ETSI EN 319 401Free Resource

ETSI EN 319 401 TSP Requirements

Use ETSI EN 319 401 V3.1.1 to orient trust service provider work across risk assessment, policy documents, terms and conditions, personnel controls, asset inventory, access control, network security, incident handling, evidence collection, continuity, termination, compliance, and supply chain controls.

The standard applies general policy requirements to trust service providers regardless of the service provided and includes Annex B mappings to eIDAS requirements such as Articles 19 and 24.

View EN 319 401 requirements
Publication details
Editorial metadata for this artifact
Author
Sorena AI
Published
Mar 4, 2026
Updated
Mar 4, 2026
Where to start
Requirements map
Read the clause-by-clause requirements covering risk assessment, policy statements, terms and conditions, security controls, evidence, continuity, termination, compliance, and supply chain.
Evidence records
Track records called out by the standard, including risk approvals, practice statement reviews, asset inventories, access reviews, vulnerability scans, incident documentation, audit logs, and backup tests.
eIDAS mapping
Use Annex B context to connect EN 319 401 clauses with eIDAS security and qualified trust service provider requirements.
ETSI EN 319 401 V3.1.1 (2024-06)Covers qualified and non-qualified trust servicesIncludes eIDAS Annex B mapping
Quick start
EN 319 401
ETSI EN 319 401 requirements
Start with clauses 5, 6, and 7 for risk assessment, policies and practices, and TSP management and operation.
ETSI EN 319 401 audit evidence pack
Organize proof around management approval, terms and conditions, asset classification, access changes, vulnerability scans, incident records, UTC-synchronized logs, and continuity tests.
ETSI EN 319 401 vs eIDAS
Compare the standard's controls with eIDAS Article 19 security requirements and Article 24 qualified trust service provider duties referenced in Annex B.
Use this EN 319 401 cluster to move from the standard text into scoped policy, control, evidence, and supplier-review work.
17
Topics
7
FAQs
2
Comparisons
V3.1.1
Version
Assess risk
Publish practices
Retain evidence

Topic guides

Deep dive pages for implementation planning, controls, reporting, and evidence.

1
ETSI EN 319 401 Audit and Conformity Assessment Evidence
How to prepare ETSI EN 319 401 evidence for audit and conformity assessment without overstating what the standard itself assesses.
Read Guide
2
ETSI EN 319 401 Audit Evidence Pack
Build an ETSI EN 319 401 audit evidence pack around records, logs, policies, risk assessment, incident handling, continuity, and supplier evidence.
Read Guide
3
ETSI EN 319 401 Audit Evidence Pack Workflow
Build an ETSI EN 319 401 audit evidence pack for trust service providers: risk assessment, practice statement, policies, records, logs, continuity, and supplier evidence.
Read Guide
4
ETSI EN 319 401 compliance duties for TSPs
source-linked ETSI EN 319 401 compliance guidance for trust service providers: legal operation, evidence, accessibility, privacy, records, incidents, continuity, and suppliers.
Read Guide
5
ETSI EN 319 401 FAQ for trust service providers
source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence.
Read Guide
6
ETSI EN 319 401 Incident Evidence Workflow
Build an EN 319 401 incident and continuity evidence workflow for TSP monitoring, response, reporting, records, backup recovery, and crisis review.
Read Guide
7
ETSI EN 319 401 Incident Reporting and Continuity Duties
Practical ETSI EN 319 401 V3.1.1 guidance for trust service incident response, reporting, evidence retention, business continuity, and termination planning.
Read Guide
8
ETSI EN 319 401 Personnel, Asset, and Access Controls
Clause-focused EN 319 401 V3.1.1 guide to TSP personnel duties, trusted roles, asset inventories, classification, and access-control evidence.
Read Guide
9
ETSI EN 319 401 policy and security requirements
source-linked ETSI EN 319 401 guidance for TSP policy and security requirements: risk assessment, practice statements, terms, security policy, controls, incidents, and evidence.
Read Guide
10
ETSI EN 319 401 requirements map
Map ETSI EN 319 401 V3.1.1 requirements for trust service providers across risk assessment, policies, TSP operations, incidents, evidence, continuity, termination, and supply chain controls.
Read Guide
11
ETSI EN 319 401 Risk Assessment and Treatment
Clause-grounded ETSI EN 319 401 V3.1.1 guidance for trust service risk assessment, risk treatment, residual-risk approval, and evidence planning.
Read Guide
12
ETSI EN 319 401 Subcontractor Controls
Practical EN 319 401 guidance for TSP subcontractor controls: retained responsibility, agreements, SLAs, supplier registers, monitoring, and audit evidence.
Read Guide
13
ETSI EN 319 401 Subcontractor Evidence Workflow
Build an EN 319 401 subcontractor evidence workflow for TSP supplier agreements, SLAs, audit mechanisms, risk reviews, supplier registers, and archived records.
Read Guide
14
ETSI EN 319 401 Trust Service Applicability Workflow
A scoped workflow for deciding when ETSI EN 319 401 applies to a trust service and what TSP policy, risk, terms, operations, and supplier evidence to collect.
Read Guide
15
ETSI EN 319 401 Trust Service Provider Applicability
Use ETSI EN 319 401 to decide whether a trust service provider activity falls in the standard's type-independent baseline and what service, policy, risk, supplier, and evidence boundaries to document.
Read Guide
16
ETSI EN 319 401 vs eIDAS Article 19 and 24
Compare ETSI EN 319 401 V3.1.1 with the eIDAS provisions mapped in Annex B: trust service risk management, incident handling, records, staff, terms, and termination planning.
Read Guide
17
ETSI EN 319 401 vs EN 319 403-1: TSP Policy vs CAB Assessment
Compare ETSI EN 319 401 and ETSI EN 319 403-1 for trust service providers: TSP operating controls, conformity assessment context, evidence boundaries, and reuse limits.
Read Guide
Next step

Turn ETSI EN 319 401 requirements into accountable TSP control work

Use the EN 319 401 pages as the shared entry point for risk assessment, practice statements, policy controls, incident response, evidence records, continuity planning, and supplier oversight. Route execution into Assessment Autopilot for task ownership and into SSOT for governed evidence records.

What this unlocks
  • Assign owners for risk assessment approval, trust service practice statements, terms and conditions, information security policy, and supply chain reviews.
  • Use Assessment Autopilot to request evidence for access reviews, vulnerability scans, incident records, audit logs, backup tests, and termination-plan checks.
  • Use SSOT to keep policies, service agreements, supplier registers, continuity records, and control evidence in one governed system.
  • Keep the work aligned to the EN 319 401 clause structure so auditors and reviewers can trace each record back to the relevant requirement.
Recommended route
Open Assessment Autopilot
Turn EN 319 401 clauses into owned tasks, evidence requests, and review checkpoints for trust service provider controls.
Supporting route
Open SSOT
Keep practice statements, policies, terms, incident records, supplier registers, and audit evidence in one governed system.
Talk to Sorena
Talk through implementation
Review your current process, evidence model, and next implementation steps.
Discuss your setup