A source-linked guide to preparing EN 319 401 policies, practice statements, terms, records, and evidence for audit or assessor review.
EN 319 401 defines general TSP policy requirements; it does not define the independent assessment method, so assessor scope and scheme claims need separate support.
Use this page when a trust service provider needs to turn ETSI EN 319 401 into evidence that can be reviewed by internal audit, customers, supervisory stakeholders, or an external assessor. The key boundary is narrow: EN 319 401 specifies general policy requirements for TSP operation and management, while conformity-assessment-body requirements sit outside this standard.
ETSI EN 319 401 applies to Trust Service Providers and defines general policy requirements for their operation and management, independent of the specific trust service type. It also states that other specifications refine those requirements for particular forms of TSP.
For audit planning, this means the EN 319 401 evidence pack should not claim that the standard itself defines an independent-party assessment method. The standard explicitly says it does not specify how requirements are assessed by an independent party, and points readers to ETSI EN 319 403-1 for conformity assessment bodies assessing TSPs.
Use this guide to connect EN 319 401 clauses to owners, records, terms, practice statements, and assessment-scope decisions before evidence requests fragment across teams.
Convert EN 319 401 audit preparation into accountable tasks, evidence requests, and review milestones.
Use cited ETSI source material to resolve scope, applicability, evidence, and conformity-assessment boundaries before implementation.
Review trust-service scope, evidence owners, source coverage, and the next audit-readiness actions with Sorena.
The most useful EN 319 401 audit file is a traceable set of policies, practice statements, terms, records, and review decisions. Clause 6 requires the TSP to specify policies and practices for the trust services it provides, have management approval, communicate them to relevant employees and external parties, and maintain a review process for the practice statement.
The terms and conditions are especially important because EN 319 401 requires them to identify the trust service policy, limitations on use, subscriber obligations, relying-party information, event-log retention, liability limitations, applicable legal system, complaints and dispute procedures, conformity-assessment status and scheme where applicable, and TSP contact information.
A clause-to-evidence index should make the EN 319 401 control story inspectable without relying on tribal knowledge. At minimum, map risk assessment, information security policy, management and operations, incident management, continuity, termination planning, compliance with legal requirements, and supply-chain controls to owners and current evidence.
Clause 7.10 is central for audit readiness because it requires relevant information concerning data issued and received by the TSP to be recorded and kept accessible for an appropriate period, including after TSP activities have ceased, for legal evidence and service continuity purposes. It also requires confidentiality and integrity of current and archived records, disclosed archival practices, availability for evidence of correct operation in legal proceedings, precise timing of significant events, and UTC synchronization for audit-log event times at least once a day.
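As an added illustration, not code from this guide, from ETSI, or from Sorena, the following Python script turns the evidence-pack structure described above into three mechanical checks: missing terms-and-conditions elements, clause-to-evidence index rows that have no owner or whose evidence is stale, and audit-log entries that are not recorded in UTC or fall more than a day after the last recorded time synchronisation (the clause 7.10 timing requirement). The field names, the one-year review age and the sample terms, index rows, events and sync times are all constructed for the example.

```python
"""Constructed audit-readiness checks for an EN 319 401 evidence pack.

Hypothetical helper, not from the guide or from ETSI: it reports gaps a
reviewer would otherwise find by hand in the terms, the clause-to-evidence
index and the audit-log timing records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Terms-and-conditions elements the guide lists as required by EN 319 401.
REQUIRED_TERMS = (
    "trust_service_policy", "limitations_on_use", "subscriber_obligations",
    "relying_party_information", "event_log_retention", "liability_limitations",
    "applicable_legal_system", "complaints_and_disputes",
    "conformity_assessment_status", "tsp_contact",
)

# Minimum control areas the guide names for the clause-to-evidence index.
INDEX_AREAS = (
    "risk_assessment", "information_security_policy", "management_and_operations",
    "incident_management", "continuity", "termination_planning",
    "legal_compliance", "supply_chain",
)


@dataclass(frozen=True)
class EvidenceRow:
    area: str
    owner: str          # empty string means nobody is accountable for the area
    evidence_ref: str   # document id or record location (constructed values)
    reviewed_on: datetime


def terms_gaps(terms: dict) -> list:
    """Required elements that are absent or empty in the terms record."""
    return [k for k in REQUIRED_TERMS if not terms.get(k)]


def index_gaps(rows, now, max_age_days=365) -> dict:
    """Areas with no row, no owner, or evidence reviewed more than max_age_days ago."""
    covered = {r.area for r in rows}
    return {
        "missing": [a for a in INDEX_AREAS if a not in covered],
        "unowned": sorted(r.area for r in rows if not r.owner.strip()),
        "stale": sorted(r.area for r in rows
                        if now - r.reviewed_on > timedelta(days=max_age_days)),
    }


def audit_log_findings(events, sync_times, max_sync_gap=timedelta(days=1)) -> list:
    """Clause 7.10 timing checks: every event must carry a UTC timestamp and
    must fall within max_sync_gap of the most recent synchronisation before it."""
    findings = []
    syncs = sorted(sync_times)
    for ev in events:
        ts = ev["time"]
        if ts.tzinfo is None or ts.utcoffset() != timedelta(0):
            findings.append((ev["id"], "timestamp not UTC"))
            continue
        prior = [s for s in syncs if s <= ts]
        if not prior:
            findings.append((ev["id"], "no synchronisation before event"))
        elif ts - prior[-1] > max_sync_gap:
            findings.append((ev["id"], "synchronisation gap exceeds one day"))
    return findings


# --- constructed sample data -------------------------------------------------
UTC = timezone.utc
NOW = datetime(2024, 6, 1, tzinfo=UTC)

SAMPLE_TERMS = {k: "T&C v3, section placeholder" for k in REQUIRED_TERMS}
SAMPLE_TERMS["event_log_retention"] = ""        # constructed gap: empty element
del SAMPLE_TERMS["complaints_and_disputes"]     # constructed gap: element absent

SAMPLE_ROWS = [
    EvidenceRow("risk_assessment", "CISO", "RA-2024-01", datetime(2024, 3, 1, tzinfo=UTC)),
    EvidenceRow("information_security_policy", "", "ISP-v5", datetime(2024, 1, 10, tzinfo=UTC)),
    EvidenceRow("incident_management", "SOC lead", "IR-plan-v2", datetime(2022, 5, 1, tzinfo=UTC)),
    EvidenceRow("continuity", "Ops lead", "BCP-v4", datetime(2024, 2, 1, tzinfo=UTC)),
    EvidenceRow("termination_planning", "Legal", "TP-v1", datetime(2023, 12, 1, tzinfo=UTC)),
]

SAMPLE_SYNCS = [datetime(2024, 5, 30, tzinfo=UTC), datetime(2024, 5, 31, tzinfo=UTC)]
SAMPLE_EVENTS = [
    {"id": "e1", "time": datetime(2024, 5, 30, 12, 0, tzinfo=UTC)},  # 12 h after sync: fine
    {"id": "e2", "time": datetime(2024, 5, 31, 9, 0)},               # naive timestamp
    {"id": "e3", "time": datetime(2024, 6, 1, 6, 0, tzinfo=UTC)},    # 30 h after last sync
    {"id": "e4", "time": datetime(2024, 5, 29, 1, 0, tzinfo=UTC)},   # before any sync
]


def audit_pack_report():
    """Run all three checks over the constructed sample data."""
    return {
        "terms": terms_gaps(SAMPLE_TERMS),
        "index": index_gaps(SAMPLE_ROWS, NOW),
        "audit_log": audit_log_findings(SAMPLE_EVENTS, SAMPLE_SYNCS),
    }


if __name__ == "__main__":
    for section, result in audit_pack_report().items():
        print(section, result)
```

The three checks are deliberately separate functions so that each can be fed the real artefact (the disclosed terms, the owned index, the exported audit log and time-sync records) and its output attached to the audit file as a dated review result rather than an assertion made from memory.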
EN 319 401 includes an informative mapping to Regulation (EU) No 910/2014. That mapping connects eIDAS Article 19 security requirements to EN 319 401 clauses on risk, information security, management, operations, incident handling, and continuity. It also maps Article 24 qualified trust service provider duties to specific EN 319 401 areas, including terms and conditions, changes in qualified trust services, trustworthy systems, records, and continuity.
For public-facing evidence, use this mapping as context rather than a standalone legal conclusion. A page can say which EN 319 401 evidence supports an eIDAS-related control area, but it should not claim qualified status, trusted-list inclusion, supervisory approval, or legal compliance unless those facts are separately evidenced.
Most weak EN 319 401 audit files fail because the evidence is either too broad or too detached from the service being assessed. A generic security policy is not enough if it cannot be traced to the trust service practice statement, the applicable trust service policy, the service records, and the disclosed terms.
The other common failure is claiming more than the source supports. EN 319 401 can support a disciplined evidence model for TSP operation and management, but conformity assessment details, assessor competence, scheme rules, certificate-service policies, and qualified-service status must come from the relevant external scheme, service-specific ETSI standard, or legal evidence.