ANNEX III
Specifications for conformity assessment reports
The conformity assessment report as referred to in Article 7(1) shall
(1)
be accompanied by a clear certification decision in accordance with clause 7.6 of standard ETSI EN 319403-1 v2.3.1 (‘ETSI EN 319403-1’), confirming, whether the assessed trust service provider and the assessed qualified trust services it provides or aims to provide meet the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555;
(2)
specify the name of the qualified trust service provider and, where applicable, its registration number, as stated in the official records, its official postal address, and its electronic address as well as, where applicable, the same information for all subsidiaries, affiliated legal entities, contractors and subcontractors that are operating trust service components in the scope of the provision of the qualified trust services by the qualified trust service provider;
(3)
include a detailed description of the scope of the assessment of the qualified trust service provider, including the specific qualified trust services covered by the assessment;
(4)
contain sufficient evidence to demonstrate that the qualified trust service provider and the qualified trust services it provides fulfil the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555;
(5)
specify the name of the conformity assessment body, and, where applicable its registration number, as stated in the official records, its registered postal address, and its electronic address;
(6)
specify the following:
(a)
the name and country of the national accreditation body having accredited the conformity assessment body;
(b)
the names of the natural persons involved by the conformity assessment body in performing the conformity assessment and their respective role in that assessment;
(c)
the link to the official website of the national accreditation body and containing the accreditation certificate issued by the national accreditation body to the conformity assessment body;
(d)
where applicable, the digital accreditation symbol;
(e)
the conformity assessment scheme for which the conformity assessment body has been accredited in accordance with Article 2(1);
(f)
conformity assessment enquiries of the conformity assessment conducted, the rationale behind their selection, and the methodology employed, including sampling methodology and test procedures;
(g)
the accredited conformity assessment scheme and relevant documents or a link to the location from where that conformity assessment scheme and relevant documents are available;
(7)
contain at least one qualified electronic signature, where the report is provided in an electronic form, or handwritten signature, where provided paper-based, identifying the name and title of the responsible person or persons that authorised to adopt the certification decision on behalf of the conformity assessment body;
(8)
concern one qualified trust service provider;
(9)
identify, in accordance with clause 5.5.3 of standard ETSI TS 119612 v.2.4.1, the service digital identities per type of qualified trust service for which it confirms the conformity with the requirements laid down in Regulation (EU) No 910/2014 and in Article 21 of Directive (EU) 2022/2555, providing the following information:
(a)
when the qualified trust service is not public key infrastructure technology based, an identifier expressed as a URI that uniquely identifies the qualified trust service;
(b)
when the qualified trust service is based on public key infrastructure technology, at least the following:
—
the Subject Key Identifier as defined in IETF RFC 5280;
—
the Base64 PEM representation of the associated X.509v3 digital certificate;
—
where applicable, an indication whether specific sets or subsets of end-entity certificates issued by or under the service digital identity are excluded from or specifically included in the certification decision and on the basis of which criteria they may be identified;
—
an indication whether the service digital identity relates to an end-entity or a certification authority, clarifying whether it is an issuing, intermediate or root certificate;
—
a description on how the service digital identity is used in the context of the corresponding qualified trust service;
(10)
provide, where applicable, a detailed description of the public key infrastructure functional hierarchy, per type of qualified trust service and for all service digital identities identified in accordance with point 11, including at least:
(a)
the illustration of the public key infrastructure hierarchy identifying the root certification authorities, the intermediate certification authorities, the issuing certification authorities and the certification paths between them;
(b)
the identification of each certification authority illustrated in point (a) through the Subject Key Identifier as defined in IETF RFC 5280;
(c)
for each of the issuing certification authorities identified in accordance with point (b), the list of the different policy sets of certificates that each certification authority is issuing, together with for each set:
—
criteria that unambiguously identify the certificates of the set, being either a list of certificate policy identifiers to match with the content of the certificate policy certificate extension as defined in IETF RFC 5280 or other criteria as set out in implementing acts adopted pursuant to Article 22(5) of Regulation (EU) No 910/2014;
—
an indication of whether the certificates of the set are either qualified or non-qualified;
—
an indication of whether the certificates of the set are either for electronic signatures, or for electronic seals, or for web site authentication or for none of those purposes and, in the latter case, for which other purposes their use is intended;
—
an indication of whether the private key corresponding to the public key certified in the certificates of the sets resides in a local or remote qualified signature or seal creation device;
(11)
include, in accordance with point 2
(a)
an exhaustive list of third parties, including subcontractors, which provide qualified trust service components or service components by indicating their name, as identified in point 2, together with the location of the sites where the corresponding component services are operated;
(b)
an indication whether those third parties and sites have been subject to the conformity assessment and to which extent;
(12)
describe, where appropriate, the content of the entry to be included, or to be updated, in the relevant national trusted list, in accordance with the result of the assessment;
(13)
include an exhaustive list of public and qualified trust service providers’ internal documents, which are properly identified including versioning, which have been part of the scope of the conformity assessment, including at least the following documentation as referred to in point 8, for which a copy shall be either provided together with the conformity assessment report or made otherwise available to the competent supervisory body on its request:
(a)
the declaration of the practices used by the qualified trust service provider to provide the qualified trust services;
(b)
the set of rules that indicates the applicability of the qualified trust services to a particular community or class of application with common security requirements (‘qualified trust service policies’);
(c)
the terms and conditions related to subscriber agreements;
(d)
the termination plan of the qualified trust services;
(e)
