--- title: "ETSI EN 319 401 conformity assessment bodies: what is covered?" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies" author: "Sorena AI" description: "Understand what ETSI EN 319 401 says, and does not say, about conformity assessment bodies, independent assessment, and TSP evidence preparation." published_at: "2026-05-09" updated_at: "2026-05-27" keywords: - "ETSI EN 319 401 conformity assessment bodies" - "TSP conformity assessment" - "trust service provider evidence" - "EN 319 401 assessment scope" - "ETSI EN 319 401" - "conformity assessment bodies" - "trust service providers" - "TSP evidence" - "FAQ" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 401 conformity assessment bodies: what is covered? Understand what ETSI EN 319 401 says, and does not say, about conformity assessment bodies, independent assessment, and TSP evidence preparation. *Artifact Guide* *GLOBAL* *ETSI EN 319 401* ## ETSI EN 319 401 Conformity assessment bodies and TSP evidence scope A focused answer on how to read conformity assessment body references in ETSI EN 319 401 without overstating what the standard covers. Grounded in ETSI EN 319 401 V3.1.1. Use it as implementation guidance, not for legal interpretation or a substitute for an accredited assessment scheme. Short answer: a conformity assessment body is the independent party that assesses a trust service provider, but ETSI EN 319 401 is not the rulebook for that body. The standard sets general policy requirements for TSPs and says it does not specify how those requirements can be assessed by an independent party or what information must be made available to independent assessors. If you are preparing for a CAB review, use EN 319 401 to identify the TSP evidence that may be reviewed, then rely on ETSI EN 319 403-1 and the applicable assessment scheme for the CAB's own requirements. ## What does EN 319 401 say about conformity assessment bodies? EN 319 401 V3.1.1 sets baseline policy requirements for the operation and management practices of Trust Service Providers, independent of the type of trust service. Its scope statement draws a clear boundary: the standard does not define how the requirements can be assessed by an independent party, the information that has to be made available to independent assessors, or the requirements imposed on those assessors. The practical consequence is that a TSP should not cite EN 319 401 alone as proof that a conformity assessment body is qualified or that a particular audit method is prescribed. EN 319 401 can support the evidence package, while the conformity assessment body's requirements belong in ETSI EN 319 403-1 and the applicable assessment scheme. - Use EN 319 401 to define the TSP policy, practice, security, recordkeeping, continuity, compliance, and supplier evidence that may be reviewed. - Do not treat EN 319 401 as the source for CAB accreditation, independence, sampling, audit-method, or assessor-competence rules. - When a customer asks for CAB status, separate the TSP's conformance evidence from the assessor's own authority, scope, and conformity assessment scheme. Sources for this answer: - [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for EN 319 401 scope and TSP policy requirements. ## What evidence can a TSP prepare for assessor review? Even though EN 319 401 does not prescribe the CAB's process, it does identify evidence areas that matter when a TSP needs to demonstrate how its trust service policy is implemented. The strongest assessor-facing package starts with the trust service practice statement, the policies and practices approved by management, and the public documentation made available to subscribers and relying parties where necessary to demonstrate conformance. The terms and conditions are also important because EN 319 401 requires them to state, for each supported trust service policy, whether the service has been assessed as conformant and, if so, through which conformity assessment scheme. That makes the assessment claim itself a controlled piece of public-facing evidence. - Map the assessed service to the trust service policy being applied and the practices used to address that policy. - Keep management approval, publication, review responsibilities, and change-notice decisions traceable to the practice statement. - For customer-facing claims, ensure the terms and conditions identify whether conformity has been assessed and the conformity assessment scheme used, when such an assessment exists. - Avoid disclosing sensitive implementation details publicly; EN 319 401 allows relevant documentation to demonstrate conformance without requiring disclosure of sensitive aspects. Sources for this answer: - [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for practice statements, public documentation, and terms-and-conditions assessment disclosures. ## What should not be claimed from EN 319 401 alone? Do not use EN 319 401 by itself to claim that a specific CAB is accredited, that a specific CAB procedure is mandatory, or that an assessment result covers products, services, suppliers, or locations outside the actual assessment scope. The available EN 319 401 grounding only supports the standard's own boundary statement and the TSP evidence requirements inside the standard. Where a TSP relies on suppliers, outsourcing, cloud services, or trust service components provided by another party, EN 319 401 keeps overall conformance responsibility with the TSP under the stated conditions. The evidence should therefore include supplier agreements, security requirements, monitoring, change review, and the supplier register where those requirements apply. - Keep CAB qualifications, accreditation status, assessor competence, and audit methodology out of EN 319 401-only claims. - Do not imply that an assessment covers all services unless the trust service policy, assessment scope, and scheme say so. - For outsourced or subcontracted service parts, keep the TSP's responsibility, agreements, supplier security requirements, and monitoring evidence explicit. - Review the evidence package after practice-statement changes, information security policy changes, supplier changes, incidents, or changes to service provision. Sources for this answer: - [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for the scope