---
title: "eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements"
canonical_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-etsi-en-319-401"
source_url: "https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-etsi-en-319-401"
author: "Sorena AI"
description: "Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "eIDAS"
  - "ETSI EN 319 401"
  - "trust service provider"
  - "QTSP"
  - "conformity assessment"
  - "trusted lists"
  - "trust service providers"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# eIDAS vs ETSI EN 319 401: legal supervision and TSP policy requirements

Compare eIDAS and ETSI EN 319 401 for trust services: legal scope, QTSP supervision, conformity assessment, audits, incident evidence, and operational controls.

*Comparison* *EU trust services*

## eIDAS vs ETSI EN 319 401 legal framework vs trust-service policy standard

Use this comparison to separate eIDAS legal duties from ETSI EN 319 401 operational policy and security requirements for trust service providers.

The practical overlap is strongest for QTSP conformity assessments, audits, incident handling, risk management, termination planning, evidence retention, supplier controls, and trusted-list readiness.

eIDAS and ETSI EN 319 401 are not substitutes. eIDAS is the EU legal framework for electronic identification, trust services, qualified status, supervision, trusted lists, liability, and legal effects. ETSI EN 319 401 is a general policy and security requirements standard for trust service providers, including risk assessment, practice statements, information security, incident handling, continuity, termination, compliance, and supply-chain controls.

## eIDAS vs ETSI EN 319 401: what each one controls

Use this comparison to assign legal, supervisory, audit, and operational evidence work without treating the EU regulation and ETSI standard as interchangeable.

- **eIDAS Regulation**: Binding EU framework for electronic identification and trust services, including qualified trust-service status, supervision, conformity assessment reports, trusted lists, legal effects, liability, and notifications.
- **ETSI EN 319 401**: European Standard setting general policy and security requirements for trust service providers, including risk, practices, information security, incident handling, continuity, termination, compliance, and supply chain.

