Commission Implementing Regulation (EU) 2025/2527 of 16 December 2025 laying down rules for the application of Regulation (EU) No 910/2014 of the European Parliament and of the Council as regards reference standards for qualified certificates for website authentication

Type: Implementing Regulation
Publication: 2025-12-16
State: In force
Department: European Commission, CNECT
Source: EUR-Lex

THE EUROPEAN COMMISSION,

Having regard to the Treaty on the Functioning of the European Union,

Having regard to Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (1), and in particular Article 45(2) thereof,

Whereas:

(1) Qualified certificates for website authentication are essential for ensuring trust and transparency in online interactions. They make it possible to authenticate a website and link the website to the natural or legal person to whom the certificate is issued. The Commission is to establish a list of reference standards for such certificates.

(2) The reference standards should allow for the implementation of different types of qualified certificates for website authentication for various use cases, including their use under Directive (EU) 2015/2366 of the European Parliament and of the Council (2). They should reflect established practices and be widely recognised within the relevant sectors. To enable innovation and accommodate diverse technical and operational needs, the reference standards should also allow for issuance of qualified certificates for website authentication in different ways, i.e. as standalone certificates, as certificates bound to other certificates, or in other configurations meeting the requirements of Regulation (EU) No 910/2014. Such flexibility regarding the issuance of qualified certificates for website authentication ensures that the certificates can be adapted to meet the needs of a wide range of use cases, which maintain trust and interoperability across Member States, while not affecting the freedom of providers of web-browsers to ensure web security, domain authentication and the encryption of web traffic in the manner and by the means of technology that they consider to be the most appropriate.

(3) With a view to ensuring sufficient time for the audit of qualified trust service providers as regards compliance with the requirements of this Regulation, this Regulation should apply from 12 months as of its entry into force.

(4) The Commission regularly assesses new technologies, practices, standards or technical specifications. In accordance with Recital 75 of Regulation (EU) 2024/1183 of the European Parliament and of the Council (3), the Commission should review and, if necessary, update this Regulation, to keep it in line with global developments, new technologies, practices, standards or technical specifications and to follow the best practices on the internal market.

(5) Regulation (EU) 2016/679 of the European Parliament and of the Council (4) and, where relevant, Directive 2002/58/EC of the European Parliament and of the Council (5) apply to the personal data processing activities under this Regulation.

(6) The European Data Protection Supervisor was consulted in accordance with Article 42(1) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (6) and delivered its opinion on 21 October 2025 (7).

(7) The measures provided for in this Regulation are in accordance with the opinion of the committee established by Article 48 of Regulation (EU) No 910/2014,

HAS ADOPTED THIS REGULATION:

Article 1

The reference standards referred to in Article 45(2) of Regulation (EU) No 910/2014 are set out in the Annex to this Regulation.

Article 2

This Regulation shall enter into force on the twentieth day following that of its publication in the Official Journal of the European Union.

It shall apply from 6 January 2027.

This Regulation shall be binding in its entirety and directly applicable in all Member States.

Done at Brussels, 16 December 2025.

For the Commission
The President
Ursula VON DER LEYEN

(1) OJ L 257, 28.8.2014, p. 73, ELI: http://data.europa.eu/eli/reg/2014/910/oj.

(2) Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, (OJ L 337, 23.12.2015, p. 35, ELI: http://data.europa.eu/eli/dir/2015/2366/oj).

(3) Regulation (EU) 2024/1183 of the European Parliament and of the Council of 11 April 2024 amending Regulation (EU) No 910/2014 as regards establishing the European Digital Identity Framework (OJ L, 2024/1183, 30.4.2024, ELI: http://data.europa.eu/eli/reg/2024/1183/oj).

(4) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1, ELI: http://data.europa.eu/eli/reg/2016/679/oj).

(5) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37, ELI: http://data.europa.eu/eli/dir/2002/58/oj).

(6) Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39, ELI: http://data.europa.eu/eli/reg/2018/1725/oj).

(7) EDPS Formal comments on the draft Implementing Regulation laying down rules for the application of Regulation (EU) No 910/2014 as regards reference standards for qualified certificates for website authentication.
