---
title: "ETSI EN 319 401 vs EN 319 403-1: TSP Policy vs CAB Assessment"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-en-319-403-1"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-en-319-403-1"
author: "Sorena AI"
description: "Compare ETSI EN 319 401 and ETSI EN 319 403-1 for trust service providers: TSP operating controls, conformity assessment context, evidence boundaries, and reuse limits."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 401 vs EN 319 403-1"
  - "ETSI EN 319 401"
  - "ETSI EN 319 403-1"
  - "trust service provider policy requirements"
  - "conformity assessment bodies"
  - "TSP evidence"
  - "trust service provider"
  - "conformity assessment body"
  - "eIDAS"
---

# ETSI EN 319 401 vs EN 319 403-1: TSP Policy vs CAB Assessment

Compare ETSI EN 319 401 and ETSI EN 319 403-1 for trust service providers: TSP operating controls, conformity assessment context, evidence boundaries, and reuse limits.


## ETSI EN 319 401 vs EN 319 403-1: TSP policy vs conformity assessment

A practical comparison for teams that need to separate a trust service provider's operating controls from the conformity-assessment context around those controls.

This comparison is grounded in ETSI EN 319 401 V3.1.1 and its references. EN 319 403-1 coverage is intentionally limited where the local reference only confirms its title and role.

Use this page when an audit plan, procurement question, trust service policy, or evidence request mentions both ETSI EN 319 401 and ETSI EN 319 403-1. EN 319 401 is the general policy baseline for the operation and management practices of trust service providers. EN 319 401 points to EN 319 403-1 for requirements for conformity assessment bodies assessing trust service providers, so the comparison should keep provider obligations and assessor-facing expectations separate.

## ETSI EN 319 401 vs ETSI EN 319 403-1: what changes operationally?

Use this table to keep the trust service provider's EN 319 401 operating evidence separate from the EN 319 403-1 conformity-assessment-body context.

- **ETSI EN 319 401**: General policy requirements for trust service providers, focused on the TSP's operation and management practices across trust service policy, risk, security, incidents, continuity, termination, and suppliers.
- **ETSI EN 319 403-1**: Referenced by EN 319 401 for requirements for conformity assessment bodies assessing trust service providers; this page limits 403-1 detail to that supported comparator role.