| Dimension | eIDAS Regulation | ETSI EN 319 401 | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope boundary | Applies to notified electronic identification schemes, European Digital Identity Wallets, and trust service providers established in the Union, with separate rules for qualified and non-qualified trust services. | Applies as a general TSP policy and security requirements standard for qualified and non-qualified trust services; service-specific ETSI standards can add further requirements. | Start with eIDAS to classify the legal service and status, then use EN 319 401 to identify the baseline control evidence for the provider. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports using eIDAS first for legal classification and qualified-status consequences.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports using the standard for TSP control evidence after legal scoping. |
| Covered actors | Defines qualified status, trusted-list consequences, liability rules, legal effects for electronic signatures and related trust services, and supervisory withdrawal of qualified status when requirements are not met. | Does not grant legal status by itself; it documents policy and security requirements that can support conformity assessment and operational assurance. | Do not tell customers that EN 319 401 conformance alone makes a service qualified. Qualified service status depends on the eIDAS supervisory and trusted-list route. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the point that qualified trust services may begin only after trusted-list indication.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the standard's role as policy and security requirements rather than a legal grant of qualified status. |
| Trigger | A provider intending to start a qualified trust service notifies the supervisory body with a conformity assessment report; qualified services may start after qualified status is indicated in the trusted lists. | Requires provider-controlled documentation such as trust service practice statements, terms and conditions, security policy, and risk treatment evidence that can feed the conformity assessment. | Treat the ETSI evidence pack as input to assessment, not as the final market-access gate for a qualified trust service. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the distinction between assessment inputs and the eIDAS trusted-list gate.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the need for operational policy documentation before assessment. |
| Core obligations | QTSPs are audited at their own expense at least every 24 months by a conformity assessment body and submit the resulting conformity assessment report to the supervisory body within three working days of receipt. | EN 319 401 references conformity assessment bodies and provides requirement-level material that an assessor can test, including risk assessment, security policy, logs, compliance, continuity, and suppliers. | Build audit workpapers around requirement evidence, but track eIDAS audit timing, report submission, and supervisory-body communication separately. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the QTSP audit frequency and conformity assessment report submission requirement.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the assessment-ready control domains used as audit workpaper structure.<br>[ENISA guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - Supports the supervisory-review context for QTSP assessments under eIDAS Article 20. |
| Evidence record | For qualified providers, eIDAS requires relevant information concerning data issued and received to be recorded and kept accessible for an appropriate period, including after activities cease, to support legal evidence and service continuity. | EN 319 401 requires evidence such as practice statements, terms, log retention periods, risk assessments, incident documentation, continuity records, termination planning, compliance evidence, and supplier assurance records. | Store legal-status records and control-operation records together only if metadata makes the purpose clear: legal evidence, trusted-list status, conformity assessment, security operation, continuity, or supplier assurance. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the qualified-provider recordkeeping purpose for legal proceedings and continuity, including after cessation.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports including log retention, incident documentation, compliance evidence, and supplier records in the evidence model. |
| Timing and deadlines | eIDAS requires notification of significant security breaches or disruptions affecting the trust service or maintained personal data without undue delay and no later than 24 hours after awareness. | EN 319 401 requires monitoring, logging, incident response, communication plans, stakeholder notification procedures, vulnerability handling, and documentation through the incident lifecycle. | Use EN 319 401 to operate detection and response, but use eIDAS to determine whether the supervisory body, affected persons, public, or other authorities must be notified. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the eIDAS notification trigger and 24-hour outside limit for significant trust-service security events.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports using the standard for incident operating procedures while reserving legal notification decisions for applicable law. |
| Enforcement | Member State supervisory bodies supervise QTSPs, analyse conformity assessment reports, carry out audits or request assessments, grant or withdraw qualified status, and inform trusted-list bodies of status decisions. | ETSI EN 319 401 is not an enforcement authority. It creates a requirements baseline that management, assessors, supervisors, customers, and procurement teams can use to evaluate TSP controls. | Escalate legal-status failures through the supervisory route; escalate control gaps through remediation, assessment findings, customer assurance, or supplier governance. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the supervisory-body responsibilities for QTSPs, assessment reports, audits, qualified status, and trusted-list updates.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the standard's role as an auditable requirements baseline rather than a public enforcement route.<br>[ENISA guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - Supports keeping supervisory issues separate from internal control remediation. |
| Overlap and reuse | eIDAS keeps the provider responsible for qualified-service compliance, change notifications, continuity, and supervisory outcomes even when technology or service components are supplied by others. | EN 319 401 requires supply-chain security policies, supplier-selection criteria, subcontracting agreements, security requirements, monitoring, component traceability, and audit or SLA mechanisms. | For QTSP procurement, require contracts to preserve eIDAS obligations while also demanding EN 319 401 evidence from suppliers and component providers. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports provider responsibility for qualified-service duties and supervisory-facing outcomes.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports contract controls and audit mechanisms for outsourced or supplier-supported trust-service components. |
| Practical decision rule | eIDAS sets high-level trust-service duties, including security-risk management, qualified-service requirements, change notification, recordkeeping, and termination-plan expectations. | EN 319 401 makes those duties operational through management-approved risk assessment, trust service practice statement, terms and conditions, information security policy, access control, cryptographic controls, operations security, and network security. | Translate each legal duty into EN 319 401 control evidence where applicable, but keep the source label visible so an auditor can see which requirement is being tested. | [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the high-level legal duties for security, changes, records, and termination in trust-service operation.<br>[ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports mapping legal duties to concrete policy, practice, security, and risk-treatment evidence. |

Sources for Scope boundary - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the eIDAS scope statement for eID schemes, wallets, and EU-established trust service providers.
  - Quote: "trust service providers established in the Union"

Sources for Scope boundary - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the EN 319 401 scope statement for general security management and cybersecurity requirements for trust services.
  - Quote: "qualified and non-qualified"

Sources for Scope boundary - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports using eIDAS first for legal classification and qualified-status consequences.
  - Quote: "qualified trust service provider"
- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports using the standard for TSP control evidence after legal scoping.
  - Quote: "trust service policy"

