- Supports clause 7.14 supply-chain policy, procedures, subcontracting, outsourcing, supplier agreements, SLAs, cloud-service responsibility, and supplier registers.
"Supply chain policy"
A practical guide to the compliance clause in ETSI EN 319 401 V3.1.1 and the evidence a trust service provider needs around it.
Use it to separate legal operation, privacy, accessibility, records, incident, continuity, and supplier evidence from unsupported compliance claims.
ETSI EN 319 401 compliance is not a standalone declaration. Clause 7.13 requires a trust service provider to operate legally and trustworthily, provide evidence for applicable legal requirements, address accessibility where feasible, and protect personal data. The useful compliance file therefore has to connect clause 7.13 to the risk assessment, practice statement, terms and conditions, information security policy, personnel, access, logging, incident, continuity, termination, and supply-chain evidence required elsewhere in the standard.
Clause 7.13 is the center of the compliance topic: the TSP has to operate in a legal and trustworthy manner and provide evidence showing how it meets applicable legal requirements. The same clause also calls out accessibility for trust services and end-user products where feasible, consideration of ETSI EN 301 549, and protection of personal data through appropriate technical and organizational measures.
The scope matters because EN 319 401 is a baseline for TSP operation and management practices independent of the specific trust service. It does not supersede service-specific standards or define how an independent party assesses the requirements. Treat this page as a control-and-evidence guide for the EN 319 401 baseline, not as proof of qualified status or operational guidance.
A defensible EN 319 401 compliance file starts with the risk assessment in clause 5. The TSP has to identify, analyse, and evaluate trust-service risks, choose risk treatment measures, document the necessary security requirements and operational procedures, review the assessment regularly, and have management approve the assessment and residual risk.
Clauses 6.1 through 6.3 then turn that risk work into governance evidence. The practice statement (clause 6.1) identifies how the TSP addresses the applicable trust service policy. The terms and conditions (clause 6.2) tell subscribers and relying parties which service policy, limitations, liabilities, event-log retention period, assessment status, contact details, and availability commitments apply. The information security policy (clause 6.3) sets the organization's approach to information security.
The compliance claim is weak if it is not tied to operational controls. EN 319 401 requires segregation of conflicting duties, trained and reliable personnel, identified trusted roles, asset inventory and classification, least-privilege access administration, privileged-account controls, critical-application authentication, accountability through logs, key lifecycle controls, physical protection for critical systems, secure development analysis, and change control for operational software and configurations.
For review purposes, summarize those controls by evidence type rather than by department. A reviewer should be able to see which asset register, trusted-role appointment record, access review, change ticket, key-management record, physical access record, or software-release approval supports each compliance statement.
EN 319 401 makes incident and record evidence concrete. The TSP has to establish monitoring and logging mechanisms, detect abnormal activities, maintain and review logs, establish incident response procedures, document incident detection and response, report significant breaches according to applicable rules, assess and classify events, and perform post-incident reviews that identify root cause and reduce recurrence risk.
Records and continuity are also compliance evidence. Clause 7.10 requires relevant information about data issued and received by the TSP to be recorded and kept accessible for an appropriate period, including after the TSP's activities cease, for legal evidence and service continuity. Clause 7.11 requires continuity, backup, recovery, and crisis-management planning; clause 7.12 requires termination planning for subscriber, relying-party, subcontractor, key, evidence-transfer, and service-transfer issues.
Supply-chain evidence is not optional background context when a supplier, cloud provider, subcontractor, outsourcer, or trust service component provider is involved. EN 319 401 requires processes and procedures for security risks associated with supplier products and services, including the ICT supply chain, and it requires the TSP to maintain overall responsibility when other parties provide parts of the service.
For practical review, keep the supplier file close to the compliance file. It should show selection criteria, cybersecurity requirements, supplier agreements, service levels or audit mechanisms, critical-component traceability, cloud shared-responsibility expectations, monitoring of supplier changes, and a register of suppliers and agreements showing where TSP information is managed or archived.