No, we do not consider that a correct assumption. The contractor will have to define the EU root CA’s Certificate Practice Statement (CPS), that will in any case have to be in line with the European Certificate Policy. This EU Root CA CPS defined by the contractor (and audited by an accredited PKI Auditor) is then the specific CPS that external EAs and AAs have to be compliant to, since they want to be enrolled under the EU Root CA. It is not enough for an external EA and AA to be compliant only with the European Certificate Policy, as they must demonstrate the compliance with the specific CPS of the EU Root CA that will take particular implementation choices in its CPS. Hence, this entire process definition and coordination with external EAs and AAs is full part of this contract and duties of the contractor. Please also compare with Annex I – Part 2: Technical Specifications, page 9 - point 6 as well as Chapter 2.3.6., where it says: The CPS of the external EA or AA should be fully compliant with the CPS of the EU root CA provided by the contractor. The process to check the compliance of the external EAs and AAs shall be described and performed by the contractor of the EU root CA, in agreement with the contracting authority (i.e. JRC). The contractor shall describe the process by which the EU root CA receives the CPS of AAs/EAs, the audit report and issuance of the sub-CAs certificates, as well as the operation of all CA functionalities necessary for the external sub-CAs under the EU root CA according to .