Sources for Covered actors - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the legal-status, liability, supervisory withdrawal, and trusted-list aspects of eIDAS.
  - Quote: "withdraw the qualified status"

Sources for Covered actors - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the standard's role as policy and security requirements rather than a legal grant of qualified status.
  - Quote: "policies and practices"

Sources for Covered actors - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the point that qualified trust services may begin only after trusted-list indication.
  - Quote: "trusted lists"

Sources for Trigger - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the notification, conformity assessment report, supervisory verification, and trusted-list start condition for qualified services.
  - Quote: "after the qualified status has been indicated"

Sources for Trigger - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the TSP documentation and risk-treatment records that are relevant to assessment preparation.
  - Quote: "Trust Service Practice statement"

Sources for Trigger - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the distinction between assessment inputs and the eIDAS trusted-list gate.
  - Quote: "trusted lists"
- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the need for operational policy documentation before assessment.
  - Quote: "terms and conditions"

Sources for Core obligations - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the QTSP audit frequency and conformity assessment report submission requirement.
  - Quote: "at least every 24 months"

Sources for Core obligations - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the assessment-ready control domains used as audit workpaper structure.
  - Quote: "conformity assessment bodies"

Sources for Core obligations - operational implication:

- [ENISA guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - Supports the supervisory-review context for QTSP assessments under eIDAS Article 20.
  - Quote: "pursuant to Art.20"

Sources for Evidence record - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the qualified-provider recordkeeping purpose for legal proceedings and continuity, including after cessation.
  - Quote: "providing evidence in legal proceedings"

Sources for Evidence record - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the specific operational evidence categories for TSP controls and assessments.
  - Quote: "provide evidence"

Sources for Evidence record - operational implication:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports including log retention, incident documentation, compliance evidence, and supplier records in the evidence model.
  - Quote: "event logs are retained"

Sources for Timing and deadlines - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the eIDAS notification trigger and 24-hour outside limit for significant trust-service security events.
  - Quote: "no later than 24 hours"

Sources for Timing and deadlines - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the operational incident-management evidence categories: monitoring, logs, response procedures, reporting, communications, and post-incident records.
  - Quote: "Vulnerabilities and Incident management"

Sources for Timing and deadlines - operational implication:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports using the standard for incident operating procedures while reserving legal notification decisions for applicable law.
  - Quote: "supervisory authorities and CSIRTs"

Sources for Enforcement - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the supervisory-body responsibilities for QTSPs, assessment reports, audits, qualified status, and trusted-list updates.
  - Quote: "grant qualified status"

Sources for Enforcement - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the standard's role as an auditable requirements baseline rather than a public enforcement route.
  - Quote: "Compliance"

Sources for Enforcement - operational implication:

- [ENISA guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - Supports keeping supervisory issues separate from internal control remediation.
  - Quote: "facilitating the implementation"

Sources for Overlap and reuse - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports provider responsibility for qualified-service duties and supervisory-facing outcomes.
  - Quote: "qualified trust service provider"

Sources for Overlap and reuse - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the supplier, outsourcing, cloud, SLA, traceability, and audit-mechanism controls for TSP operations.
  - Quote: "direct suppliers and service providers"

Sources for Overlap and reuse - operational implication:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports contract controls and audit mechanisms for outsourced or supplier-supported trust-service components.
  - Quote: "documented agreement"

Sources for Practical decision rule - eIDAS Regulation:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the high-level legal duties for security, changes, records, and termination in trust-service operation.
  - Quote: "termination plan"

Sources for Practical decision rule - ETSI EN 319 401:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the listed operational control domains and the requirement for management-approved risk assessment.
  - Quote: "management shall approve the risk assessment"

Sources for Practical decision rule - operational implication:

- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports mapping legal duties to concrete policy, practice, security, and risk-treatment evidence.
  - Quote: "security requirements and operational procedures"

### How should teams use the comparison?

- For a new or changed trust service, first write the eIDAS classification: service type, qualified or non-qualified status, supervisory body, trusted-list consequence, notification duty, and legal-status evidence.
- Then write the ETSI EN 319 401 control plan: risk assessment owner, practice statement owner, terms owner, security-policy owner, incident owner, continuity owner, supplier owner, and evidence location.
- Before audit or procurement review, cross-reference each shared artifact to both sources when it genuinely supports both, and leave it single-labelled when it supports only one side.

