Legalize
Legalize / European Union / Implementing Regulation

Commission Implementing Regulation (EU) 2024/3210 of 18 December 2024 laying down rules for the application of Regulation (EU) 2023/956 of the European Parliament and of the Council as regards the CBAM registry

Type Implementing Regulation
Publication 2024-12-18
State In force
Department European Commission, TAXUD
Source EUR-Lex
Reform history JSON API

CHAPTER I

SUBJECT MATTER AND DEFINITIONS

Article 1

Subject matter

This Regulation lays down the rules concerning the infrastructure and specific processes and procedures of the CBAM registry.

Article 2

Definitions

For the purposes of this Regulation, the following definitions shall apply:

(1) ‘national component’ means a component of the electronic systems developed at national level, which is available in the Member State that created it;

(2) ‘trans-European system’ means a collection of collaborating systems with responsibilities distributed across the national administrations and the Commission, and developed in cooperation with the Commission;

(3) ‘applicant’ means an importer, or indirect customs representative, who applies for the status of authorised CBAM declarant.

CHAPTER II

CBAM REGISTRY

SECTION 1

CBAM registry

Article 3

Functions of the CBAM registry

Article 4

Structure of the CBAM registry

The CBAM registry shall consist of the following components:

(a) the CBAM Declarants Portal (CBAM DP);

(b) the CBAM National Competent Authorities Portal (CBAM NCA);

(c) the CBAM European Commission Portal (CBAM COM);

(d) the CBAM Operators Portal (CBAM Operator).

Article 5

Interoperability with customs systems

The CBAM registry shall be interoperable with the following systems:

(a) the Uniform User Management and Digital Signature (UUM & DS) system for users’ registration and access management referred to in Article 16 of Commission Implementing Regulation (EU) 2025/512 (1) for the Member States, the Commission, the authorised CBAM declarants, the applicants, the persons holding a revoked authorisation, and the persons delegated to act on behalf of and in the name of those persons;

(b) the Economic Operator Registration and Identification (EORI) system referred to in Article 30 of Implementing Regulation (EU) 2025/512 enabling the cross-checking of the EORI data set out in the Annex to this Regulation;

(c) the Surveillance system, developed through the UCC Surveillance 3 (SURV3) system referred to in Article 100 of Implementing Regulation (EU) 2025/512;

(d) the Integrated Tariff of the European Union (TARIC) referred to in Regulation (EEC) No 2658/87;

(e) the Customs Risk Management System (CRMS2) referred to in Article 36 of Implementing Regulation (EU) 2015/2447 and in Article 70 of Implementing Regulation (EU) 2025/512.

Article 6

Contact points for the electronic systems

The Commission and the national competent authorities shall designate contact points for each of the systems referred to in Articles 4 and 5 for exchanging information to ensure a coordinated development, operation, and maintenance of those components. The customs authorities shall also designate contact points for CBAM purposes. The competent authorities and customs authorities may use existing contact points.

The Commission and Member States shall communicate the details of the contact points to each other and shall inform each other immediately of any changes to those details.

Article 7

Terms of collaboration in the CBAM registry

The Commission shall propose the terms of collaboration, service level agreements and a security plan, which shall be subject to the agreement with the competent authorities. The Commission shall operate the CBAM registry in compliance with the terms of collaboration.

SECTION 2

Access management and portals

Article 8

CBAM User Access Management

Where the applicant, the authorised CBAM declarant, or the person for whom the status of authorised CBAM declarant was revoked, delegates access to the CBAM registry, thepersonshall be identified by the credentials used for the UUM & DS access management referred to in paragraphs 1 and 5.

That person may, at any time, ask to be deregistered from the CBAM registry. Upon such request, the competent authority of the Member State that granted access to the CBAM registry shall deactivate the access to the CBAM registry using the UUM & DS system.

Article 9

CBAM Declarants Portal

The CBAM Declarants Portal shall be used for the following actions:

(a) applications for the status of authorised CBAM declarant and for the revocation of that status;

(b) submissions of the CBAM declarations;

(c) notifications and communication related to CBAM obligations, including CBAM declaration management;

(d) using information provided by the CBAM Operators Portal.

Article 10

CBAM Operators Portal

The CBAM Operators Portal shall be used by operators, verifiers and independent persons in accordance with Articles 9, 10, and 10a of Regulation (EU) 2023/956, respectively, for the following actions:

(a) registering the information on that operator and on its installations;

(b) registering the information on the goods produced by an installation;

(c) registering the emission data and verification reports;

(ca) facilitating the verification and certification of the information registered by the operator, the verifier or the authorised CBAM declarant;

(cb) facilitating the exchange of information between the operator, the verifier, the independent person and the authorised CBAM declarant;

(d) receiving notifications and communication related to their registration and use of information in the CBAM registry.

The request for registration referred to in paragraph 4 shall contain the following information:

(a) the name and unique accreditation identification of the independent person;

(b) any scope of accreditation relevant for CBAM;

(c) the country of establishment of the independent person;

(d) the effective date of certification and expiry date of certification;

(e) any information on administrative measures imposed on the independent person relevant for CBAM;

(f) a copy of the accreditation certificate relevant for CBAM.

Article 11

CBAM National Competent Authorities Portal

Article 12

CBAM European Commission Portal

Article 13

Member States’ identity and access management systems

Member States shall set up a new UUM&DS identity and access management system or use their own existing customs UUM&DS for the following functions:

(a) secure registration and storage of identification data of authorised CBAM declarants, applicants and other persons having access to the CBAM registry;

(b) secure exchange of signed and encrypted identification data of authorised CBAM declarants, applicants and other persons having access to the CBAM registry.

