On November 17, 2025, Commission Implementing Regulation (EU) 2025/2160 of October 27, 2025 (hereinafter referred to as IUK) entered into force. This regulation is part of a broader legislative package of implementing acts accompanying the revised eIDAS and represent one of the most significant regulatory shifts in trust services in the past decade. They set out reference standards, technical specifications, and risk management procedures for the provision of non-qualified trust services, directly affecting many digital service providers and users across the EU, as it is directly applicable in all Member States. Trust service providers, public authorities, and economic operators will need to make extensive adjustments over the next two years, which will, in the long term:
- increase the security of digital transactions,
- ensure greater interoperability within the EU,
- enable more reliable operation of digital services.
Article 19a of eIDAS 2.0: requirements for providers of non-qualified trust services
The new IUK operationalizes Article 19a of eIDAS 2.0, which for the first time comprehensively regulates the obligations of providers of non-qualified trust services. These providers are recognized as important entities under Slovenian law in accordance with ZInfV-1 and are therefore subject to demanding organizational, technical, and security standards, resulting in a significantly higher level of expected compliance and information protection. This allows for more in-depth verification of provider reliability and a clearer understanding of the guaranteed availability, integrity, and confidentiality of information. The IUK takes effect immediately, requiring rapid adaptation by all relevant providers. ZInfV-1 stipulates that obligated parties – essential and important entities and their suppliers – must establish the following by December 19, 2026:
- a documented information security management system (ISMS),
- a documented business continuity management system (BCMS),
- and take measures to manage risks.
New standards for advanced e-signature and e-seal formats
From the perspective of electronic business between companies, public authorities, and cross-border e-communication, the IUK proposal on advanced and qualified e-signature and e-seal formats, which will have to be recognized by the public administrations of Member States, is also important. The proposal stipulates that:
- qualified e-signatures or advanced e-signatures created with a qualified certificate shall be used as a priority in the public sector,
- the formats used must comply with ETSI technical specifications,
- the ability to verify the validity of signatures must be ensured.
This direction has already been indicated in Slovenia by the amendment to the ZUP, which prescribes the use of such signatures for the submission of electronic applications.
Alternative methods for validating advanced e-signatures and e-seals
For cases where public authorities do not require e-signatures created with qualified certificates for e-signatures (the same applies mutatis mutandis to advanced e-seals), the IUK proposal sets out the technical specifications for the formats of such e-signatures and the requirements for establishing alternative mechanisms for verifying their validity. The aim is to improve legal certainty for all parties relying on such signatures, particularly in online and cross-border procedures.
A transitional period of 24 months from the entry into force of the IUK is envisaged, meaning implementation in early 2028.
Although the draft IUK under consideration relates to the use of e-signatures in the context of online transactions by public authorities, the proposed solution is also expected to impact e-business in the private sector. By specifying reference formats also for advanced electronic signatures that are not supported by a qualified certificate and by introducing a requirement for alternative methods of confirming their validity, their use will become significantly less attractive in terms of cost-effectiveness and user experience.
