Pursuant to Article 4(3) of Commission Implementing Decision (EU) 2015/1505 as amended by Implementing Decision (EU) 2025/2164, the European Commission (hereafter “the Commission”) makes available to the public, through a secure channel to an authenticated web server, the information notified by Member States under Articles 4(1) and 4(2) of Implementing Decision (EU) 2015/1505, in a signed or sealed form suitable for automated processing.
The information notified by Member States is compiled and made available in a signed or sealed, machine-processable XML form, called the “list of trusted lists” (hereafter the “LOTL”).
Prior to any interpretation of the LOTL, its authenticity and integrity shall be verified by relying parties. To that end, relying parties should:
The verification referred to in point 2 above may involve the processing of so-called “pivot LOTLs”, defined in section 3, with their mechanism described in section 4.
The present text is intended to provide relying parties with explanatory information on:
For the purpose of the next sections, the following definitions and abbreviations apply:
A pivot LOTL is a publicly available historized specific instance of a LOTL, whose location is referenced in the current LOTL <SchemeInformationURI>. When a pivot LOTL is created, it has the exact same content as that of the LOTL which is in force at the time.
The important characteristics of a pivot LOTL are only the:
A pivot LOTL is created when there is a change in:
In order to support the verification of the authenticity and integrity of the LOTL by relying parties, the Commission publishes in the OJEU the LOTL-signing certificates and a URL indicating the LOTL location.
Note 1: At any point in time, the Commission may replace this URL and set of certificates via a new OJEU publication, in particular in case of any security-related events or abrupt changes related to the LOTL deemed fit by the Commission. However, as will be seen in the ensuing explanations, for planned cases the pivot mechanism mitigates the impact of such changes on relying parties.
The Commission may decide at any point in time to change the LOTL location or the set of LOTL-signing certificates. Such a change may, as a machine-processable approach, be done by publishing the related modifications in the LOTL itself. Upon such modifications in the LOTL, an instance of the modified LOTL is immediately archived and the location of that archived LOTL is referenced in the LOTL itself. Such an archived LOTL is referred to as a “pivot LOTL”, as it represents a pivot point in the historical values of the LOTL location and/or the LOTL-signing certificates.
From a technical perspective, the LOTL location, the LOTL-signing certificates, and the location of archived pivot LOTLs are included in the LOTL as follows:
This first part in the <SchemeInformationURI> may be followed by, in reverse chronological order:
In this respect, once the decision of the Commission to modify the LOTL-signing certificates or the LOTL location is reflected in the publication of a pivot LOTL, relying parties may detect such a modification in a machine-processable way in the LOTL, namely from changes of:
In order to introduce the concept of the pivot LOTL mechanism, the present document defines three states in which the LOTL can be:
Those states are defined purely to support the explanations that follow and are not intended to formally define in any way new terms to be used outside of this text.
The subsequent sections describe how to verify the authenticity and integrity of the LOTL when it is either in:
When the LOTL is in a direct state, the LOTL location is the URL published in the latest relevant OJEU publication, and the set of LOTL-signing certificates is the exact set of certificates in that publication.
The procedure for verifying the authenticity and integrity of the LOTL when it is in an anchored state is described in the next two subsections, depending on whether the pivot LOTLs reflect a change of:
The Commission can make the decision to add new LOTL-signing certificates and remove old ones. The announcement of these changes in the LOTL-signing certificates is made by the publication of a pivot LOTL.
A description of the procedure followed by the Commission for announcing and making effective changes to the LOTL-signing certificates is provided below:
The pivot LOTL is then referenced at a separate location whose URL is added, in reverse chronological order – that is, showing first – in the field <SchemeInformationURI> of this instance of the LOTL and all future instances of the LOTL.
This pivot LOTL includes:
The list of pivot LOTLs forms a virtual chain of changes regarding the LOTL-signing certificates, starting from the initial situation where the LOTL was in a “direct state” up to the current one.
When verifying the authenticity and integrity of the LOTL, relying parties should, starting from the LOTL available from the LOTL location specified in the latest relevant publication in the OJEU, reconstruct the chain of changes from the list of pivot LOTLs to conclude on the current set of LOTL-signing certificates to validate the signature of the LOTL:
After the publication of the pivot LOTL announcing changes in LOTL-signing certificates, relying parties have 15 days (the duration of the transition period) to take these changes into account.
It is highly recommended to take these changes into account during the transition period rather than after it, as:
The LOTL location must be retrieved from the latest OJEU publication. However, the Commission can make the decision to change the location where the current instance of the LOTL is published.
A description of the procedure followed by the Commission for announcing and making effective changes to the LOTL location is provided below:
Relying parties can detect a change of the LOTL location by monitoring the value of the <TSLLocation> element of the <OtherTSLPointer> element whose <SchemeTerritory> is EU, within the field <PointersToOtherTSL>.
Although a formal transition period (explained in Sections 8 and 9 below) will follow a change of LOTL location, relying parties may decide to begin configuring their systems as soon as they detect this change. After the publication of the pivot LOTL announcing the change in LOTL location, relying parties can access the LOTL at the new location. They can also access the LOTL at the old location:
The Commission may decide to publish a new notice in the OJEU referencing the current LOTL location and LOTL-signing certificates, to simplify the list of pivot LOTLs contained in the LOTL (i.e. to “reset” that list).
In case of a change of LOTL location, this new OJEU publication is actually needed and shall take place before the discontinuation of the old LOTL location, so that relying parties can find and trust the LOTL after the old LOTL location is discontinued.
There is a 15-day transition period that starts when the LOTL enters the “transition state”, i.e. when a LOTL referencing two OJEU URLs is published. From a technical perspective, the <SchemeInformationURI> field of the current instance of the LOTL reflects the coexistence of two successive relevant OJEU publications, as described in the definition of the transition state in Section 5.
During this period, the LOTL can be accessed by starting from either of the two OJEU publications and applying the mechanism explained in Section 7:
Note 2: Because the list of URLs in the field <SchemeInformationURI> is in reverse chronological order, a pivot LOTL published after another element (e.g. a pivot LOTL or an OJEU publication) will appear before it (“on top of it”) in that list.
Consequently, relying parties may update their configuration files at any moment during this period without impacting the processing of the LOTL. Furthermore, relying parties can also detect that the latest OJEU publication has occurred by monitoring the field <SchemeInformationURI> and be alerted that the 15-day transition period during which a change of configuration should be performed has begun.
At the end of the transition period, a LOTL resetting the old chain of pivot LOTLs (keeping any newly created pivot LOTLs) will be published, referencing only the new OJEU publication (further described in Sections 9 and 10).
Resetting the pivots occurs upon publication of a new LOTL instance that removes:
and leaves only the following information:
The reset of the chain of pivot LOTLs follows immediately when the 15-day transition period ends. The result of the reset is a LOTL back to the direct state (if there are no pivot LOTLs associated with the latest relevant OJEU publication), or possibly anchored state (if there are one or more pivot LOTLs associated with the latest relevant OJEU publication), as defined in Section 5.
After this transition period, if configuration files have not been updated according to the latest relevant OJEU publication, there may be an impact on the ability to verify the authenticity and integrity of the LOTL, due to the absence of the old pivot LOTLs and/or the old LOTL location.
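As an added example (not part of the Commission's text), the following Python code shows how a relying party can read the <SchemeInformationURI> list and the EU <TSLLocation> from a LOTL, classify the LOTL state defined in Section 5, derive the chain of pivot LOTLs to walk from its configured OJEU publication (Section 7), and detect the stale-configuration situation described above. The namespace is the ETSI TS 119 612 TSL namespace; the XML fragment and all URLs are constructed placeholders.

```python
import xml.etree.ElementTree as ET

NS = {"tsl": "http://uri.etsi.org/02231/v2#"}  # ETSI TS 119 612 TSL namespace
# Constructed LOTL fragment in the transition state (two OJEU URLs in <SchemeInformationURI>,
# pivots in reverse chronological order). All URLs are placeholders, not real addresses.
SAMPLE_LOTL = """<TrustServiceStatusList xmlns="http://uri.etsi.org/02231/v2#"><SchemeInformation>
<SchemeInformationURI>
 <URI xml:lang="en">https://example.invalid/ojeu/abc</URI>
 <URI xml:lang="en">https://example.invalid/pivot/1010.xml</URI>
 <URI xml:lang="en">https://example.invalid/pivot/1000.xml</URI>
 <URI xml:lang="en">https://example.invalid/ojeu/xyz</URI>
</SchemeInformationURI>
<PointersToOtherTSL><OtherTSLPointer>
 <TSLLocation>https://example.invalid/new-loc/lotl.xml</TSLLocation>
 <AdditionalInformation><OtherInformation><SchemeTerritory>EU</SchemeTerritory>
 </OtherInformation></AdditionalInformation>
</OtherTSLPointer></PointersToOtherTSL>
</SchemeInformation></TrustServiceStatusList>"""

def scheme_information_uris(lotl_xml):
    """<SchemeInformationURI> values in document order, i.e. newest first."""
    root = ET.fromstring(lotl_xml)
    return [u.text.strip() for u in root.iterfind(".//tsl:SchemeInformationURI/tsl:URI", NS)]

def eu_tsl_location(lotl_xml):
    """LOTL location announced in the EU <OtherTSLPointer>; compare it with the configured one."""
    root = ET.fromstring(lotl_xml)
    for ptr in root.iterfind(".//tsl:PointersToOtherTSL/tsl:OtherTSLPointer", NS):
        if ptr.findtext(".//tsl:SchemeTerritory", namespaces=NS) == "EU":
            return ptr.findtext("tsl:TSLLocation", namespaces=NS)
    return None

def lotl_state(uris, ojeu_urls):
    """'direct', 'anchored' or 'transition'; only OJEU URLs known to the relying party count."""
    n_ojeu = sum(u in ojeu_urls for u in uris)
    if n_ojeu == 0:
        raise ValueError("no known OJEU publication referenced")
    if n_ojeu >= 2:
        return "transition"
    return "direct" if uris[0] in ojeu_urls else "anchored"

def pivot_chain(uris, anchor_ojeu, ojeu_urls):
    """Pivot LOTLs to process, oldest first, walking up from the configured OJEU publication.
    A missing anchor means the configuration predates a pivot reset and must be updated."""
    if anchor_ojeu not in uris:
        raise LookupError("configured OJEU publication no longer referenced")
    newer = uris[: uris.index(anchor_ojeu)]
    return [u for u in reversed(newer) if u not in ojeu_urls]
```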
The procedure described below in Table 1, implemented by the Commission, illustrates the pivot LOTL mechanism and an application of the pivot reset mechanism in the context of the change of LOTL location and the transition period that precedes the pivot reset.
| Time | Event |
|---|---|
| T1 | The decision is taken to change the location where the current instance of the LOTL is published. |
| T2 | The new LOTL location is known and ready for use. |
| T3 | The current instance of the LOTL is published at the new (future) LOTL location in addition to being published at the old (current) LOTL location. From time T3, any new instance of the LOTL is published at both locations. |
| T4 | A new instance of the LOTL is published (at both locations) as a pivot LOTL, in order to formally establish the existence of the new LOTL location. This pivot instance, like any pivot instance of the LOTL, is archived at a separate location whose URL is added, in reverse chronological order – that is, showing the most recent publication first – to the values of the field <SchemeInformationURI> of this instance of the LOTL and all future instances of the LOTL. This pivot LOTL includes: |
| T5 | A new OJEU publication has been written, translated into all languages, and sent for publication. The new OJEU publication is published. Note 1: This publication is expected to occur within 15 days of the publication of the pivot LOTL announcing the new location (or at least before the date and time at which the old location is no longer used by the Commission to publish the LOTL, when this occurs more than 15 days after the Time T4 event above). The location of this new publication is determined at this point but is not yet widely known. This OJEU publication: |
| T6 | The transition period starts with the publication of a new LOTL with the addition, as first value in its field <SchemeInformationURI>, of the location of the new OJEU publication. This is the LOTL that references two OJEU locations in its field <SchemeInformationURI>, as referred to in bullet T5.c.(i) above. Note 1: From the publication referred to in point T6.a: Note 2: If there is a need to change the list of LOTL-signing certificates after the new OJEU publication has occurred (Event (T5) above) and before Event (T6) occurs, this change has to wait for Event (T6) to take effect. The publication of the corresponding pivot LOTL has to wait for Event (T6) to occur, so that in the field <SchemeInformationURI> this pivot LOTL appears before (on top of) the location of the new OJEU publication. This ensures that the content of the new OJEU publication is indeed in sync with the LOTL and the list of pivot LOTLs. Note 3: Once the new OJEU publication appears in the field <SchemeInformationURI> (i.e. from the publication resulting from Event (T6)), one or more new pivot LOTLs might be published to communicate new LOTL-signing certificates. |
| T7 | The transition period ends with the publication of a new LOTL which resets the pivots (i.e. removes the URI indicating the old OJEU publication and the pivot LOTLs added between the two OJEU location URIs). This LOTL has only one OJEU location in its field <SchemeInformationURI> (and potentially no, one or more pivot LOTLs “on top of it” in the field <SchemeInformationURI>). |
Table 1: LOTL location change timeline
Table 2 below provides an example that illustrates the procedure. In that table, each cell on the left represents an instance of a LOTL with:
The right column represents events that occur when the LOTL instance in the left column is in force.
| LOTL in force at that time | Event |
|---|---|
| LOTL Sn 998 “Siu”: P969, P811, OJEUxyz, … “PTOTSLEU”: Old-LOC // C2, C4, C5 Signature (C4) | T1. Decision taken to change the LOTL location |
| LOTL Sn 999 “Siu”: P969, P811, OJEUxyz, … “PTOTSLEU”: Old-LOC // C2, C4, C5 Signature (C2) | T2. New LOTL location ready |
| LOTL Sn 999 “Siu”: P969, P811, OJEUxyz, … “PTOTSLEU”: Old-LOC // C2, C4, C5 Signature (C2) | T3. LOTL published at both locations |
| LOTL Sn 1000 “Siu”: P1000, P969, P811, OJEUxyz, … “PTOTSLEU”: New-LOC // C2, C4, C5 Signature (C5) | T4. New pivot LOTL changing the LOTL location |
| LOTL Sn 1001 to Sn 1009 | New instances of the LOTL publishing changes notified by the Member States (in the corresponding Member State entry of the LOTL PTOTSLs element) |
| LOTL Sn 1010 “Siu”: P1010, P1000, P969, P811, OJEUxyz, … “PTOTSLEU”: New-LOC // C4, C6, C7 Signature (C4) | New pivot due to the need for changing LOTLSO certificates |
| LOTL Sn 1011 to Sn 1017 | New instances of the LOTL publishing changes notified by the Member States (in the corresponding Member State entry of the LOTL PTOTSLs element) |
| LOTL Sn 1018 “Siu”: P1010, P1000, P969, P811, OJEUxyz, … “PTOTSLEU”: New-LOC // C4, C6, C7 Signature (C6) | T5. Publication of the new OJEU. |
| LOTL Sn 1018 to Sn 1019 | No publication of a pivot LOTL between Event (T5) and Event (T6). New instances of the LOTL publishing changes notified by the Member States. |
| LOTL Sn 1020 “Siu”: OJEUabc, P1010, P1000, P969, P811, OJEUxyz, … “PTOTSLEU”: New-LOC // C4, C6, C7 Signature (C7) | T6. Publication of a new LOTL with, as first value in its <SchemeInformationURI> element, the location of the new OJEU publication. Transition period starts now. |
| LOTL Sn 1021 “Siu”: P1021, OJEUabc, P1010, P1000, P969, P811, OJEUxyz, … “PTOTSLEU”: New-LOC // C7, C8, C9 Signature (C7) | New pivot due to the need for changing LOTLSO certificates |
| LOTL Sn 1022 to Sn 1026 | New instances of the LOTL publishing changes notified by the Member States (in the corresponding Member State entry of the LOTL PTOTSLs element) |
| LOTL Sn 1027 “Siu”: P1022, P1021, OJEUabc, … “PTOTSLEU”: New-LOC // C7, C8, C9 Signature (C9) | T7. Publication of a new LOTL which resets the pivots (“below” the OJEUabc entry in the “Siu”). Transition period ends now. The old LOTL location may be disabled (and is, in this example). |
| LOTL Sn 1028 “Siu”: P1028, P1021, OJEUabc, … “PTOTSLEU”: New-LOC // C7, C8, C10 Signature (C8) | New pivot due to the need for changing LOTLSO certificates |
| LOTL Sn 1029 to Sn … | … |
Table 2: Illustration of change in LOTL location