Fast, operational answers for TSP security, engineering, and audit teams.
Focused on what you need to build, how to prove it, and what auditors sample most often.
This FAQ focuses on practical implementation and evidence. It's written for teams responsible for trust service operations, security controls, incident handling, and audit readiness.
ETSI EN 319 401 is a European Standard that defines general policy requirements for Trust Service Providers. It covers how a TSP should manage risk, define policies and practices, run secure operations, detect/respond/report incidents, and retain evidence.
It's often used as an operational blueprint under legal frameworks like eIDAS and as a baseline for conformity assessment and procurement assurance.
The current release is ETSI EN 319 401 V3.1.1 (2024-06), adopted on 30 May 2024; the national transposition milestones (publication of an identical national standard and withdrawal of conflicting national standards) fall on 28 February 2025. The 2024 revision states that it updates the document to take NIS2 into account and refreshes normative references such as ISO/IEC 27002:2022.
In practice, teams that built internal control mappings against an earlier version should re-check requirement numbering, the monitoring and incident-management wording, and the supply-chain expectations before reusing an older audit pack.
EN 319 401 requires the TSP to have a statement of practices and procedures addressing applicable trust service policy requirements and to make relevant documentation available to subscribers and relying parties as necessary to demonstrate conformance.
Auditors care because it's the bridge between requirements and reality: it explains how your service is operated and what evidence exists (without exposing sensitive details).
REQ-5 requires a risk assessment and risk-treatment measures commensurate with the risk, approved by management and reviewed regularly. The common failure is treating the risk assessment as a standalone document that never changes a control.
Make risk outputs drive control changes: monitoring coverage, scan cadence, segmentation, and incident-response capacity, each traceable back to the risk that justified it.
EN 319 401 requires regular vulnerability scans and evidence that each scan was performed by a competent and independent party. It also recommends (a "should", not a "shall") that scans be performed at least once per quarter.
If you choose a different cadence, be prepared to justify it through the risk assessment, the exposure of the scanned assets, and compensating controls. Quarterly is the defensible default for most TSP scopes.
EN 319 401 requires penetration testing after infrastructure or application upgrades or modifications that the TSP determines are significant.
The key is to define what counts as significant in your change-management procedure, for example new trust service components, major network changes, or a redesign of privileged access, and to show that you applied that trigger consistently.
EN 319 401 requires procedures to notify the appropriate parties of any breach of security or loss of integrity with significant impact within 24 hours of the breach being identified, and to comply with the reporting obligations of the applicable legislative frameworks.
Operationally, you need detection, impact categorization, escalation, and a prepared communication and reporting workflow that can execute within that window, including knowing in advance who the appropriate parties are.
EN 319 401 requires that the time used to record audit-log events be synchronized with UTC at least once per day. This is about legal defensibility and incident reconstruction.
If time integrity is weak, your incident timelines and audit evidence can be challenged, so keep the synchronization status itself as evidence rather than assuming the daemon is running.
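As an added example (not text from the standard and not code from any TSP product), the following Python checks a host's chrony status against the once-per-day UTC expectation and flags the two ways it commonly fails: a reference time older than 24 hours, and a clock that has never reached a source (chrony then reports the 1970 epoch and "Not synchronised"). The 1-second offset limit is an assumed local policy figure, not a number from EN 319 401, and the three `chronyc tracking` outputs are constructed samples.

```python
"""Evaluate `chronyc tracking` output against the EN 319 401 expectation that
audit-log time is synchronised with UTC at least once per day.

Added example for this FAQ; not ETSI text and not part of any TSP product.
MAX_OFFSET_S is an assumed local policy figure; the standard sets no numeric limit.
"""
import re
import subprocess
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

MAX_REF_AGE = timedelta(hours=24)   # EN 319 401: synchronise with UTC at least once per day
MAX_OFFSET_S = 1.0                  # assumed local policy, not a figure from the standard

# Constructed "now" used to evaluate the constructed samples below.
SAMPLE_NOW = datetime(2024, 6, 11, 12, 0, tzinfo=timezone.utc)

# Constructed sample in the layout printed by `chronyc tracking` (fields trimmed).
HEALTHY_TRACKING = """\
Reference ID    : A9FEA97B (ntp.example.net)
Stratum         : 2
Ref time (UTC)  : Tue Jun 11 08:15:02 2024
System time     : 0.000123456 seconds slow of NTP time
Update interval : 1024.5 seconds
Leap status     : Normal
"""

# Constructed: a host that has never reached a source; chrony shows the epoch.
UNSYNCED_TRACKING = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds slow of NTP time
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""

# Constructed: synchronised recently, but the clock has drifted past the local limit.
DRIFTED_TRACKING = """\
Reference ID    : A9FEA97B (ntp.example.net)
Stratum         : 2
Ref time (UTC)  : Tue Jun 11 11:50:00 2024
System time     : 2.500000000 seconds fast of NTP time
Update interval : 64.0 seconds
Leap status     : Normal
"""


@dataclass
class SyncStatus:
    ref_time: datetime          # last time the clock was disciplined by a source (UTC)
    offset_s: float             # system clock minus NTP time, seconds (negative = slow)
    leap_status: str
    findings: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def parse_tracking(text: str) -> dict[str, str]:
    """Map each 'Field : value' line to a dict. Splitting on the first colon
    keeps the colons inside the timestamp intact."""
    fields: dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def evaluate_tracking(text: str, now: datetime) -> SyncStatus:
    """Parse tracking output and record every way it fails the policy."""
    f = parse_tracking(text)
    ref_time = datetime.strptime(f["Ref time (UTC)"], "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    m = re.match(r"([\d.]+) seconds (slow|fast) of NTP time", f["System time"])
    if m is None:
        raise ValueError(f"unexpected System time line: {f['System time']!r}")
    offset_s = float(m.group(1)) * (-1 if m.group(2) == "slow" else 1)
    status = SyncStatus(ref_time, offset_s, f["Leap status"])

    if status.leap_status != "Normal":
        status.findings.append(f"clock not synchronised (leap status: {status.leap_status})")
    age = now - ref_time
    if age > MAX_REF_AGE:
        status.findings.append(f"last UTC reference {age} ago exceeds {MAX_REF_AGE}")
    if abs(offset_s) > MAX_OFFSET_S:
        status.findings.append(f"offset {offset_s:+.6f}s exceeds {MAX_OFFSET_S}s local limit")
    return status


def check_live_host() -> SyncStatus:
    """Run the real command on this host (requires chrony to be installed)."""
    out = subprocess.run(["chronyc", "tracking"], capture_output=True, text=True, check=True).stdout
    return evaluate_tracking(out, datetime.now(timezone.utc))


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY_TRACKING), ("unsynced", UNSYNCED_TRACKING), ("drifted", DRIFTED_TRACKING)):
        result = evaluate_tracking(sample, SAMPLE_NOW)
        print(name, "COMPLIANT" if result.compliant else "NON-COMPLIANT", result.findings)
```

Run `check_live_host()` from a daily job and archive its findings alongside the audit logs: a dated record that the clock was disciplined against UTC within the window is exactly the evidence an auditor asks for, and the findings list gives the incident team a reason to distrust a timeline before they build one on it.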
EN 319 401 does not let a TSP outsource responsibility. When suppliers, cloud providers, or external trust service components are used, the TSP remains responsible for conformance with the supply-chain policy, information security policy, and the applicable trust service policy.
Operationally, that means contracts, service levels, review cycles, and incident-response interfaces must all be part of the evidence system.