Version status: Inserted | Document consolidation status: Updated to reflect all known changes
Version date: 20 May 2024 - onwards
Version 2 of 2

Article 19a Requirements for non-qualified trust service providers

1. A non-qualified trust service provider providing non-qualified trust services shall:

(a) have appropriate policies and take corresponding measures to manage legal, business, operational and other direct or indirect risks to the provision of the non-qualified trust service, which shall, notwithstanding Article 21 of Directive (EU) 2022/2555, include at least measures relating to:

(i) registration and onboarding procedures for a trust service;

(ii) procedural or administrative checks needed to provide trust services;

(iii) the management and implementation of trust services;

(b) notifying the supervisory body, the identifiable affected individuals, the public if it is of public interest and, where applicable, other relevant competent authorities, of any security breaches or disruptions in the provision of the service or the implementation of the measures referred to in point (a)(i), (ii) or (iii), that have a significant impact on the trust service provided or on the personal data maintained therein, without undue delay and in any case no later than 24 hours of having become aware of any security breaches or disruptions.