the documentation which is related to the assessment of risks and which aims to demonstrate that the requirements of Article 24(2), points (fa) and (fb) of Regulation (EU) No 910/2014 and Article 21 of Directive (EU) 2022/2555 have been fulfilled;
(f)
the security breaches notification plan which aims to demonstrate that the requirements of Article 24(2), points (fa) and (fb) of Regulation (EU) No 910/2014 and Article 21 of Directive (EU) 2022/2555 have been fulfilled;
(g)
the list of all internal documents supporting the effective implementation of the practices declared and used by the qualified trust service provider to provide the qualified trust services;
(h)
the memorandum and articles of incorporation or statutes of the qualified trust service provider, in accordance with the applicable national laws, together with the following elements:
—
statement of business activities not relating to the provision of trust services;
—
organisational chart;
—
ownership structure information;
—
where applicable and available, report of the accounts of the accounts auditor for the previous two accounting years, or from the date of its incorporation until the date of signing the conformity assessment report, whichever period is shorter;
(i)
evidence that the qualified trust service provider, in accordance with applicable national laws, maintains sufficient financial resources and, where applicable, has obtained appropriate liability insurance with regard to the provision of the qualified trust services;
(j)
the list of standards with which the operations are claimed to be compliant;
(k)
the list of standards with which the operations are audited, evaluated, certified, or assessed to be compliant, together with details about the underlying audit, evaluation, certification or assessment scheme, as applicable;
(l)
the list of qualified electronic signature creation devices or qualified electronic seal creation devices and their certification related information when the qualified trust service provider delivers or makes available such devices to its users;
(m)
the list of devices used by the qualified trust service provider as trustworthy system or product, including hardware security modules or secure cryptographic devices, to protect its own keys, and information related to their certification, when the qualified trust service provider uses such devices to secure the processes supporting the qualified trust services it provides;
(14)
contain an assessment of the fulfilment of the requirements that apply to the relevant qualified trust services pursuant to Regulation (EU) No 910/2014, and, where applicable, as set out in the implementing and delegated acts that apply to that qualified trust service as adopted in accordance with:
—
Article 24(1c) of Regulation (EU) No 910/2014 with respect to the verification of the identity and attributes of persons to whom the qualified certificate or the qualified electronic attestation is to be issued;
—
Article 24(5) of Regulation (EU) No 910/2014 with respect to the requirements for qualified trust service providers providing qualified trust services;
—
Article 28(6) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for electronic signatures;
—
Article 38(6) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for electronic seals;
—
Article 45(2) of Regulation (EU) No 910/2014 with respect to the issuance of qualified certificates for website authentication;
—
Article 33(2) of Regulation (EU) No 910/2014 with respect to the qualified validation service for qualified electronic signatures;
—
Article 33(2) and Article 40 of Regulation (EU) No 910/2014 with respect to the qualified validation service for qualified electronic seals,
—
Article 34(2) of Regulation (EU) No 910/2014 with respect to the qualified preservation service for qualified electronic signatures;
—
Article 34(2) and Article 40 of Regulation (EU) No 910/2014 with respect to the qualified preservation service for qualified electronic seals;
—
Article 42(2) of Regulation (EU) No 910/2014 with respect to the creation of qualified electronic timestamps;
—
Article 44(2) of Regulation (EU) No 910/2014 with respect to the provision of qualified electronic registered delivery services;
—
Article 29a(2) of Regulation (EU) No 910/2014 with respect to the qualified service for the management of remote qualified electronic signature creation devices;
—
Article 29a(2) and Article 39a of Regulation (EU) No 910/2014 with respect to the qualified service for the management of remote qualified electronic seal creation devices;
—
Article 45j(2) of Regulation (EU) No 910/2014 with respect to the provision of qualified electronic archiving services
—
Article 45d(5) of Regulation (EU) No 910/2014 with respect to the issuance of qualified electronic attestation of attributes;
—
Article 45l(3) of Regulation (EU) No 910/2014 with respect to the recording of electronic data in a qualified electronic ledger;
(15)
contains an assessment of the fulfilment of the requirements that apply to qualified trust service provider and to the relevant qualified trust services pursuant to Article 21 of Directive (EU) 2022/2555, and under the implementing acts that apply to that qualified trust service as adopted in accordance with of Article 21(5) of that Directive;
(16)
contains a statement declaring, where applicable, the absence of any non-conformities, irrespective of their level of criticality; where any non-conformity is identified in the report, the report shall provide a plan of corrective actions and their timescale, provided by the qualified trust service provider and agreed by the conformity assessment body, together with the description of the planned evaluation tasks the conformity assessment body shall undertake to evaluate that those non-conformities have been corrected;
(17)
contains, where appropriate and necessary, an indication of opportunities for improvement concerning the fulfilment by the qualified trust service provider and the qualified trust services it provides of relevant requirements;
(18)
identify, for each stage of the conformity assessment, including documentation audit, implementation assessment and onsite inspections, the period in relation to which the assessment has been conducted and the time taken by the conformity assessment body in person-days to conduct the assessment;
(19)
identify in the corresponding specific requirement report the detailed conformity assessment controls and control objectives that have been conducted during the assessment or include a reference to separately available assessment reports in which such information is included, provided that such separated assessment reports are:
(a)
issued by conformity assessment bodies accredited in accordance with Regulation (EU) No 910/2014;
(b)
endorsed by the conformity assessment bodies issuing the conformity assessment report;
(20)
include the scope, the description, and the results of a significant set of tests or production samples and their assessment for all relevant and applicable types of outputs from the assessed qualified trust services;
(21)
indicate the following deadlines:
(a)
the deadline within which the next surveillance conformity assessment must be conducted;
(b)
the deadline within which the next conformity assessment must be conducted in accordance with Article 20(1) of Regulation (EU) No 910/2014;
(22)
contain an explicit declaration stating that the certification documents, including the conformity assessment report, are also intended for the use by the competent national supervisory body.