| Aspect | EN 319 401 | EN 319 403-1 | Practical action |
|---|---|---|---|
| Scope and covered activity | EN 319 401 applies to general policy requirements for TSPs and is independent of the type of TSP; it defines requirements on operation and management practices. | EN 319 403-1 is identified as the standard for requirements for conformity assessment bodies assessing TSPs, not as another TSP operating-policy baseline. | Write the scope memo around the trust service and TSP first; add CAB assessment scope only after the assessor-facing standard is confirmed. |
| Who owns the work | The TSP owns EN 319 401 implementation through management approval, policy ownership, trusted roles, personnel controls, operational controls, incident handling, continuity, termination planning, and supplier oversight. | The CAB-side owner is the conformity assessment body and its assessment process; the local reference does not support assigning detailed EN 319 403-1 duties to TSP staff. | Assign TSP evidence owners for EN 319 401 and keep assessor requests in a separate log with the CAB contact, date, standard version, and requested evidence. |
| Trigger or threshold | EN 319 401 work starts when a provider is defining, operating, changing, assessing, or evidencing a trust service policy and the related TSP operation. | EN 319 403-1 becomes relevant when a conformity assessment body is assessing a trust service provider; detailed trigger facts should be confirmed in EN 319 403-1. | Rerun the comparison when the trust service, policy, significant systems, suppliers, incident history, or assessment scope changes. |
| Core obligations | Convert EN 319 401 into TSP controls for risk assessment, risk treatment, practice statements, terms and conditions, information security policy, personnel, assets, access control, cryptographic controls, physical security, operational security, network security, incidents, continuity, termination, compliance, and supply chain. | Convert EN 319 403-1 into assessment-body requirements only after direct clause review; this page supports the CAB-assessment context but does not restate detailed EN 319 403-1 obligations. | Use EN 319 401 as the provider evidence checklist and label EN 319 403-1 items as assessor-confirmed only when the clause has been checked. |
| Evidence and records | Evidence should include the risk assessment, risk treatment records, practice statement, terms and conditions, information security policy, asset inventory, trusted-role appointments, access records, monitoring and incident records, continuity and crisis-management tests, termination plan, and supplier agreements. | Assessment evidence should be organized so a CAB can trace each TSP control to a source, owner, version, and record; EN 319 403-1-specific evidence fields require direct confirmation. | Maintain one source-to-evidence matrix with an EN 319 401 column and a separate EN 319 403-1 confirmation status column. |
| Timing and cadence | EN 319 401 requires recurring review patterns, including regular risk-assessment review and review of the information security policy and asset inventory at planned intervals or when significant changes occur. | The EN 319 403-1 assessment cadence is not grounded in the available local source set; confirm assessment planning and cycle details directly before stating them. | Use EN 319 401 to schedule internal evidence maintenance, and treat CAB assessment timing as a separate confirmed fact. |
| Enforcement and supervisory context | EN 319 401 compliance by TSPs operating under eIDAS is supervised through the national supervisory body for trust services in each Member State, which reviews whether TSP policies, practices, and security controls meet the relevant eIDAS and delegated-act requirements. | Conformity assessment under EN 319 403-1 is enforced through the CAB accreditation chain and the TSP audit cycle. A qualified TSP must obtain a conformity assessment from an accredited CAB before national supervisory body listing; ongoing assessments renew the compliance record. | Record the enforcement route separately: TSP supervisory correspondence, CAB audit scope, accreditation body, and any conditions attached to the conformity assessment report. |
| Overlap and reuse | EN 319 401 evidence can be reused when the trust service boundary, version, policy, systems, suppliers, and assessment period match the claim being made. | CAB-facing reuse should be treated as conditional until the EN 319 403-1 assessment expectation and the CAB request are known. | Reuse evidence only with a visible boundary statement: trust service, policy, system, period, standard version, evidence owner, and assessment status. |
| Practical decision rule | If the task is to design, operate, document, or maintain a trust service provider control, start with EN 319 401. | If the task is to understand how a conformity assessment body assesses the TSP, confirm the relevant EN 319 403-1 clause and keep that assessor requirement separate. | A defensible comparison has three outputs: a TSP evidence map, a CAB assessment question list, and an explicit list of EN 319 403-1 details still requiring direct confirmation. |