How does Article 45 enable the interception of web traffic?

Under the eIDAS regulation, each member state of the EU (as well as recognised third-party countries) is able to designate Qualified Trust Service Providers (Qualified TSPs) for the distribution of Qualified Website Authentication Certificates (QWACs). Outside the EU, these TSPs and QWACs are more typically known as Certificate Authorities (CAs) and TLS certificates, respectively. Article 45 requires browsers to recognise these certificates.

This is particularly troubling because any malicious CA has the ability to intercept all the web traffic of affected browsers. Any CA trusted by a browser has the capability to issue a certificate for any website, even a website that uses certificates provided by a different CA. If the CA issues a certificate containing cryptographic keys not actually under the control of the website operator, the party who controls those keys can use them to intercept web traffic to that website.

Consequently, CAs are subject to stringent security and safety checks. Currently, browsers vet the CAs they trust and monitor them carefully for compliance through audits, incident reporting, and other controls such as Certificate Transparency. In the event a CA misbehaves, or substantiated concerns emerge regarding its behaviour, browsers act swiftly to remove the CA's certificate and prevent any further harm to users or websites.

Article 45 appears to block the removal of CAs selected by European governments. Browsers are banned from withdrawing these CAs without the permission of the government concerned. Some member states directly operate or own these CAs, making them simultaneously the suspect, the jury and the judge in the event of any misbehaviour. If this comes to pass, it would enable any EU government or recognised third-party country to begin intercepting web traffic and would make it impossible to stop without their permission. The proposed text describes no independent check or balance on this process.

Even worse, this regulation allows the government of every EU member state to add CA certificates to a central list, and only the member state responsible for adding a CA to the list can remove it, yet these CAs will be distributed to every European citizen. As a result, ineptitude or malice by one EU member state will impact the security of every European citizen. EU citizens therefore need to be concerned not only with their own governments: they are forced to place their online security in the hands of every member state and recognised third-party country, each of which can individually act to intercept their traffic.

There is a long history of certificates mis-issued by government agencies being used to compromise encrypted web traffic:

In all of these cases, certificates that were mis-issued by the CA were used by attackers to intercept and inspect encrypted web traffic for popular websites. In each case, browsers responded by revoking trust, denying inclusion, or actively blocking the use of these certificate authorities.