- Grounds clauses 7.11, 7.12, and 7.14 for business continuity, backup, crisis management, TSP termination, supply-chain controls, third-party agreements, SLAs, and supplier registers.
"Supply chain policy"
Practical answers for trust service providers using ETSI EN 319 401 V3.1.1 to structure policies, controls, records, incidents, continuity, and supplier evidence.
Grounded in ETSI EN 319 401 source material. Use it to clarify implementation scope and evidence; do not treat it as a legal opinion or proof of conformity.
This FAQ answers common implementation questions about ETSI EN 319 401 V3.1.1, the ETSI standard for general policy requirements for trust service providers. It focuses on what the standard actually covers, how a TSP should frame its practice statement and terms, how risk assessment drives controls, and what evidence is needed for incidents, records, continuity, termination, and suppliers.
These focused FAQ modules break this artifact into narrower answer sets so teams can move straight to the right source-backed guidance.
- How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries.
- See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence.
- Understand what ETSI EN 319 401 says, and does not say, about conformity assessment bodies, independent assessment, and TSP evidence preparation.
- How ETSI EN 319 401 treats policy documentation: practice statements, terms and conditions, information security policy, evidence records, and change review.
- How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility.
- How ETSI EN 319 401 V3.1.1 expects trust service providers to detect, respond to, report, classify, document, and review security incidents.
- How to scope ETSI EN 319 401 for a trust service provider: service boundaries, trust service policy, practice statement, terms, risks, and third-party components.
ETSI EN 319 401 specifies general policy requirements for Trust Service Providers that are independent of the type of trust service. Its scope is the operation and management practices of TSPs, including baseline security-management and cybersecurity requirements for qualified and non-qualified trust services.
The standard is not a service-specific rulebook for every trust service. It says other specifications refine and extend the requirements for particular forms of TSP, and it does not specify how an independent party assesses the requirements or what information assessors must receive. Use EN 319 401 as the general TSP baseline, then add the service-specific ETSI standard, legal obligation, customer requirement, or assessment scheme that applies to the actual service.
The standard defines a Trust Service Provider as an entity that provides one or more trust services. It also defines a trust service policy as rules indicating applicability to a community or class of application with common security requirements, and a trust service practice statement as the practices the TSP employs in providing a trust service.
In practical terms, this FAQ is for teams that run or support a trust service and need to turn EN 319 401 into owned controls. The standard's overview gives examples of TSPs such as public-key certificate issuers, time-stamping service providers, and providers of remote electronic signature generation or validation services. If your organization only consumes a trust service, the useful question is usually supplier assurance and relying-party obligations rather than full TSP implementation.
Clause 6 makes documentation central. A TSP has to specify policies and practices appropriate for the trust services it provides, have a trust service practice statement covering the applicable trust service policy requirements, identify obligations of external organizations supporting the service, and make the practice statement and relevant documentation available to subscribers and relying parties as needed to demonstrate conformance to the trust service policy.
Terms and conditions are also explicit. EN 319 401 expects them to be available to subscribers and relying parties and to cover, for each supported trust service policy, items such as the policy applied, service-use limits, subscriber obligations, relying-party information, event-log retention, liability limits, applicable legal system, complaint and dispute procedures, conformity assessment status and scheme if assessed, contact information, and availability undertakings.
Risk assessment is the starting point for defensible implementation. Clause 5 requires the TSP to identify, analyse, and evaluate trust-service risks while taking business and technical issues into account, select risk treatment measures based on the assessment results, and ensure that the level of security is commensurate with the degree of risk.
The risk assessment should not sit apart from policy work. EN 319 401 requires the TSP to determine the security requirements and operational procedures needed to implement the selected risk treatment measures and document them in the information security policy and trust service practice statement. The assessment also has to be regularly reviewed and revised, with management approving it and accepting residual risk.
Incident evidence should cover monitoring, detection, response, reporting, event classification, and post-incident review. EN 319 401 calls for monitoring and logging mechanisms, regular log review, incident response procedures for containment, eradication, and recovery, comprehensive documentation during detection and response, stakeholder communications according to agreed plans, and root-cause review after incidents.
Record evidence is broader than incident files. Clause 7.10 requires the TSP to record and keep accessible relevant information about data issued and received by the TSP, including after the TSP's activities cease, for legal-evidence and service-continuity purposes. It also requires confidentiality and integrity of current and archived records, UTC-synchronized audit-log time at least once a day, stated retention periods in terms and conditions, and logging that cannot be easily deleted or destroyed during the required retention period.
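As an added illustration (not ETSI text and not any TSP's own code), a hypothetical Python model of the clause 7.10 record properties just listed: every record carries a UTC timestamp and is hash-chained to its predecessor, so a deleted, reordered or edited entry is detectable, and a helper measures the longest gap between UTC-synchronisation records against the once-a-day expectation. The event types, the `time_sync` marker and the sample entries are constructed for the demo.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

GENESIS = "0" * 64          # anchor hash for the first record
SYNC_EVENT = "time_sync"    # constructed event type: a UTC clock synchronisation

def _digest(prev_hash: str, event: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(prev_hash.encode() + payload).hexdigest()

def append_event(log: list, event_type: str, detail: str, at: datetime) -> dict:
    """Append a record chained to its predecessor; non-UTC timestamps are rejected."""
    if at.tzinfo is None or at.utcoffset() != timedelta(0):
        raise ValueError("audit-log timestamps must be UTC")
    event = {"seq": len(log), "ts": at.isoformat(), "type": event_type, "detail": detail}
    prev = log[-1]["hash"] if log else GENESIS
    record = dict(event, hash=_digest(prev, event))
    log.append(record)
    return record

def verify_chain(log: list) -> int:
    """Return -1 if the chain is intact, else the index where it first breaks."""
    prev = GENESIS
    for i, record in enumerate(log):
        event = {k: v for k, v in record.items() if k != "hash"}
        if event["seq"] != i or _digest(prev, event) != record["hash"]:
            return i
        prev = record["hash"]
    return -1

def max_sync_gap(log: list) -> timedelta:
    """Longest interval between consecutive UTC-sync records; above 24h is an evidence gap."""
    syncs = [datetime.fromisoformat(r["ts"]) for r in log if r["type"] == SYNC_EVENT]
    if len(syncs) < 2:
        return timedelta.max
    return max(b - a for a, b in zip(syncs, syncs[1:]))

def demo() -> dict:
    """Constructed sample: two days of records, then one record silently dropped."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    log: list = []
    append_event(log, SYNC_EVENT, "ntp ok", t0)
    append_event(log, "cert_issued", "serial 0x01 (constructed)", t0 + timedelta(hours=3))
    append_event(log, SYNC_EVENT, "ntp ok", t0 + timedelta(hours=20))
    append_event(log, "key_ceremony", "HSM rollover (constructed)", t0 + timedelta(hours=30))
    append_event(log, SYNC_EVENT, "ntp ok", t0 + timedelta(hours=50))
    tampered = log[:1] + log[2:]          # the issuance record has been removed
    return {"intact": verify_chain(log), "tampered_at": verify_chain(tampered),
            "max_sync_gap_hours": max_sync_gap(log) / timedelta(hours=1)}
```

The 30-hour sync gap in the sample is exactly the kind of finding an assessor would raise against the once-a-day synchronisation expectation, even though the chain itself verifies.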
Use this ETSI EN 319 401 FAQ to separate scope questions, practice-statement duties, risk decisions, incident evidence, continuity tests, and supplier controls before assessment or customer review.
Continuity evidence should show that the TSP can act during disasters and recover according to its own continuity plan. EN 319 401 requires a continuity plan, restoration within the delay established in that plan after a disaster, backup copies and sufficient resources aligned with the risk assessment and the business continuity plan, integrity checks on backups, documented backup recovery tests, and crisis-management processes with defined roles, communication with authorities, and security controls.
Termination and supplier evidence are part of the same assurance picture. EN 319 401 requires an up-to-date termination plan, notices before termination, subcontractor authorization termination, transfer or maintenance of evidence needed to verify correct operation, private-key destruction or withdrawal where applicable, and arrangements for public keys or trust service tokens. For suppliers and cloud services, it requires supply-chain risk processes, supplier criteria, cybersecurity requirements, supplier monitoring, documented agreements, SLAs or audit mechanisms, and a supplier register showing where TSP information is managed or archived.