
Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014 of the European Parliament and of the Council on electronic identification and trust services for electronic transactions in the internal market (Text with EEA relevance)


EU member states must implement the Digital Identity Wallet by 2026, as mandated by eIDAS 2 (Regulation 2024/1183). Organizations providing qualified trust services face significant compliance obligations that weren't present under the original eIDAS framework. Non-compliance cou

Source: EuroComply Editorial (2026-05-31)
Reviewed: EuroComply Team, EU regulatory specialists. Content reviewed against official EUR-Lex texts.

Commission Implementing Decision (EU) 2015/1505 — Trusted Lists Under eIDAS

Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 lays down the technical specifications and formats for trusted lists under Regulation (EU) 910/2014 on electronic identification and trust services (eIDAS). It is not a headline regulation, but for any organisation that creates, validates, or relies upon qualified electronic signatures, qualified electronic seals, or qualified trust services, it is the foundational technical instrument that makes the eIDAS framework function in practice.

This article explains what trusted lists are, why they exist, what the 2015 Decision specifies, which organisations are required to appear on them, how businesses use them for e-signature validation, and how the 2026 eIDAS 2.0 framework under Regulation (EU) 2024/1183 changes the picture.

What Are EU Trusted Lists?

A trusted list is a signed, machine-readable register maintained by each EU member state's supervisory body. It lists all trust service providers — and their individual trust services — that have been granted qualified status under eIDAS. Qualified status means the provider and its service have been assessed by an accredited conformity assessment body and have met the technical and security requirements specified in the eIDAS Regulation.

The legal foundation for trusted lists is Article 22 of eIDAS Regulation (EU) 910/2014. Article 22(1) requires each member state to establish, maintain, and publish trusted lists. Article 22(5) empowers the European Commission to establish the technical specifications and formats applicable to those lists. Commission Implementing Decision 2015/1505 is the exercise of that power.

The European Commission aggregates all national trusted lists into a central List of Trusted Lists, accessible via the European Union trusted list browser. When a business receives a document bearing a qualified electronic signature, it can validate that signature against the trusted list to confirm that the signing service used by the signer is genuinely qualified.

What Decision 2015/1505 Specifies

The Decision specifies three primary things: the format of trusted lists, the information that must appear in each entry, and the signature or seal that must be applied to the list itself.

On format, the Decision requires that trusted lists be provided in XML according to the ETSI TS 119 612 technical standard. This is the standard maintained by the European Telecommunications Standards Institute that defines the schema, the vocabularies, and the encoding rules for trusted list data. National supervisory bodies must publish lists that conform to this schema to ensure that validation tools built across the EU can process any member state's list.

On content, each entry in a trusted list must include the trust service provider's name and address, the specific trust services offered (for example: qualified electronic signature creation, qualified electronic seal creation, qualified time-stamping, qualified preservation), the status of each service (granted, withdrawn, or suspended), the date of status change, the service digital identity (the certificate or public key that identifies the service), and any applicable extensions relevant to specific use cases.

On signing, the trusted list itself must be signed or sealed by the supervisory body using a qualified electronic signature or qualified electronic seal. This creates a verifiable chain: the trusted list is itself a qualified trust service output, and its integrity can be verified using the tools that eIDAS establishes.

Which Trust Service Providers Must Be Listed?

Under eIDAS Article 22, the trusted list must contain all qualified trust service providers and their qualified trust services. A trust service provider achieves qualified status after a successful conformity assessment conducted by a conformity assessment body accredited under Article 3 of Regulation (EC) 765/2008.

Qualified trust services under eIDAS Article 3(17) include: the creation of qualified electronic signatures, qualified electronic seals, and qualified electronic time stamps; the validation of qualified electronic signatures and seals; the preservation of qualified electronic signatures and seals; the issuance of qualified certificates for website authentication; and (under eIDAS 2.0) the issuance of qualified electronic attestations of attributes.

Trust service providers that have not obtained qualified status — that is, the majority of trust service providers globally — do not appear on national trusted lists and cannot claim qualified status for their services. Their signatures are legally recognised under eIDAS as advanced or simple electronic signatures, but they do not carry the presumption of equivalence to handwritten signatures that Article 25(2) attaches to qualified electronic signatures.

How Businesses Use Trusted Lists for Validation

The practical use of trusted lists in business contexts is primarily in document validation workflows. When an EU organisation receives a contract, invoice, or regulatory submission bearing an electronic signature, it must determine whether that signature is qualified in order to rely on its legal presumption.

Validation against the trusted list proceeds as follows. First, the validating party extracts the signing certificate from the signed document. Second, a validation tool — either a commercial product or an open-source library — checks the certificate against the national trusted list of the country in which the trust service provider is established. If the certificate is associated with a currently granted qualified service, the signature is qualified. If the certificate is associated with a service that has been withdrawn or suspended since the signature was created, the validation tool checks whether the service was granted at the time of signing.

Decision 2015/1505 makes this process tractable because it standardises the format: a single ETSI TS 119 612-compliant validation library can process any EU member state's trusted list without country-specific modifications.
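The "status at time of signing" check described above, as an added example (not code from the Decision, ETSI, or any validation product). It reads a constructed, heavily reduced ETSI TS 119 612 document and assumes the caller has already verified the list's own signature and identified the service certificate; the placeholder certificate bytes and the names `status_at` and `list_is_stale` are illustrative.

```python
import base64, hashlib
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}
STATUS = "http://uri.etsi.org/TrstSvc/TrustedList/Svcstatus/"
# Constructed sample: placeholder bytes stand in for the service's certificate.
CA_DER = b"constructed-placeholder-service-certificate"
SAMPLE_TL = f"""<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#">
 <SchemeInformation><NextUpdate><dateTime>2025-06-01T00:00:00Z</dateTime></NextUpdate></SchemeInformation>
 <TrustServiceProviderList><TrustServiceProvider><TSPServices><TSPService>
  <ServiceInformation>
   <ServiceDigitalIdentity><DigitalId><X509Certificate>{base64.b64encode(CA_DER).decode()}</X509Certificate></DigitalId></ServiceDigitalIdentity>
   <ServiceStatus>{STATUS}withdrawn</ServiceStatus>
   <StatusStartingTime>2024-03-01T00:00:00Z</StatusStartingTime>
  </ServiceInformation>
  <ServiceHistory><ServiceHistoryInstance>
   <ServiceStatus>{STATUS}granted</ServiceStatus>
   <StatusStartingTime>2020-01-01T00:00:00Z</StatusStartingTime>
  </ServiceHistoryInstance></ServiceHistory>
 </TSPService></TSPServices></TrustServiceProvider></TrustServiceProviderList>
</TrustServiceStatusList>"""

def _ts(text):
    return datetime.strptime(text.strip(), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def list_is_stale(root, now):
    """True once the list's own NextUpdate has passed; such a copy should be refetched."""
    return now > _ts(root.findtext("tsl:SchemeInformation/tsl:NextUpdate/tsl:dateTime", namespaces=NS))

def status_at(root, service_cert_der, signing_time):
    """Status name in force at signing_time for the matching service, or None if not listed then."""
    want = hashlib.sha256(service_cert_der).digest()
    for svc in root.iterfind(".//tsl:TSPService", NS):
        info = svc.find("tsl:ServiceInformation", NS)
        certs = info.iterfind(".//tsl:X509Certificate", NS)
        if not any(hashlib.sha256(base64.b64decode(c.text)).digest() == want for c in certs):
            continue
        # Current status plus every history instance, newest first.
        periods = [info] + svc.findall("tsl:ServiceHistory/tsl:ServiceHistoryInstance", NS)
        periods.sort(key=lambda p: _ts(p.findtext("tsl:StatusStartingTime", namespaces=NS)), reverse=True)
        for p in periods:
            if _ts(p.findtext("tsl:StatusStartingTime", namespaces=NS)) <= signing_time:
                return p.findtext("tsl:ServiceStatus", namespaces=NS).rsplit("/", 1)[-1]
    return None

ROOT = ET.fromstring(SAMPLE_TL)
```

A signature made while the service was granted stays qualified even though the current entry reads withdrawn; a signing time that predates every recorded period returns `None` rather than inheriting a later status.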

Supervisory bodies' obligations under Article 17 of eIDAS include keeping trusted lists current and publishing changes within three days of a status change. This ensures that validation tools querying the list have access to up-to-date status information.

The 2026 Update: eIDAS 2.0

Regulation (EU) 2024/1183, known as eIDAS 2.0, entered into force on 20 May 2024 and amends eIDAS Regulation 910/2014 significantly. It introduces the European Digital Identity Wallet, expands the scope of qualified trust services, and adds new trust service categories including qualified electronic attestations of attributes and electronic ledger services.

Article 5 of eIDAS 2.0 extends the scope of trusted lists by requiring member states to include the new wallet-enabled trust services in their lists. As qualified electronic attestation of attributes issuers come into operation from 2026 onwards, national trusted lists will expand substantially to cover these new service types.

Decision 2015/1505 is expected to be replaced or updated by a new Commission implementing act that covers the eIDAS 2.0 service categories. The European Commission's standardisation mandate to ETSI includes updating ETSI TS 119 612 to accommodate the new entry types and data fields required by eIDAS 2.0. Organisations that build trusted list processing into their compliance tooling should track the publication of the replacement implementing act, which is expected in the second half of 2026.

Business Implications for 2026

For organisations that accept qualified electronic signatures as binding — including financial institutions, legal services providers, public authorities, and regulated businesses — the key obligation is to ensure that their signature validation processes actually query current trusted lists, not cached or outdated copies.

Validation tools that rely on bundled trusted list data rather than live queries may validate signatures against stale information. With the expansion of trusted list content under eIDAS 2.0, the risk of outdated cached lists causing validation errors will increase.

Businesses operating cross-border should also ensure their validation tools cover all 27 EU member state trusted lists, not only the lists of the countries where they primarily operate. A contract signed by a German counterparty using a French qualified trust service provider requires validation against the French trusted list.

Frequently Asked Questions

Is a signature from a non-EU trust service provider ever treated as qualified?
Not under EU eIDAS. Qualified status is granted exclusively by EU member state supervisory bodies under the eIDAS framework. Non-EU signatures may be legally recognised under Article 14 of eIDAS via equivalence decisions between the EU and third countries, but they do not carry the Article 25(2) presumption without such a decision.

What happens when a trust service provider is removed from a trusted list?
Removal or withdrawal of a service means that signatures created after the withdrawal date do not benefit from qualified status. Signatures created before the withdrawal date remain qualified if the service was granted at the time of signing, provided the validation tool correctly applies the "status at time of signing" rule.

Who is responsible for maintaining national trusted lists?
Each member state designates a supervisory body under Article 17 of eIDAS. In Germany this is the Bundesnetzagentur; in France it is ANSSI; in Ireland it is NSAI. These bodies are responsible for the accuracy and currency of their national trusted lists.

Do I need to implement trusted list validation myself?
Most commercial document management, e-signing, and contract lifecycle management platforms that claim eIDAS compliance implement trusted list validation internally. If you procure such a platform, verify that it queries live trusted lists and not bundled snapshots, and that it covers all relevant member state lists.

Sources

  • Commission Implementing Decision (EU) 2015/1505 of 8 September 2015 laying down technical specifications and formats relating to trusted lists pursuant to Article 22(5) of Regulation (EU) No 910/2014
  • Regulation (EU) 910/2014 (eIDAS), Article 3(17) (Definition of qualified trust service), Article 17 (Supervisory body obligations), Article 22 (Trusted lists), Article 25(2) (Legal effect of qualified electronic signatures)
  • Regulation (EU) 2024/1183 (eIDAS 2.0), Article 5 (European Digital Identity Wallet and trust services)
  • ETSI TS 119 612 — Electronic Signatures and Infrastructures; Trusted Lists
  • Regulation (EC) 765/2008 on accreditation and market surveillance