Sources for the practical decision rule:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the legal classification, supervisory, trusted-list, and notification items in the recommended use of the comparison.
  - Quote: "supervisory body"
- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the control-plan items for risk, practice statements, terms, security policy, incident handling, continuity, suppliers, and evidence.
  - Quote: "TSP management and operation"

## The short answer for trust-service teams

Use eIDAS to decide whether a service is a trust service, whether qualified status is involved, which supervisory body route applies, what must be notified, and when trusted-list status controls market availability.

Use ETSI EN 319 401 to build the control evidence that a trust service provider can show during assessment or supervisory review: risk assessment, trust service practice statement, terms and conditions, security policy, logs, incident records, business continuity, termination planning, compliance evidence, and supplier governance.

- A QTSP cannot treat EN 319 401 conformance as a replacement for eIDAS qualified status; eIDAS requires supervisory-body verification and trusted-list indication for qualified service provision.
- A TSP cannot treat eIDAS scope analysis as an operational control set; EN 319 401 turns trust-service obligations into auditable management, security, incident, continuity, and supplier records.
- The strongest reuse pattern is a single evidence pack with separate labels for the eIDAS article, ETSI requirement, owner, assessment status, and trusted-list or supervisory consequence.

Sources for this answer:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the legal distinction between trust services, qualified status, supervisory bodies, conformity assessment reports, and trusted lists.
- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the operational-control side of the comparison: TSP risk assessment, practice statements, security policy, incidents, continuity, compliance, and supply chain.

## Where the frameworks overlap in practice

The overlap is not a choice between law and standard. It is the place where legal supervision needs technical and organisational evidence. eIDAS requires QTSP audits, conformity assessment reports, supervisory-body verification, breach or disruption notification, qualified-status decisions, and trusted-list updates. EN 319 401 supplies a structured way to document many of the controls behind those outcomes.

For example, eIDAS Article 20 audits and Article 21 initiation rely on conformity assessment and supervisory review. EN 319 401 points teams toward the material an assessor or supervisor will expect to see, such as approved practice statements, risk treatment, policy publication, incident procedures, logs, termination plans, and compliance records.

- Keep the eIDAS record focused on legal status, supervisory communications, trusted-list state, notification obligations, and qualified-service permissions.
- Keep the EN 319 401 record focused on requirement-level control design and operating evidence.
- When the same artifact serves both, cite both sides separately; do not describe a standard requirement as if it were a statutory fine or a legal authorisation.

Sources for this answer:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the supervision, QTSP audit, conformity assessment, initiation, and trusted-list claims used in this overlap section.
- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the evidence categories used for assessor-ready TSP controls, including risk assessment, practice statements, incidents, compliance, and supply chain.
- [ENISA guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - Supports the supervisory context for qualified trust services and Article 20 supervision without adding a separate legal obligation.

## Evidence that should not be confused

An eIDAS evidence folder should answer legal and supervisory questions: is the provider qualified, is the service qualified, has the conformity assessment report been submitted, has the supervisory body granted or withdrawn status, is the service shown on the trusted list, and were significant incidents notified through the required route.

An EN 319 401 evidence folder should answer operational control questions: has management approved the risk assessment, are policy and practice statements maintained, are subscribers and relying parties given service terms, are logs reviewed, are incident procedures tested, are critical vulnerabilities handled, are termination arrangements documented, and are suppliers governed by security requirements and agreements.

- Do not use an ETSI control checklist as proof that a qualified service may start; eIDAS ties that start to trusted-list indication.
- Do not use a trusted-list entry as proof that every EN 319 401 control is operating effectively; keep control evidence current.
- For procurement, require both legal status evidence and standard-based control evidence when buying qualified trust services or trust-service components.

