Bitkom underlines the need for substantial improvements across several draft Implementing Acts under the eIDAS Regulation (EU) No. 2024/1183. Regarding the accreditation of conformity assessment bodies, Bitkom calls for clearer roles and responsibilities, consistent terminology, and proportionate, flexible procedures aligned with eIDAS and ETSI standards to avoid confusion and implementation delays. On the draft Act concerning risk management for non-qualified trust service providers, Bitkom stresses the importance of removing redundancies, clarifying provisions on user risk communication, identity verification and data retention, as well as ensuring harmonization with security standards and granting sufficient transition time. Finally, Bitkom highlights the need to extend the deadline for entry into force from six to twelve months, to give providers and supervisory bodies the necessary time to adapt without jeopardizing trust or existing infrastructures.
Batch 5
Requirements for Qualified Trust Service Providers (QTSPs): Practicable and proportionate requirements for qualified trust service providers are necessary to ensure legal certainty and efficient processes. Excessive reporting obligations and unclear regulations should be avoided. A transition period of at least twelve months should allow for adjustments to procedures and systems.
Qualified Website Authentication Certificates (QWACs): Certificates used in payment services outside the browser context should be explicitly included to ensure the continuity and legal certainty of existing PSD2 QWACs. In addition, Certificate Transparency should be introduced once a European infrastructure and corresponding standards are in place, in order to strengthen the trust and stability of Europe’s payment and trust infrastructure.
Qualified Electronic Archiving Services: A clear distinction between archiving and retention services in accordance with the eIDAS Regulation (Regulation (EU) No 910/2014) is necessary. The regulatory framework should be based on modern standards such as OAIS (ISO 14721:2025) and CEN/TS 18170:2025 to ensure coherence, interoperability, and cross-border recognition. Outdated standards such as ISO 14641:2018 should be removed to create a future-proof European framework.
Qualified Electronic Registers (Qualified Ledgers): Precise, technically accurate, and practicable rules for qualified electronic registers are essential. Clear definitions, consistent terminology, and realistic supervisory requirements, especially regarding security updates, should establish a legally sound, coherent, and implementable regulatory framework that combines innovation with high security standards.
Advanced Electronic Signatures and Seals: The current draft implementing act on advanced electronic signatures and seals is welcomed. However, the proposed amendment to the JAdES Baseline Profile for ETSI TS 119 182-1 V1.2.1 should be removed in order to preserve compatibility and technical consistency.
Batch 4
Accreditation of Conformity Assessment Bodies (CABs): Bitkom calls for clearer roles, consistent terminology, and flexible, proportionate procedures in the draft eIDAS Implementing Act on the Accreditation of Conformity Assessment Bodies to ensure legal alignment and avoid implementation delays.
Trusted Lists: Bitkom calls for extending the application deadline of the eIDAS Implementing Act on Trusted Lists from 6 to 12 months to ensure a smooth transition and protect trust and existing infrastructures.