SECTION 3

Functioning of the CBAM registry

Article 14

Development, testing, deployment and management of the CBAM registry

Article 15

Maintenance of the CBAM registry and changes thereto

Article 16

Temporary failure of the CBAM registry

Article 17

Training and support on the use and functioning of the CBAM registry

CHAPTER III

SECURITY OF THE CBAM REGISTRY AND DATA PROTECTION

Article 18

Personal data protection

The personal data registered in the CBAM registry, and the components of electronic systems developed at national level, shall be processed by the competent authorities and the Commission for the following purposes:

(a) authentication purposes and access management;

(b) application processing and management;

(c) submission and management of CBAM declarations;

(d) monitoring, checks and review of CBAM declarations;

(e) operator, verifier and independent person management;

(f) CBAM certificates management;

(g) communication and notifications;

(h) for ensuring compliance;

(i) functioning of the IT infrastructure, including interoperability with national systems and trans-European decentralised systems under this Regulation;

(j) statistics and review of the functioning of Regulation (EU) 2023/956;

(k) risk analysis and circumvention monitoring;

(l) verification that the importation of goods and the re-export of goods, in the cases provided for in Article 2(2) of Regulation (EU) 2023/956 is performed by an authorised CBAM declarant.

Article 19

Specific role of the Commission and the competent authorities

The Commission shall be the controller for:

(a) the processing of personal data for the access management for the Commission Portal in accordance with Article 12 of this Regulation;

(b) the processing of personal data registered in the CBAM Operators Portal;

(c) the use, validation and retrieving of EORI or other data for the purpose of the risk analysis and circumvention monitoring as provided for in Articles 15, and 27 of Regulation (EU) 2023/956.

The competent authority shall be the controller for:

(a) the personal data processing to take decisions on the granting and revocation of authorisations of CBAM declarants in accordance with Regulation (EU) 2023/956;

(b) the personal data processing to take decisions regarding penalties in accordance with Article 26 of Regulation (EU) 2023/956;

(c) the processing of personal data for the access management of the authorised CBAM declarants, applicants, persons for whom the status of authorised CBAM declarants was revoked, and persons delegated to act on behalf of and in the name of those persons, established within their Member State in accordance with Articles 8, 11 and 13 of this Regulation;

(d) the processing of personal data of accredited verifiers.

The competent authority and the Commission shall be joint controllers for:

(a) management of the CBAM registry;

(b) the personal data processing for the management of CBAM declarations in accordance with Regulation (EU) 2023/956;

(c) the personal data processing for the CBAM certificates management in accordance with Regulation (EU) 2023/956;

(d) the personal data processing for the monitoring of the single mass-based threshold in accordance with Article 2a of Regulation (EU) 2023/956.

Article 20

Responsibility of the controllers towards data subjects

Where a controller receives a data subject request that does not fall under its responsibility in accordance with Article 19, it shall forward that request promptly and at the latest within 3 working days from the receipt to the responsible controller.

Article 21

Limitation of data access, data processing and confidentiality

The authorised CBAM declarants, applicants, persons for whom the status of authorised CBAM declarants was revoked, and persons delegated to act on behalf of and in the name of those persons may access their personal data registered in the CBAM registry after their registration in the registry.

The Commission and the competent authorities may access and otherwise process the data from the EORI system, in accordance with Articles 15, 19 and 27 of Regulation (EU) 2023/956.

Article 22

System security

The technical measures and organisational measures referred to in paragraphs 1 and 2 of this Article shall be designed to:

(a) ensure the security, integrity, confidentiality, availability and continuity of the personal data processed;

(b) protect against any unauthorised or unlawful processing, alteration, loss, use, disclosure of, or access to any personal data in their possession;

(c) restrict disclosure or access to personal data to anyone other than the intended recipients in accordance with this Regulation and Regulation (EU) 2023/956.

Article 23

Data retention period

The date of registration of the personal data referred to in the first subparagraph shall be the earliest of the following dates:

(a) the competent authority refuses to grant the status of authorised CBAM declarant;

(b) the status of authorised CBAM declarant is revoked;

(c) an operator, verifier, independent person or the person delegated to act on behalf of and in the name of those persons was deregistered from the CBAM registry.

CHAPTER IV

FINAL PROVISIONS

Article 24

Entry into force and application

This Regulation shall enter into force on the day following that of its publication in the Official Journal of the European Union.

It shall apply from 31 December 2024.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

ANNEX

Customer Identification
EORI country + EORI national number
EORI country
EORI start date
EORI expiry date
Customs Customer Information
EORI short name
EORI full name
EORI language
EORI establishment date
EORI person type
EORI economic activity
List of EORI establishment addresses
Establishment addresses
EORI address
EORI language
EORI name
Establishment in Union
Facility address
EORI address start date
EORI address end date
VAT or TIN numbers
‘VAT’ or ‘TIN’
EORI legal status
EORI legal status language
EORI legal status
EORI legal status begin date & end date
Contact list
Contact
EORI contact address
EORI contact language
EORI contact full name
EORI contact name
Publication agreement flag
Address fields description
Street and number
Postcode
City
Country code
List of communication details
Communication type

Reading this document does not replace reading the official text published in the Official Journal of the European Union. We assume no responsibility for any inaccuracies arising from the conversion of the original to this format.