Sources for this answer:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the need to distinguish qualified status, trusted-list indication, supervisory reports, and incident notification from control-level evidence.
- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the operational evidence list for TSP risk, policies, terms, incidents, continuity, termination, compliance, and suppliers.

*Recommended next step*

*Placement: before sources*

## Separate eIDAS status evidence from ETSI EN 319 401 control evidence

Sorena can help structure eIDAS and ETSI EN 319 401 records so legal, security, procurement, product, and audit reviewers can see which evidence supports qualified status, supervision, conformity assessment, incident handling, and TSP controls.

- [Open Research Copilot for eIDAS](/solutions/research-copilot.md): Ask source-linked questions about eIDAS supervision, QTSP status, trusted lists, and ETSI EN 319 401 evidence.
- [Talk through implementation](/contact.md): Review your trust-service evidence model, supplier questions, and conformity assessment preparation with Sorena.

## Primary sources

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj?ref=sorena.io) - Supports the legal classification, supervisory, trusted-list, and notification items in the recommended use of the comparison.
  - Quote: "supervisory body"
- [ETSI EN 319 401 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the control-plan items for risk, practice statements, terms, security policy, incident handling, continuity, suppliers, and evidence.
  - Quote: "TSP management and operation"
- [ENISA guidelines on supervision of qualified trust services](https://www.enisa.europa.eu/publications/tsp-supervision?ref=sorena.io) - Supports keeping supervisory issues separate from internal control remediation.
  - Quote: "facilitating the implementation"
- [ETSI publishes European Standards to support eIDAS regulation](https://www.etsi.org/newsroom/news/1111-2016-07-etsi-publishes-european-standards-to-support-eidas-regulation?ref=sorena.io) - ETSI source for the role of ETSI standards in supporting eIDAS trust services, signature formats, interoperability, and conformance testing.
  - Quote: "supporting electronic signatures"

