How to Delegate CBAM O3CI Access Rights to Employees

The Delegation Hierarchy

Step-by-Step: Delegating Access to a New Employee

1. Employee creates EU Login account: The new employee goes to webgate.ec.europa.eu/cas/login → "Create an account". They use their company email address and set up 2FA with their mobile phone.
2. Employee provides EU Login username to External Administrator: The EU Login username is the email address used during registration. The employee sends this to the External Administrator.
3. External Administrator logs in to EU Access Admin-Ext: Navigate to webgate.ec.europa.eu/admin-ext.
4. Find or create the user: "User Management" → "Find User" → search by email. If the user is found, proceed to step 5. If not found, create the user: "User Management" → "Create User" → enter name, email, phone.
5. Link user to organisation: Click the user's account → "Link to Organisation" → select your company → Save.
6. Assign role: "Role Assignment" → select the user → "Assign Role" → select "CBAM — O3CI Portal" from the service list → select "Admin Operator" or "Simple Operator" → Confirm.
7. Wait 24 hours: Role propagation takes up to 24 hours. Inform the employee to wait before attempting portal access.
8. Employee tests access: The employee logs in to the O3CI portal at cbam.ec.europa.eu using their EU Login credentials. If they see the portal dashboard, delegation is complete.

Delegating to an External Consultant

External consultants (e.g., CBAM compliance advisors, carbon accountants) can be granted Simple Operator access to assist with data entry. The process is identical to delegating to an employee, with these differences:

• The consultant must use their own EU Login account — you cannot share your credentials
• Assign Simple Operator (not Admin Operator) to limit their access to data entry only
• Set a calendar reminder to revoke access when the consulting engagement ends
• Consultants with access to multiple clients' O3CI accounts must maintain separate EU Login accounts for each client — one EU Login account cannot be linked to multiple organisations

Critical: Offboarding — What to Do When an Employee Leaves

This is the most commonly neglected step in O3CI access management. When an employee with O3CI portal access leaves your company, their EU Login account remains active until explicitly revoked. A former employee retains the ability to log in to the O3CI portal and view or modify your CBAM data until their access is revoked.

Offboarding procedure — must be completed on the employee's last day:

1. External Administrator logs in to EU Access Admin-Ext
2. "Role Assignment" → find the departing employee's account → remove all role assignments for the CBAM O3CI portal service
3. "User Management" → find the employee's account → "Unlink from Organisation"
4. If the employee was the only Admin Operator: immediately assign the Admin Operator role to another user before completing the offboarding
5. If the employee was the External Administrator: contact the EU Commission IT helpdesk to transfer the External Administrator role to a new person
6. Document the access revocation with a timestamp for your compliance records

If you cannot revoke access immediately (e.g., the External Administrator is also leaving): contact the EU Commission CBAM helpdesk at taxation-customs.ec.europa.eu to request emergency access suspension.

Business Continuity: Avoiding Single Points of Failure

A common mistake is having only one person with Admin Operator access. If that person is ill, on leave, or leaves the company, your organisation cannot submit CBAM reports or manage authorisations until access is restored — which can take weeks. Best practice: