
ETSI EN 319 401 CA and RA responsibilities

A focused answer for teams mapping certification authority and registration authority work into ETSI EN 319 401 governance evidence.

Grounded in ETSI source material. Use it as implementation guidance, not for legal interpretation.

Author: Sorena AI
Published: May 9, 2026
Updated: May 9, 2026
Overview

Short answer: ETSI EN 319 401 does not provide a detailed CA/RA responsibility matrix. It requires the TSP to define and approve the policies and practices for the trust services it provides, identify external organizations supporting those services, segregate conflicting duties, document security roles and trusted roles, and retain responsibility where parts of the service are provided through other parties.

Question 1

What does EN 319 401 require for CA and RA responsibility?

Treat CA and RA responsibility as part of the TSP's documented practice system, not as an informal team chart. EN 319 401 requires the TSP to specify appropriate policies and practices, have a practice statement addressing the applicable trust service policy, obtain management approval, implement those practices, and define a review process with responsibilities for maintaining the practice statement.

For CA or RA activities performed by external organizations, the practice statement should not hide the dependency. EN 319 401 requires the trust service practice statement to identify obligations of external organizations supporting the TSP's services, including applicable policies and practices.

  • Map CA and RA activities to the TSP practice statement or certificate-specific CPS rather than leaving them only in private working notes.
  • Show management approval and a named review process for the practices that govern certificate issuance, registration support, revocation support, and related service components.
  • Identify any external organization, registration service provider, component provider, outsourcer, or subcontractor that supports the CA or RA process.
Question 2

Where should teams draw the CA/RA boundary?

EN 319 401 names certification services and registration services as examples of trust services, but it stays at the general TSP-policy level. For certificate services, ETSI EN 319 411-1 provides the more specific vocabulary: a CA is an authority trusted to create and assign certificates, and an RA is responsible mainly for identification and authentication of certificate subjects.

Use that certificate-specific vocabulary to label the work, then use EN 319 401 to govern the evidence: policy scope, approved practices, role assignment, segregation of conflicting duties, competence, external obligations, and supplier controls. Do not claim that EN 319 401 alone defines every CA or RA procedure.

  • Separate CA certificate-generation and certificate-status responsibilities from RA identification, authentication, certificate-application, and revocation-support responsibilities.
  • Document who performs the work, whether the role is internal or external, which trust service policy or certificate policy applies, and which practice statement governs it.
  • If the RA function is delegated or outsourced, retain evidence that the TSP remains accountable for conformance and has a documented agreement covering the relevant security obligations.
Question 3

What evidence should support the responsibility map?

The useful artifact is a responsibility map that connects each CA or RA activity to the policy, practice statement, role, approval record, and evidence location. EN 319 401 supports this by requiring policies and practices to be approved, communicated where relevant, maintained, and made available to subscribers and relying parties as necessary to demonstrate conformance, while allowing sensitive details to remain undisclosed.

For certificate services, keep the public-facing CPS or terms aligned with the private operating evidence. EN 319 411-1 explains that low-level operational procedures can hold specific task and responsibility details that are useful for daily operation and process review, even if they are not publicly disclosed.

  • Practice statement or CPS section identifying CA, RA, registration officer, revocation-support, and external-support responsibilities.
  • Management approval record, review cadence, and change-notice trigger for practice-statement changes that may affect subjects, subscribers, or relying parties.
  • Role and access evidence showing segregation of conflicting duties, documented trusted roles, personnel competence, and contractor or supplier obligations.