ANNEX II
Information to be included in the annual reports of supervisory bodies of trust services
The annual reports of supervisory bodies shall include at least the following information:
(1)
the name, address and contact details of the supervisory body submitting the annual report;
(2)
where more than one supervisory body has been designated in accordance with Article 46b(1) of Regulation (EU) No 910/2014, the scope of the supervisory activities of the supervisory body submitting the annual report;
(3)
a description of the organisation, structure, resources and capabilities of the supervisory authority submitting the annual report;
(4)
a description of supervisory activities carried out pursuant to Article 46b(3), point (a) and point (b), during the reported calendar year in relation to non-qualified and qualified trust service providers established in the territory of the designating Member State and the trust services they provide, including cases of suspected or potential infringements of Regulation (EU) No 910/2014 and a summary of main challenges identified;
(5)
a summary of on-site inspections and off-site supervision activities carried out by the supervisory body submitting the annual report, including at least the following information:
(a)
the identification of the qualified trust service provider or providers;
(b)
the affected trust service or services;
(c)
a description of the supervision activity;
(d)
a summary of the outcome;
(e)
any measures imposed;
(f)
actions undertaken by the supervisory body.
(6)
a description of any additional action taken by the supervisory body pursuant to Article 46b(3), of Regulation (EU) No 910/2014;
(7)
a description of any significant security breach or loss of integrity notifications made by the supervisory body submitting the annual report to the competent authorities of the Member State or Member States concerned designated or established pursuant to Article 8(1) of Directive (EU) 2022/2555, to the single points of contact of the Member State or Member States concerned designated or established pursuant to Article 8(3) of Directive (EU) 2022/2555, to the single points of contact in the other Member States concerned designated pursuant to Article 46c(1) of Regulation (EU) No 910/2014, or to the public;
(8)
a description of the scope of cooperation with other supervisory bodies established in other Member States and a description of assistance provided in accordance with Article 46c and Article 46e of Regulation (EU) No 910/2014 and an overview of outcomes of such cooperation;
(9)
a description of the frequency and nature of cooperation of the supervisory bodies for trust services with competent supervisory authorities established pursuant to Article 51 of Regulation (EU) 2016/679 where personal data protection rules appear to have been breached and about security breaches which appear to constitute personal data breaches as regards trust service providers and the trust services they provide;
(10)
a summary of the result of verifying the existence of provisions on termination plans and of verifying their correct application where a supervised qualified trust service provider ceases its activities, including an indication on how information is kept accessible in accordance with Article 24(2), point (h) of Regulation (EU) No 910/2014;
(11)
a description of any investigations of claims made by providers of web browsers that they were investigating during the reporting period pursuant to Article 45a of Regulation (EU) No 910/2014 and on any other consequential actions taken in that context;
(12)
a description of activities relating to trusted lists referred to in Article 22 of Regulation (EU) No 910/2014, including noticeable updates following supervisory activities, relevant experience or compliance issues with Commission Implementing Decision (EU) 2015/1505 ( 1 ) , in particular with availability requirements;
(13)
information about national accreditation schemes of conformity assessment bodies, national conformity assessment schemes or related guidance to conformity assessment schemes, or information about related initiatives;
(14)
a description, where applicable, of any trust infrastructure established, maintained and updated by a supervisory body at a Member State’s request and in accordance with national law.
( 1 ) Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market ( OJ L 235, 9.9.2015, p. 26 , ELI: http://data.europa.eu/eli/dec_impl/2015/1505/oj ).