Supervisory Body

A Supervisory Body is the national authority designated by each EU Member State to oversee and enforce compliance with the eIDAS regulation within its jurisdiction. Under eIDAS 2.0, the supervisory body's role is expanded and strengthened.

Its core responsibilities include: supervising Qualified Trust Service Providers (QTSPs) and their services; granting or withdrawing qualified status; maintaining the national Trusted List of qualified trust services and providers; handling incident and breach notifications from trust service providers; conducting or commissioning audits and conformity assessments; and taking enforcement action in case of non-compliance. The supervisory body also plays a role in the wallet ecosystem under eIDAS 2.0.

It oversees the registration of relying parties that wish to access wallet data, ensuring that they declare their intended attribute requests and purposes. It also participates in the certification process for wallet solutions and monitors the overall security and trustworthiness of the national digital identity infrastructure. Each Member State must notify the European Commission of its designated supervisory body.

Some Member States assign this role to an existing regulatory authority (such as a telecommunications regulator or a data protection authority), while others create a dedicated body. The European Commission publishes a list of all national supervisory bodies, facilitating cross-border cooperation and mutual assistance. For organisations operating as or working with QTSPs, the supervisory body is the primary regulatory point of contact.

Understanding the supervisory body's requirements, reporting obligations, and enforcement powers is essential for compliance planning, particularly for organisations seeking to obtain or maintain qualified status for their trust services.