
ETSI EN 319 401 Conformity assessment bodies and TSP evidence scope

A focused answer on how to read conformity assessment body references in ETSI EN 319 401 without overstating what the standard covers.

Grounded in ETSI EN 319 401 V3.1.1. Use it as implementation guidance, not as legal interpretation or as a substitute for an accredited assessment scheme.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026

Overview

Short answer: a conformity assessment body is the independent party that assesses a trust service provider, but ETSI EN 319 401 is not the rulebook for that body. The standard sets general policy requirements for TSPs and says it does not specify how those requirements can be assessed by an independent party or what information must be made available to independent assessors. If you are preparing for a CAB review, use EN 319 401 to identify the TSP evidence that may be reviewed, then rely on ETSI EN 319 403-1 and the applicable assessment scheme for the CAB's own requirements.

Question 1

What does EN 319 401 say about conformity assessment bodies?

EN 319 401 V3.1.1 sets baseline policy requirements for the operation and management practices of Trust Service Providers, independent of the type of trust service. Its scope statement draws a clear boundary: the standard does not define how the requirements can be assessed by an independent party, the information that has to be made available to independent assessors, or the requirements imposed on those assessors.

The practical consequence is that a TSP should not cite EN 319 401 alone as proof that a conformity assessment body is qualified or that a particular audit method is prescribed. EN 319 401 can support the evidence package, while the conformity assessment body's requirements belong in ETSI EN 319 403-1 and the applicable assessment scheme.

  • Use EN 319 401 to define the TSP policy, practice, security, recordkeeping, continuity, compliance, and supplier evidence that may be reviewed.
  • Do not treat EN 319 401 as the source for CAB accreditation, independence, sampling, audit-method, or assessor-competence rules.
  • When a customer asks for CAB status, separate the TSP's conformance evidence from the assessor's own authority, scope, and conformity assessment scheme.
Question 2

What evidence can a TSP prepare for assessor review?

Even though EN 319 401 does not prescribe the CAB's process, it does identify evidence areas that matter when a TSP needs to demonstrate how its trust service policy is implemented. The strongest assessor-facing package starts with the trust service practice statement, the policies and practices approved by management, and the public documentation made available to subscribers and relying parties where necessary to demonstrate conformance.

The terms and conditions are also important because EN 319 401 requires them to state, for each supported trust service policy, whether the service has been assessed as conformant and, if so, through which conformity assessment scheme. That makes the assessment claim itself a controlled piece of public-facing evidence.

  • Map the assessed service to the trust service policy being applied and the practices used to address that policy.
  • Keep management approval, publication, review responsibilities, and change-notice decisions traceable to the practice statement.
  • For customer-facing claims, ensure the terms and conditions identify whether conformity has been assessed and the conformity assessment scheme used, when such an assessment exists.
  • Avoid disclosing sensitive implementation details publicly; EN 319 401 allows relevant documentation to demonstrate conformance without requiring disclosure of sensitive aspects.
Question 3

What should not be claimed from EN 319 401 alone?

Do not use EN 319 401 by itself to claim that a specific CAB is accredited, that a specific CAB procedure is mandatory, or that an assessment result covers products, services, suppliers, or locations outside the actual assessment scope. The available EN 319 401 grounding only supports the standard's own boundary statement and the TSP evidence requirements inside the standard.

Where a TSP relies on suppliers, outsourcing, cloud services, or trust service components provided by another party, EN 319 401 keeps overall conformance responsibility with the TSP under the stated conditions. The evidence should therefore include supplier agreements, security requirements, monitoring, change review, and the supplier register where those requirements apply.

  • Keep CAB qualifications, accreditation status, assessor competence, and audit methodology out of EN 319 401-only claims.
  • Do not imply that an assessment covers all services unless the trust service policy, assessment scope, and scheme say so.
  • For outsourced or subcontracted service parts, keep the TSP's responsibility, agreements, supplier security requirements, and monitoring evidence explicit.
  • Review the evidence package after practice-statement changes, information security policy changes, supplier changes, incidents, or changes to service provision.
Primary sources

References and citations

etsi.org
Referenced sections
  • Primary ETSI source for the scope limit, supplier responsibility, security policy changes, and TSP evidence obligations.
"maintain overall responsibility for conformance"