## Related Topic Guides

- [eIDAS 2 deadlines and compliance calendar for EUDI Wallet and trust services](/artifacts/eu/electronic-identification-and-trust-services-regulation/deadlines-and-compliance-calendar.md): Calendar of grounded eIDAS and eIDAS 2 milestones for EUDI Wallet delivery, implementing acts, annual supervision reports, QTSP transitions, pilots, and ARF evidence.
- [eIDAS 2.0 vs eIDAS: EUDI Wallet and trust-service changes](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas2-vs-eidas.md): Compare the original eIDAS electronic identification and trust-service framework with the eIDAS 2.0 amendments for EUDI Wallets, relying parties, attestations, QWACs, and supervision.
- [eIDAS Certificates and Authentication: qualified certificates, QWACs, and validation checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/certificates-and-authentication.md): Grounded guide to eIDAS qualified certificates, website authentication certificates, trusted lists, relying-party checks, and validation evidence.
- [eIDAS checklist and evidence pack for trust services, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist-and-evidence.md): Build an eIDAS evidence pack for qualified trust services, electronic signatures, trusted-list checks, certificate validation, supervisory records, and EUDI Wallet relying-party controls.
- [eIDAS compliance guide for trust services, QTSPs, signatures, and EUDI Wallet relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/compliance.md): Grounded eIDAS compliance guide for trust-service classification, QTSP supervision evidence, qualified signatures, seals, time stamps, certificates, trusted-list validation, and EUDI Wallet relying-party records.
- [eIDAS electronic signatures: SES, AES, QES legal effect and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-signatures-and-legal-effect.md): A grounded guide to eIDAS electronic-signature legal effect: SES, AES, QES, qualified certificates, QTSP trusted-list checks, validation, recognition, and evidence records.
- [eIDAS penalties and fines for trust service providers](/artifacts/eu/electronic-identification-and-trust-services-regulation/penalties-and-fines.md): Grounded guide to eIDAS Article 16 penalties, administrative fine mechanics, supervisory bodies, qualified-status withdrawal, and trusted-list evidence.
- [eIDAS QES validation checks for relying parties](/artifacts/eu/electronic-identification-and-trust-services-regulation/qes-validation.md): How to validate a qualified electronic signature under eIDAS: certificate, QTSP, trusted-list, QSCD, integrity, validation result, and evidence records.
- [eIDAS Qualified Trust Services: QTSP Selection](/artifacts/eu/electronic-identification-and-trust-services-regulation/qualified-trust-services-and-qtsp-selection.md): How to select an EU eIDAS qualified trust service provider: identify the qualified service type, verify trusted-list status, review supervision evidence, and retain certificate-policy records.
- [eIDAS remote signature and cloud HSM controls for QTSPs](/artifacts/eu/electronic-identification-and-trust-services-regulation/remote-signature-and-cloud-hsm-controls.md): Grounded guide to eIDAS remote signature controls: remote QSCD scope, server-side signing, QTSP evidence, signer authentication, certificate validation, and trusted-list checks.
- [eIDAS signature legal effect selector: SES, AES, AES-QC, or QES](/artifacts/eu/electronic-identification-and-trust-services-regulation/signature-legal-effect-selector-workflow.md): Select the right eIDAS signature level by legal effect, risk, qualified certificate status, QTSP evidence, QSCD use, validation result, and cross-border recognition.
- [eIDAS trust service role scoping workflow: TSP, QTSP, validator, relying party, or QTSP customer](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-service-role-scoping-workflow.md): Classify an eIDAS role by evidence: trust service provider, qualified trust service provider, signature or seal validator, EUDI Wallet relying party, relying party, or customer of a QTSP.
- [eIDAS trusted list validation: LOTL, QTSP status, and evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/trust-list-validation.md): How to validate EU eIDAS trusted-list evidence: start from the Commission LOTL, confirm QTSP and qualified-service status, check certificate path and revocation data, and retain validation reports.
- [eIDAS vs ESIGN and UETA: EU qualified signatures vs U.S. e-signature laws](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-esign-and-ueta.md): Compare eIDAS with ESIGN and UETA for electronic signatures, qualified certificates, trust services, cross-border recognition, validation evidence, and source gaps.
- [eIDAS vs GDPR for identity data: wallet, trust-service, and privacy obligations](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-gdpr-identity-data.md): Compare eIDAS identity, trust-service, and EUDI Wallet rules with GDPR duties for personal-data processing, minimisation, lawful basis, evidence, security, and user rights.
- [eIDAS vs NIS2 for trust service providers: QTSP and cybersecurity obligations](/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-nis2-trust-services.md): Compare eIDAS trust-service and QTSP duties with NIS2 cybersecurity risk-management, incident reporting, supervision, and evidence duties for trust service providers.
- [Electronic Attestations of Attributes under EU eIDAS: EAA, QEAA, issuers, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/electronic-attestations-of-attributes.md): Grounded guide to electronic attestations of attributes under amended EU eIDAS: EAA, QEAA, public-sector authentic-source attestations, wallet use, issuer checks, relying-party validation, revocation, and legal effect.
