| Dimension | EN 319 401 | eIDAS (Annex B mapping) | Crosswalk guidance |
|---|---|---|---|
| Scope and covered activity | EN 319 401 covers general policy requirements for Trust Service Providers, independent of trust service type, and does not define every service-specific assessment requirement. | The source-linked comparator is the Annex B mapping to selected eIDAS provisions, not the full eIDAS Regulation. | Define the trust service first, then state whether the work is only the EN 319 401 baseline, an Annex B eIDAS mapping, or a service-specific qualified trust service assessment. |
| Who must act | EN 319 401 assigns work to the TSP and its management, including approval of risk assessment, information security policy, role allocation, personnel competence, and supplier control. | Annex B maps qualified trust service provider duties in Article 24.2 for staff and subcontractors, change or cessation notification, terms, records, and termination planning. | Assign both operational control owners and legal or supervisory owners; the same artifact may support both, but accountability should not be collapsed. |
| Trigger or threshold | EN 319 401 triggers operational review when risk assessments, information security policy, assets, suppliers, incidents, continuity plans, or service termination facts change. | Annex B makes the clearest eIDAS trigger explicit for Article 19.2: a breach of security or loss of integrity with significant impact on the trust service or maintained personal data. | Keep a trigger register that distinguishes planned reviews, significant changes, supplier incidents, service termination, and reportable Article 19.2 events. |
| Core obligations | EN 319 401 requires the TSP to assess risks, select treatment measures, document policies and procedures, manage personnel and assets, operate security controls, handle incidents, maintain continuity, keep records, and manage suppliers. | Annex B ties Article 19 to risk and security measures, incident prevention and impact reduction, notification, and continuity; it ties selected Article 24.2 points to staff, terms, financial resources or insurance, records, and termination planning. | Build a crosswalk row only when the ETSI control and the eIDAS mapped duty point to the same service boundary and evidence artifact. |
| Evidence and records | EN 319 401 evidence should include the risk assessment, residual-risk approval, Trust Service Practice statement, terms and conditions, security policy, asset inventory, monitoring logs, incident records, continuity tests, and supplier agreements. | The mapped eIDAS evidence should show the Article 19 security and incident path, plus any selected Article 24.2 evidence such as pre-contract terms, staff competence, records retained for legal proceedings, or termination plan. | Label each artifact by source: EN 319 401 baseline, Annex B Article 19 support, selected Article 24.2 support, or service-specific qualified trust service evidence. |
| Timing and cadence | EN 319 401 uses planned review cycles and event-driven reviews, including regular risk assessment review, planned information security policy review, incident procedure testing, continuity plan testing, and supplier monitoring. | Annex B reproduces the Article 19.2 notification clock for significant breaches as without undue delay and in any event within 24 hours after awareness. | Do not let an internal annual review cadence hide a reportable breach clock; keep planned control reviews and incident notification timing separate. |
| Enforcement or assurance route | EN 319 401 states that it does not specify how requirements are assessed by an independent party and points to EN 319 403-1 for conformity assessment bodies. | For eIDAS, Annex B references supervisory bodies and other relevant bodies in the Article 19.2 mapping, and qualified-service change or cessation notices in Article 24.2(a). | Use EN 319 401 to build assessor-ready operational evidence, but confirm the legal notification path and any conformity assessment route from the applicable eIDAS and service-specific sources. |
| Overlap and reuse | EN 319 401 evidence can be reused where it proves the same TSP operation, control, and review result for the same service boundary. | Annex B supports reuse only for the mapped Article 19 and selected Article 24.2 points; unmapped eIDAS duties need their own source analysis. | Reuse evidence with a bridge note that names the EN 319 401 clause family, the mapped eIDAS provision, the artifact, the owner, and any remaining legal gap. |
| Practical decision rule | Use EN 319 401 as the control baseline when the task is to operate and evidence a TSP management, security, incident, continuity, record, or supplier control. | Use the eIDAS side when the decision is about a legal duty, supervisory notification, qualified trust service obligation, or an unmapped eIDAS provision. | The crosswalk is useful for implementation evidence, but it is not a legal conclusion that EN 319 401 alone satisfies eIDAS. |