| Dimension | ETSI EN 319 401 | ETSI EN 319 403-1 | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | EN 319 401 applies to general policy requirements for TSPs and is independent of the type of TSP; it defines requirements on operation and management practices. | EN 319 403-1 is identified as the standard for requirements for conformity assessment bodies assessing TSPs, not as another TSP operating-policy baseline. | Write the scope memo around the trust service and TSP first; add CAB assessment scope only after the assessor-facing standard is confirmed. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports starting the comparison with TSP scope.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Used only for the comparator role supported by the EN 319 401 reference. |
| Who owns the work | The TSP owns EN 319 401 implementation through management approval, policy ownership, trusted roles, personnel controls, operational controls, incident handling, continuity, termination planning, and supplier oversight. | The CAB-side owner is the conformity assessment body and its assessment process; the local reference does not support assigning detailed EN 319 403-1 duties to TSP staff. | Assign TSP evidence owners for EN 319 401 and keep assessor requests in a separate log with the CAB contact, date, standard version, and requested evidence. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports assigning TSP-side evidence owners.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for the CAB-side role. |
| Trigger or threshold | EN 319 401 work starts when a provider is defining, operating, changing, assessing, or evidencing a trust service policy and the related TSP operation. | EN 319 403-1 becomes relevant when a conformity assessment body is assessing a trust service provider; detailed trigger facts should be confirmed in EN 319 403-1. | Rerun the comparison when the trust service, policy, significant systems, suppliers, incident history, or assessment scope changes. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports review after significant changes.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for the assessment-body context. |
| Core obligations | Convert EN 319 401 into TSP controls for risk assessment, risk treatment, practice statements, terms and conditions, information security policy, personnel, assets, access control, cryptographic controls, physical security, operational security, network security, incidents, continuity, termination, compliance, and supply chain. | Convert EN 319 403-1 into assessment-body requirements only after direct clause review; this page supports the CAB-assessment context but does not restate detailed EN 319 403-1 obligations. | Use EN 319 401 as the provider evidence checklist and label EN 319 403-1 items as assessor-confirmed only when the clause has been checked. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports using EN 319 401 as the provider evidence checklist.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for direct clause confirmation. |
| Evidence and records | Evidence should include the risk assessment, risk treatment records, practice statement, terms and conditions, information security policy, asset inventory, trusted-role appointments, access records, monitoring and incident records, continuity and crisis-management tests, termination plan, and supplier agreements. | Assessment evidence should be organized so a CAB can trace each TSP control to a source, owner, version, and record; EN 319 403-1-specific evidence fields require direct confirmation. | Maintain one source-to-evidence matrix with an EN 319 401 column and a separate EN 319 403-1 confirmation status column. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports traceable evidence and documentation.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for assessing TSPs; detailed evidence fields should be confirmed in EN 319 403-1. |
| Timing and cadence | EN 319 401 requires recurring review patterns, including regular risk-assessment review and review of the information security policy and asset inventory at planned intervals or when significant changes occur. | The EN 319 403-1 assessment cadence is not grounded in the available local source set; confirm assessment planning and cycle details directly before stating them. | Use EN 319 401 to schedule internal evidence maintenance, and treat CAB assessment timing as a separate confirmed fact. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports internal evidence maintenance cadence.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - External comparator source for assessment details that need direct confirmation. |
| Enforcement and supervisory context | EN 319 401 compliance by TSPs operating under eIDAS is supervised through the national supervisory body for trust services in each Member State, which reviews whether TSP policies, practices, and security controls meet the relevant eIDAS and delegated-act requirements. | Conformity assessment under EN 319 403-1 is enforced through the CAB accreditation chain and the TSP audit cycle. A qualified TSP must obtain a conformity assessment from an accredited CAB before national supervisory body listing; ongoing assessments renew the compliance record. | Record the enforcement route separately: TSP supervisory correspondence, CAB audit scope, accreditation body, and any conditions attached to the conformity assessment report. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the eIDAS mapping context in EN 319 401 Annex B.<br>[Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Use for legal-status claims rather than unsupported shorthand.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source; this page does not infer legal status from EN 319 403-1 alone. |
| Overlap and reuse | EN 319 401 evidence can be reused when the trust service boundary, version, policy, systems, suppliers, and assessment period match the claim being made. | CAB-facing reuse should be treated as conditional until the EN 319 403-1 assessment expectation and the CAB request are known. | Reuse evidence only with a visible boundary statement: trust service, policy, system, period, standard version, evidence owner, and assessment status. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports boundary-specific evidence and change review.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for assessment-context reuse decisions. |
| Practical decision rule | If the task is to design, operate, document, or maintain a trust service provider control, start with EN 319 401. | If the task is to understand how a conformity assessment body assesses the TSP, confirm the relevant EN 319 403-1 clause and keep that assessor requirement separate. | A defensible comparison has three outputs: a TSP evidence map, a CAB assessment question list, and an explicit list of EN 319 403-1 details still requiring direct confirmation. | [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the separation between TSP requirements and the referenced CAB standard.<br>[ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for unresolved assessor-side confirmation items. |

Sources for Scope and covered activity - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the EN 319 401 scope and TSP focus.
  - Quote: "independent of the type of TSP"

Sources for Scope and covered activity - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Used only for the comparator role supported by the EN 319 401 reference.
  - Quote: "requirements for conformity assessment bodies"

Sources for Scope and covered activity - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports starting the comparison with TSP scope.
  - Quote: "Trust Service Providers"

Sources for Who owns the work - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the TSP ownership and management-control framing.
  - Quote: "TSP management and operation"

Sources for Who owns the work - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for the CAB-side role.
  - Quote: "conformity assessment bodies"

Sources for Who owns the work - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports assigning TSP-side evidence owners.
  - Quote: "management shall approve the risk assessment"

Sources for Trigger or threshold - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports changes to policy and inventory being reviewed at planned intervals or significant changes.
  - Quote: "if significant changes occur"

Sources for Trigger or threshold - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for the assessment-body context.
  - Quote: "assessing Trust Service Providers"

Sources for Trigger or threshold - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports review after significant changes.
  - Quote: "continuing suitability, adequacy and effectiveness"

Sources for Core obligations - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the listed TSP controls and evidence categories.
  - Quote: "security controls and operating procedures"

Sources for Core obligations - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for direct clause confirmation.
  - Quote: "Trust Service Provider Conformity Assessment"

Sources for Core obligations - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports using EN 319 401 as the provider evidence checklist.
  - Quote: "applicable trust service policy"

Sources for Evidence and records - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the named EN 319 401 evidence artifacts.
  - Quote: "documented, implemented and maintained"

Sources for Evidence and records - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for assessing TSPs; detailed evidence fields should be confirmed in EN 319 403-1.
  - Quote: "assessing Trust Service Providers"

Sources for Evidence and records - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports traceable evidence and documentation.
  - Quote: "demonstrate conformance to the trust service policy"

Sources for Timing and cadence - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports regular risk review and planned-interval or significant-change review.
  - Quote: "regularly reviewed and revised"

Sources for Timing and cadence - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - External comparator source for assessment details that need direct confirmation.
  - Quote: "conformity assessment bodies"