- [EU eIDAS Applicability Test for Trust Services, Wallets, and Certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/applicability-test.md): A grounded eIDAS scope test for QTSPs, trust services, electronic signatures, seals, timestamps, QWACs, EUDI Wallet relying parties, and cross-border recognition evidence.
- [EU eIDAS attribute attestations: EAA, QEAA, wallet, and relying party checks](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/attribute-attestations.md): What electronic attestations of attributes mean under eIDAS, how QEAAs differ from public-sector and non-qualified attestations, and what issuers, wallets, and relying parties should verify.
- [EU eIDAS checklist for signatures, trust services, and wallets](/artifacts/eu/electronic-identification-and-trust-services-regulation/checklist.md): Checklist for eIDAS trust-service and EUDI Wallet controls: qualified status, trusted lists, certificates, signatures, seals, timestamps, validation evidence, and relying-party records.
- [EU eIDAS FAQ: signatures, QTSPs, trusted lists, QWACs, wallets, and validation](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq.md): FAQ on eIDAS trust services and the European Digital Identity framework, covering advanced and qualified electronic signatures, QTSP status, trusted lists, QWACs, EUDI Wallet relying parties, attestations of attributes, and validation evidence.
- [EU eIDAS QTSP authorization and supervision guide](/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-authorization-and-supervision.md): How qualified trust service providers obtain and keep qualified status under eIDAS, including conformity assessment reports, supervision, trusted lists, incidents, and evidence.
- [EU eIDAS QTSP Due Diligence Workflow for Trusted Lists, Certificates, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/qtsp-due-diligence-workflow.md): Check a qualified trust service provider under eIDAS by validating trusted-list status, qualified service scope, certificates, policies, supervision, audits, and retained evidence.
- [EU eIDAS Requirements for Trust Services, Signatures, Seals, Wallets, and Evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/requirements.md): Grounded guide to core eIDAS requirements for trust service providers, qualified trust services, electronic signatures, seals, time stamps, trusted lists, and EUDI Wallet relying parties.
- [EU eIDAS Trusted Lists FAQ: LOTL, QTSP status, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/trusted-lists.md): How EU eIDAS Trusted Lists and the Commission LOTL support QTSP and qualified trust-service validation, with practical evidence checks for relying parties.
- [EUDI Wallet readiness for service providers under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-readiness.md): Readiness guide for organisations preparing to request or verify data from European Digital Identity Wallets: roles, registration, ARF alignment, selective disclosure, implementing acts, and evidence.
- [EUDI Wallet Relying Parties under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/eudi-wallet-relying-party.md): What EUDI Wallet relying parties must do under eIDAS: register, declare intended wallet use and requested data, identify themselves to users, and keep request evidence.
- [EUDI Wallet Relying Party Onboarding Workflow under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/wallet-onboarding-workflow.md): A grounded onboarding workflow for organisations that want to request data from European Digital Identity Wallet users as eIDAS wallet relying parties.
- [EUDI Wallet Relying Party Registration Under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-relying-party-registration.md): What eIDAS Article 5b and the EUDI Wallet ARF say about wallet relying party registration, intended uses, attribute requests, certificates, evidence, and Member State gaps.
- [EUDI Wallet Technical Architecture Guide under eIDAS](/artifacts/eu/electronic-identification-and-trust-services-regulation/eudi-wallet-technical-architecture-guide.md): Technical guide to the EUDI Wallet architecture: ARF roles, wallet units, PID and attestations, relying parties, trust model, certificates, protocols, privacy, and security controls.
- [QES vs AdES under EU eIDAS: legal effect, certificates, QTSPs, and validation evidence](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qes-vs-ades.md): Compare qualified electronic signatures (QES) and advanced electronic signatures (AdES) under EU eIDAS, including legal effect, qualified certificates, QTSP status, QSCDs, and validation evidence.
- [QWACs under eIDAS: website authentication certificates](/artifacts/eu/electronic-identification-and-trust-services-regulation/qwacs.md): A grounded guide to qualified website authentication certificates under eIDAS, covering Annex IV data, trusted lists, browser recognition, validation evidence, and QTSP checks.
- [What eIDAS Covers: eID, Trust Services, EUDI Wallet, and QWACs](/artifacts/eu/electronic-identification-and-trust-services-regulation/what-eidas-covers.md): A grounded guide to the systems and services covered by EU eIDAS: notified electronic identification, trust services, signatures, seals, time stamps, registered delivery, website authentication, trusted lists, the EUDI Wallet, and attribute attestations.
- [What is a qualified trust service provider under eIDAS?](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qualified-trust-service-provider.md): How to verify QTSP status under eIDAS using the qualified service, supervisory body decision, trusted list entry, conformity assessment evidence, and service-specific records.
- [What is a QWAC under the EU eIDAS Regulation?](/artifacts/eu/electronic-identification-and-trust-services-regulation/faq/qwac.md): Plain-language FAQ on qualified website authentication certificates under eIDAS, including website identity, QTSP trusted-list checks, browser recognition, and validation evidence.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/eu/electronic-identification-and-trust-services-regulation/eidas-vs-etsi-en-319-401