EIDAS 2014/0910 EN

1. Qualified trust_service providers shall be audited at their own expense at least every 24 months by a conformity_assessment_body. The purpose of the audit shall be to confirm that the qualified trust_service providers and the qualified trust_services provided by them fulfil the requirements laid down in this Regulation. The qualified trust_service providers shall submit the resulting conformity assessment report to the supervisory body within the period of three working days after receiving it.

2. Without prejudice to paragraph 1, the supervisory body may at any time audit or request a conformity_assessment_body to perform a conformity assessment of the qualified trust_service providers, at the expense of those trust_service providers, to confirm that they and the qualified trust_services provided by them fulfil the requirements laid down in this Regulation. Where personal data protection rules appear to have been breached, the supervisory body shall inform the data protection authorities of the results of its audits.

3. Where the supervisory body requires the qualified trust_service provider to remedy any failure to fulfil requirements under this Regulation and where that provider does not act accordingly, and if applicable within a time limit set by the supervisory body, the supervisory body, taking into account, in particular, the extent, duration and consequences of that failure, may withdraw the qualified status of that provider or of the affected service it provides and inform the body referred to in Article 22(3) for the purposes of updating the trusted lists referred to in Article 22(1). The supervisory body shall inform the qualified trust_service provider of the withdrawal of its qualified status or of the qualified status of the service concerned.

4. The Commission may, by means of implementing acts, establish reference number of the following standards:

(a)	accreditation of the conformity assessment bodies and for the conformity assessment report referred to in paragraph 1;

(b)	auditing rules under which conformity assessment bodies will carry out their conformity assessment of the qualified trust_service providers as referred to in paragraph 1.

Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).

Article 47

Exercise of the delegation

1. The power to adopt delegated acts is conferred on the Commission subject to the conditions laid down in this Article.

2. The power to adopt delegated acts referred to in Article 30(4) shall be conferred on the Commission for an indeterminate period of time from 17 September 2014.

3. The delegation of power referred to in Article 30(4) may be revoked at any time by the European Parliament or by the Council. A decision to revoke shall put an end to the delegation of the power specified in that decision. It shall take effect the day following the publication of the decision in the Official Journal of the European Union or at a later date specified therein. It shall not affect the validity of any delegated acts already in force.

4. As soon as it adopts a delegated act, the Commission shall notify it simultaneously to the European Parliament and to the Council.

5. A delegated act adopted pursuant to Article 30(4) shall enter into force only if no objection has been expressed either by the European Parliament or the Council within a period of two months of notification of that act to the European Parliament and the Council or if, before the expiry of that period, the European Parliament and the Council have both informed the Commission that they will not object. That period shall be extended by two months at the initiative of the European Parliament or of the Council.

whereas

(9) In most cases, citizens cannot use their electronic_identification to authenticate themselves in another Member State because the national electronic_identification schemes in their country are not recognised in other Member States.
That electronic barrier excludes service providers from enjoying the full benefits of the internal market.
Mutually recognised electronic_identification means will facilitate cross-border provision of numerous services in the internal market and enable businesses to operate on a cross-border basis without facing many obstacles in interactions with public authorities.

- = -

(57) To ensure legal certainty as regards the validity of the signature, it is essential to specify the components of a qualified electronic_signature, which should be assessed by the relying_party carrying out the validation.
Moreover, specifying the requirements for qualified trust_service providers that can provide a qualified validation service to relying parties unwilling or unable to carry out the validation of qualified electronic_signatures themselves, should stimulate the private and public sector to invest in such services.
Both elements should make qualified electronic_signature validation easy and convenient for all parties at Union level.

- = -

(63) Electronic documents are important for further development of cross-border electronic transactions in the internal market.
This Regulation should establish the principle that an electronic_document should not be denied legal effect on the grounds that it is in an electronic form in order to ensure that an electronic transaction will not be rejected only on the grounds that a document is in electronic form.

- = -

(67) Website authentication services provide a means by which a visitor to a website can be assured that there is a genuine and legitimate entity standing behind the website.
Those services contribute to the building of trust and confidence in conducting business online, as users will have confidence in a website that has been authenticated.
The provision and the use of website authentication services are entirely voluntary.
However, in order for website authentication to become a means to boosting trust, providing a better experience for the user and furthering growth in the internal market, this Regulation should lay down minimal security and liability obligations for the providers and their services.
To that end, the results of existing industry-led initiatives, for example the Certification Authorities/Browsers Forum — CA/B Forum, have been taken into account.
In addition, this Regulation should not impede the use of other means or methods to authenticate a website not falling under this Regulation nor should it prevent third country providers of website authentication services from providing their services to customers in the Union.
However, a third country provider should only have its website authentication services recognised as qualified in accordance with this Regulation, if an international agreement between the Union and the country of establishment of the provider has been concluded.

- = -

keyboard_tab EIDAS 2014/0910 EN

EIDAS 2014/0910 EN