---
title: "CA and RA responsibilities under ETSI EN 319 401"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities"
author: "Sorena AI"
description: "How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 401"
  - "CA responsibilities"
  - "RA responsibilities"
  - "trust service provider"
  - "certification practice statement"
  - "registration authority"
---
# CA and RA responsibilities under ETSI EN 319 401

How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries.

## ETSI EN 319 401 CA and RA responsibilities

A focused answer for teams mapping certification authority and registration authority work into ETSI EN 319 401 governance evidence.

Grounded in ETSI source material. Use it as implementation guidance, not for legal interpretation.

Short answer: ETSI EN 319 401 does not provide a detailed CA/RA responsibility matrix. It requires the TSP to define and approve the policies and practices for the trust services it provides, identify external organizations supporting those services, segregate conflicting duties, document security roles and trusted roles, and retain responsibility where parts of the service are provided through other parties.

## What does EN 319 401 require for CA and RA responsibility?

Treat CA and RA responsibility as part of the TSP's documented practice system, not as an informal team chart. EN 319 401 requires the TSP to specify appropriate policies and practices, have a practice statement addressing the applicable trust service policy, obtain management approval, implement those practices, and define a review process with responsibilities for maintaining the practice statement.

For CA or RA activities performed by external organizations, the practice statement should not hide the dependency. EN 319 401 requires the trust service practice statement to identify obligations of external organizations supporting the TSP's services, including applicable policies and practices.

- Map CA and RA activities to the TSP practice statement or certificate-specific CPS rather than leaving them only in private working notes.
- Show management approval and a named review process for the practices that govern certificate issuance, registration support, revocation support, and related service components.
- Identify any external organization, registration service provider, component provider, outsourcer, or subcontractor that supports the CA or RA process.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for TSP practice statement, management approval, external organization obligations, and review-process requirements.
- [ETSI EN 319 411-1 V1.5.1 certificate TSP requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Certificate-service context explaining that a CPS states how the TSP creates and maintains certificates and can include operational procedures for tasks and responsibilities.

## Where should teams draw the CA/RA boundary?

EN 319 401 names certification services and registration services as examples of trust services, but it stays at the general TSP-policy level. For certificate services, ETSI EN 319 411-1 provides the more specific vocabulary: a CA is an authority trusted to create and assign certificates, and an RA is responsible mainly for identification and authentication of certificate subjects.

Use that certificate-specific vocabulary to label the work, then use EN 319 401 to govern the evidence: policy scope, approved practices, role assignment, segregation of conflicting duties, competence, external obligations, and supplier controls. Do not claim that EN 319 401 alone defines every CA or RA procedure.

- Separate CA certificate-generation and certificate-status responsibilities from RA identification, authentication, certificate-application, and revocation-support responsibilities.
- Document who performs the work, whether the role is internal or external, which trust service policy or certificate policy applies, and which practice statement governs it.
- If the RA function is delegated or outsourced, retain evidence that the TSP remains accountable for conformance and has a documented agreement covering the relevant security obligations.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the TSP-level requirement to define policies, segregate duties, document roles, and maintain responsibility when using other parties.
- [ETSI EN 319 411-1 V1.5.1 certificate TSP requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides certificate-service definitions for Certification Authority, Registration Authority, Certification Practice Statement, and registration officers.

## What evidence should support the responsibility map?

The useful artifact is a responsibility map that connects each CA or RA activity to the policy, practice statement, role, approval record, and evidence location. EN 319 401 supports this by requiring policies and practices to be approved, communicated where relevant, maintained, and made available to subscribers and relying parties as necessary to demonstrate conformance, while allowing sensitive details to remain undisclosed.

For certificate services, keep the public-facing CPS or terms aligned with the private operating evidence. EN 319 411-1 explains that low-level operational procedures can hold specific task and responsibility details that are useful for daily operation and process review, even if they are not publicly disclosed.

- Practice statement or CPS section identifying CA, RA, registration officer, revocation-support, and external-support responsibilities.
- Management approval record, review cadence, and change-notice trigger for practice-statement changes that may affect subjects, subscribers, or relying parties.
- Role and access evidence showing segregation of conflicting duties, documented trusted roles, personnel competence, and contractor or supplier obligations.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports evidence expectations for practice statement approval, publication, maintenance, role documentation, and duty segregation.
- [ETSI EN 319 411-1 V1.5.1 certificate TSP requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the split between public CPS information and internal operational procedures containing detailed tasks and responsibilities.

## Primary sources

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for the TSP-level requirements used in this FAQ: policies and practices, practice statements, management responsibility, segregation of duties, documented roles, external support, and subcontracted-service accountability.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-1 V1.5.1 certificate TSP requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Certificate-service context for CA, RA, CPS, registration, certificate generation, revocation management, and related responsibility vocabulary.
  - Quote: "Policy and Security Requirements for Trust Service Providers issuing certificates"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