Sources for Timing and cadence - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports internal evidence maintenance cadence.
  - Quote: "planned intervals"

Sources for Enforcement and supervisory context - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the eIDAS mapping context in EN 319 401 Annex B.
  - Quote: "Mapping ETSI EN 319 401 requirements with eIDAS Regulation"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal source for trust service and qualified trust service provider claims.
  - Quote: "security requirements applicable to trust service providers"

Sources for Enforcement and supervisory context - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source; this page does not infer legal status from EN 319 403-1 alone.
  - Quote: "Trust Service Provider Conformity Assessment"

Sources for Enforcement and supervisory context - operational implication:

- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Use for legal-status claims rather than unsupported shorthand.
  - Quote: "qualified trust service providers"

Sources for Overlap and reuse - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports maintaining evidence around policies, assets, suppliers, incidents, continuity, and changes.
  - Quote: "applicable policy and practices"

Sources for Overlap and reuse - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for assessment-context reuse decisions.
  - Quote: "conformity assessment"

Sources for Overlap and reuse - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports boundary-specific evidence and change review.
  - Quote: "significant changes occur"

Sources for Practical decision rule - ETSI EN 319 401:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for provider operation and management controls.
  - Quote: "General Policy Requirements"

Sources for Practical decision rule - ETSI EN 319 403-1:

- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for CAB confirmation.
  - Quote: "conformity assessment bodies assessing Trust Service Providers"

Sources for Practical decision rule - operational implication:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the separation between TSP requirements and the referenced CAB standard.
  - Quote: "See ETSI EN 319 403-1"
- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source for unresolved assessor-side confirmation items.
  - Quote: "Trust Service Provider Conformity Assessment"

### How should teams decide whether a task belongs in EN 319 401 or EN 319 403-1?

- Use EN 319 401 when designing, implementing, documenting, or maintaining trust service policies, practices, controls, incident procedures, or security evidence.
- Use EN 319 403-1 when scoping a conformity assessment engagement, agreeing assessment scope with a CAB, preparing evidence for an auditor, or interpreting an audit report.
- Keep TSP implementation evidence and CAB assessment evidence in separate folders so each reviewer can trace their own requirements without reading across both standards.
- Escalate when EN 319 403-1 audit scope or sampling decisions raise questions that need TSP policy clarification, because the two standards interact at the assessment boundary.

Sources for the practical decision rule:

- [ETSI EN 319 401 V3.1.1 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Binding source for TSP policy and security requirements under EN 319 401.
  - Quote: "general policy requirements for Trust Service Providers"
- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Binding source for conformity assessment requirements for TSPs under EN 319 403-1.
  - Quote: "requirements for conformity assessment bodies"

## Why compare ETSI EN 319 401 with ETSI EN 319 403-1?

ETSI EN 319 401 V3.1.1 specifies general policy requirements for trust service providers, independent of the type of trust service. It covers the provider's risk assessment, policy documents, information security policy, management and operation, incident handling, continuity, termination, and supply-chain controls.

The same ETSI EN 319 401 grounding identifies ETSI EN 319 403-1 as the standard for requirements for conformity assessment bodies assessing trust service providers. That makes the comparison useful, but it does not make the two standards interchangeable: one is the TSP operating-policy baseline; the other is the conformity-assessment-body context.

- Use EN 319 401 to build or review TSP policy, practice, risk, security, operational, incident, continuity, and supplier evidence.
- Use EN 319 403-1 references to identify where a conformity assessment body may need different assessment records or procedures.
- Do not copy a TSP control narrative into a CAB assessment file without confirming which side actually asks for that evidence.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for the scope, policy, risk assessment, management, incident, continuity, termination, and supply-chain requirements for trust service providers.
- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Referenced by ETSI EN 319 401 for requirements for conformity assessment bodies assessing trust service providers; detailed 403-1 clause coverage should be checked in the standard.

## What ETSI EN 319 401 controls before assessment starts

Start the EN 319 401 side with the trust service boundary. The standard defines policy requirements on the operation and management practices of TSPs and says the requirements are independent of the type of TSP.

A useful implementation file should therefore name the trust service policy, the TSP practice statement, terms and conditions, information security policy, risk assessment, management approvals, trusted roles, asset inventory, access controls, incident procedures, continuity plans, termination plan, and supplier controls that support the service.

- Document the risk assessment and management approval of residual risk before treating a control set as complete.
- Keep the TSP practice statement and terms and conditions aligned with the trust service policy being offered.
- Tie evidence to named TSP systems, facilities, personnel roles, suppliers, and service components rather than broad claims of compliance.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the TSP-side controls: risk assessment, trust service practice statement, terms and conditions, information security policy, TSP management and operation, and supply chain.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal context referenced by EN 319 401, including security requirements and qualified trust service provider requirements mapped in EN 319 401 Annex B.

