electronic attestation of attribute is issued based on various harmonised methods across the Union.
To ensure that qualified certificates and qualified electronic attestations of attributes are issued to the person to whom they belong and that they attest the correct and unique set of data representing the identity of that person, qualified trust service providers issuing qualified certificates or issuing qualified electronic attestations of attributes should, at the moment of the issuance of those certificates and attestations, ensure with complete certainty the identification of that person.
Moreover, in addition to the mandatory verification of the identity of the person, if applicable for the issuance of qualified certificates and when issuing a qualified electronic attestation of attributes, qualified trust service providers should ensure with complete certainty the correctness and accuracy of the attested attributes of the person to whom the qualified certificate or the qualified electronic attestation of attributes is issued.
Those obligations of result and complete certainty in verifying the attested data should be supported by appropriate means, including by using one or, where required, a combination of specific methods provided for in this Regulation. It should be possible to combine those methods to provide an appropriate basis for the verification of the identity of the person to whom the qualified certificate or a qualified electronic attestation of attributes is issued.
It should be possible for such a combination to include reliance on electronic identification means which meet the requirements of assurance level substantial in combination with other means of identity verification. Such electronic identification would allow the fulfilment of the harmonised requirements set out in this Regulation as regards assurance level high as part of additional harmonised remote procedures, ensuring identification with a high level of confidence.
Those methods should include the possibility for the qualified trust service provider issuing a qualified electronic attestation of attributes to verify the attributes to be attested by electronic means at the request of the user, in accordance with Union or national law, including against authentic sources.
(75) To keep this Regulation in line with global developments and to follow the best practices on the internal market, the delegated and implementing acts adopted by the Commission should be reviewed and if necessary updated on a regular basis. The assessment of the necessity of those updates should take into account new technologies, practices, standards or technical specifications.
(76) Since the objectives of this Regulation, namely the development of the Union-wide European Digital Identity Framework and of a trust service framework, cannot be sufficiently achieved by the Member States but can rather, by reason of their scale and effects, be better achieved at Union level, the Union may adopt measures, in accordance with the principle of subsidiarity as set out in Article 5 of the Treaty on European Union. In accordance with the principle of proportionality as set out in that Article, this Regulation does not go beyond what is necessary in order to achieve those objectives.
(77) The European Data Protection Supervisor has been consulted pursuant to Article 42(1) of Regulation (EU) 2018/1725.
(78) Regulation (EU) No 910/2014 should therefore be amended accordingly,
HAVE ADOPTED THIS REGULATION:
Note: This is the final text of Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024, establishing the European Digital Identity Framework.