Commission Implementing Regulation (EU) 2025/1571 of 29 July 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards the formats and procedures for annual reports by supervisory bodies

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 46a(7) and Article 46b(7) thereof,

Whereas:

(1) Supervisory bodies for the European Digital Identity Wallets designated pursuant to Article 46a(1) of Regulation (EU) No 910/2014 and supervisory bodies for trust services designated pursuant to Article 46b(1) of that Regulation (‘supervisory bodies’) are to provide relevant information on their supervisory activities to the Commission pursuant to Article 46a(6) and Article 46b(6) of that Regulation.

(2) To establish a transparent and reliable source of information regarding the supervisory activities of the supervisory bodies, to ensure that data exchanges with the Commission are secure and verifiable, and to reduce administrative complexity, supervisory bodies should submit the annual reports in a specified format which is machine-readable and suitable for automated processing.

(3) To facilitate the exchange of good practices between supervisory bodies and to ensure consistent and efficient supervision in all Member States, it is essential that the annual reports of supervisory bodies contain comprehensive and relevant information. In particular, supervisory bodies should report on their activities entailing elements that could enhance cooperation, including, among others, details on conducted and intended supervisory activities, identified challenges, inspections, any significant security breach or loss of integrity notifications made by the supervisory body to the competent authorities of the Member State concerned pursuant to Directive (EU) 2022/2555 of the European Parliament and of the Council (2), and assistance among supervisory bodies pursuant to Articles 46c and 46d of Regulation (EU) No 910/2014. Moreover, since this information in the annual reports is to be made available to the European Parliament and the Council pursuant to Articles 46a(6) and 46b(6) of Regulation (EU) No 910/2014, the information to be provided would serve the purpose of transparency and accessibility of information. Therefore, all supervisory bodies should submit the information as set out in Annexes I and II to this Regulation.

(4) Regulation (EU) 2016/679 of the European Parliament and of the Council (3) and, where relevant, Regulation (EU) 2018/1725 of the European Parliament and of the Council (4) and Directive 2002/58/EC of the European Parliament and of the Council (5) apply to all personal data processing activities under this Regulation.

(5) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 and delivered its opinion on 28 May 2025.

(6) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

Format and procedures of annual reports

Article 2

Entry into force

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 29 July 2025.

For the Commission The President Ursula VON DER LEYEN

(1) OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2) Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (OJ L 333, 27.12.2022, p. 80, ELI: http://data.europa.eu/eli/dir/2022/2555/oj).

(3) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(4) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(5) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).