## Where EN 319 403-1 enters the workflow

In the available EN 319 401 grounding, EN 319 403-1 appears as an informative reference for requirements for conformity assessment bodies assessing trust service providers. That is enough to justify a comparison, but not enough to restate EN 319 403-1 audit procedures clause by clause.

Treat EN 319 403-1 as the assessor-side reference point: it helps teams ask what a conformity assessment body needs in order to assess the TSP's EN 319 401 evidence. For detailed CAB competence, audit, reporting, impartiality, or decision requirements, confirm the current EN 319 403-1 text directly before publishing claims.

- Keep a separate assessment index for the conformity assessment body rather than embedding assessor assumptions in the TSP policy.
- Mark any EN 319 403-1-specific requirement as unconfirmed until the exact clause is checked in EN 319 403-1.
- When a customer asks for both standards, answer with two columns: TSP control evidence and CAB assessment evidence.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - EN 319 401 explicitly points to EN 319 403-1 for conformity assessment body requirements.
- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - External ETSI source for the comparator standard; this page does not infer detailed EN 319 403-1 provisions without local reference.

## Evidence that usually belongs on the EN 319 401 side

EN 319 401 evidence should show that the TSP has translated policy requirements into working operations. The source material supports evidence around risk assessment, risk treatment, trust service practice statements, terms and conditions, information security policy, trusted roles, access control, physical and environmental security, operational security, network security, vulnerability and incident management, business continuity, termination, compliance, and supply chain.

Visitor-facing pages should avoid unsupported labels such as assessed, certified, qualified, or conformant unless they also identify the assessment scheme, boundary, service, version, and source that supports the claim.

- Risk file: risk identification, analysis, evaluation, risk treatment measures, management approval, and review cadence.
- Policy file: trust service policy mapping, practice statement, terms and conditions, and information security policy.
- Operations file: trusted roles, personnel evidence, asset inventory, access reviews, monitoring logs, incident records, continuity tests, termination plan, and supplier agreements.
- Assessment handoff: an evidence index that tells the CAB where each EN 319 401 requirement is implemented and maintained.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for EN 319 401 evidence topics, including risk, policies, operations, incidents, continuity, termination, compliance, and supply chain.

## Decision checklist for implementation teams

Use this checklist when the comparison is blocking an audit package, procurement response, or internal release decision. Each item should be answerable from the evidence file, not from memory.

- Name the trust service and the applicable trust service policy before mapping EN 319 401 controls.
- Identify whether the user question is about TSP operations, CAB assessment, or both.
- Attach each EN 319 401 claim to a source-linked evidence artifact and owner.
- Flag every EN 319 403-1-specific claim that still needs direct clause confirmation.
- Review evidence after significant changes to services, systems, information security policy, suppliers, incidents, or termination arrangements.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the checklist items around trust service policy, risk assessment, policy documentation, change review, and operational evidence.
- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Comparator source to verify direct CAB-side requirements before relying on them.

## Common mistakes in this comparison

The most common mistake is treating EN 319 401 and EN 319 403-1 as two labels for the same evidence. The safer approach is to keep the TSP operating evidence, the legal context, and the conformity-assessment evidence visibly separate.

Another common mistake is overstating eIDAS or qualified-status claims. EN 319 401 includes an informative mapping to eIDAS requirements and references qualified trust service context, but public claims still need the exact legal, service, and assessment basis.

- Do not state that a service is qualified, certified, assessed, or conformant unless the evidence file proves the boundary and scheme.
- Do not cite EN 319 403-1 as support for a TSP operational control unless the specific CAB-side requirement has been checked.
- Do not mix generic cybersecurity controls with EN 319 401 evidence unless the control is mapped to a trust service risk, policy, or operation.
- Do not publish local source filenames, draft notes, or internal evidence paths as public sources.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the distinction between EN 319 401 TSP policy requirements, eIDAS mapping, and EN 319 403-1 assessment-body context.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal source for eIDAS trust service context; use it directly before making legal-status or qualified-service claims.

## Primary sources

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the separation between TSP requirements and the referenced CAB standard.
  - Quote: "See ETSI EN 319 403-1"
- [ETSI EN 319 403-1: Trust Service Provider Conformity Assessment; Part 1: Requirements for conformity assessment bodies assessing Trust Service Providers](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/02.03.01_60/en_31940301v020301p.pdf?ref=sorena.io) - Binding source for conformity assessment requirements for TSPs under EN 319 403-1.
  - Quote: "requirements for conformity assessment bodies"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Use for legal-status claims rather than unsupported shorthand.
  - Quote: "qualified trust service providers"
- [ETSI EN 319 401 V3.1.1 general policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Binding source for TSP policy and security requirements under EN 319 401.
  - Quote: "general policy requirements for Trust Service Providers"

