Today has been published the final text adopted for EIDAS2 Regulation in the last Triloge meeting, last week.

This is the text of Article 45

Article 45 – Requirements for qualified certificates for website authentication

1. Qualified certificates for website authentication shall meet the requirements laid down in Annex IV. Evaluation of compliance with those requirements shall be carried out in accordance with the standards and the specifications referred to in paragraph 3.
2. Qualified certificates for website authentication issued in accordance with paragraph 1 shall be recognised by web-browsers. ▌Web-browsers shall ensure that the identity data attested in the certificate and additional attested attributes are displayed in a user-friendly manner. Web-browsers shall ensure support and interoperability with qualified certificates for website authentication referred to in paragraph 1, with the exception of enterprises ▌ considered to be microenterprises and small enterprises in accordance with Commission Recommendation 2003/361/EC during the first 5 years of operating as providers of web-browsing services.
   ▌
   2b. Qualified certificates for website authentication shall not be subject to any mandatory requirements other than the requirements laid down in paragraph 1
3. By … [12 months after the date of the entering into force of this amending Regulation], the Commission shall, by means of implementing acts, establish a list of reference standards and when necessary, establish specifications and procedures for qualified certificates for website authentication, referred to in paragraph 1. ▌ Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 48(2).”

Article 45a-1 – Cybersecurity precautionary measures

1. Web-browsers shall not take any measures contrary to their obligations set out in Article 45, notably the requirement to recognise Qualified Certificates for Website Authentication, and to display the identity data provided in a user friendly manner.
2. By way of derogation to paragraph 1 and only in case of substantiated concerns related to breaches of security or loss of integrity of an identified certificate or set of certificates, web-browsers may take precautionary measures in relation to that certificate or set of certificates.
3. Where measures are taken, web-browsers shall notify their concerns in writing without undue delay, jointly with a description of the measures taken to mitigate those concerns, to the Commission, the competent supervisory authority, the entity to whom the certificate was issued and to the qualified trust service provider that issued that certificate or set of certificates. Upon receipt of such a notification, the competent supervisory authority shall issue an acknowledgement of receipt to the web-browser in question.
4. The competent supervisory authority shall consider the issues raised in the notification in accordance with Article 17(3)(c). When the outcome of that investigation does not result in the withdrawal of the qualified status of the certificate(s), the supervisory authority shall inform the web-browser accordingly and request it to put an end to the precautionary measures referred to in paragraph 2.