limit, supplier responsibility, security policy changes, and TSP evidence obligations. ## Primary sources - [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for EN 319 401 scope, TSP policy requirements, assessor boundary language, terms-and-conditions assessment disclosure, records, compliance evidence, and supplier controls. - Quote: "General Policy Requirements for Trust Service Providers" ## Topic Guides - [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md): How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries. - [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md): See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence. - [ETSI EN 319 401 Audit and Conformity Assessment Evidence](/artifacts/global/etsi-en-319-401/audit-and-conformity-assessment.md): How to prepare ETSI EN 319 401 evidence for audit and conformity assessment without overstating what the standard itself assesses. - [ETSI EN 319 401 Audit Evidence Pack](/artifacts/global/etsi-en-319-401/audit-evidence-pack.md): Build an ETSI EN 319 401 audit evidence pack around records, logs, policies, risk assessment, incident handling, continuity, and supplier evidence. - [ETSI EN 319 401 Audit Evidence Pack Workflow](/artifacts/global/etsi-en-319-401/audit-evidence-pack-workflow.md): Build an ETSI EN 319 401 audit evidence pack for trust service providers: risk assessment, practice statement, policies, records, logs, continuity, and supplier evidence. - [ETSI EN 319 401 compliance duties for TSPs](/artifacts/global/etsi-en-319-401/compliance.md): source-linked ETSI EN 319 401 compliance guidance for trust service providers: legal operation, evidence, accessibility, privacy, records, incidents, continuity, and suppliers. - [ETSI EN 319 401 FAQ for trust service providers](/artifacts/global/etsi-en-319-401/faq.md): source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence. - [ETSI EN 319 401 Incident Evidence Workflow](/artifacts/global/etsi-en-319-401/incident-and-continuity-evidence-workflow.md): Build an EN 319 401 incident and continuity evidence workflow for TSP monitoring, response, reporting, records, backup recovery, and crisis review. - [ETSI EN 319 401 Incident Reporting and Continuity Duties](/artifacts/global/etsi-en-319-401/incident-and-continuity-duties.md): Practical ETSI EN 319 401 V3.1.1 guidance for trust service incident response, reporting, evidence retention, business continuity, and termination planning. - [ETSI EN 319 401 Personnel, Asset, and Access Controls](/artifacts/global/etsi-en-319-401/personnel-asset-and-access-controls.md): Clause-focused EN 319 401 V3.1.1 guide to TSP personnel duties, trusted roles, asset inventories, classification, and access-control evidence. - [ETSI EN 319 401 policy and security requirements](/artifacts/global/etsi-en-319-401/policy-and-security-requirements.md): source-linked ETSI EN 319 401 guidance for TSP policy and security requirements: risk assessment, practice statements, terms, security policy, controls, incidents, and evidence. - [ETSI EN 319 401 policy documentation: what is required?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md): How ETSI EN 319 401 treats policy documentation: practice statements, terms and conditions, information security policy, evidence records, and change review. - [ETSI EN 319 401 requirements map](/artifacts/global/etsi-en-319-401/requirements.md): Map ETSI EN 319 401 V3.1.1 requirements for trust service providers across risk assessment, policies, TSP operations, incidents, evidence, continuity, termination, and supply chain controls. - [ETSI EN 319 401 Risk Assessment and Treatment](/artifacts/global/etsi-en-319-401/risk-management.md): Clause-grounded ETSI EN 319 401 V3.1.1 guidance for trust service risk assessment, risk treatment, residual-risk approval, and evidence planning. - [ETSI EN 319 401 Subcontractor Controls](/artifacts/global/etsi-en-319-401/subcontractor-controls.md): Practical EN 319 401 guidance for TSP subcontractor controls: retained responsibility, agreements, SLAs, supplier registers, monitoring, and audit evidence. - [ETSI EN 319 401 Subcontractor Evidence Workflow](/artifacts/global/etsi-en-319-401/subcontractor-evidence-workflow.md): Build an EN 319 401 subcontractor evidence workflow for TSP supplier agreements, SLAs, audit mechanisms, risk reviews, supplier registers, and archived records. - [ETSI EN 319 401 Subcontractor Requirements FAQ](/artifacts/global/etsi-en-319-401/faq/subcontractors.md): How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility. - [ETSI EN 319 401 Trust Service Applicability Workflow](/artifacts/global/etsi-en-319-401/trust-service-applicability-workflow.md): A scoped workflow for deciding when ETSI EN 319 401 applies to a trust service and what TSP policy, risk, terms, operations, and supplier evidence to collect. - [ETSI EN 319 401 Trust Service Provider Applicability](/artifacts/global/etsi-en-319-401/trust-service-provider-applicability.md): Use ETSI EN 319 401 to decide whether a trust service provider activity falls in the standard's type-independent baseline and what service, policy, risk, supplier, and evidence boundaries to document. - [ETSI EN 319 401 vs eIDAS Article 19 and 24](/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-eidas.md): Compare ETSI EN 319 401 V3.1.1 with the eIDAS provisions mapped in Annex B: trust service risk management, incident handling, records, staff, terms, and termination planning. - [ETSI EN 319 401 vs EN 319 403-1: TSP Policy vs CAB Assessment](/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-en-319-403-1.md): Compare ETSI EN 319 401 and ETSI EN 319 403-1 for trust service providers: TSP operating controls, conformity assessment context, evidence boundaries, and reuse limits. - [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md): How ETSI EN 319 401 V3.1.1 expects trust service providers to detect, respond to, report, classify, document, and review security incidents. - [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md): How to scope ETSI EN 319 401 for a trust service provider: service boundaries, trust service policy, practice statement, terms, risks, and third-party components. *Recommended next step* *Placement: after practical guidance* ## Prepare TSP evidence without overstating CAB coverage Use this guidance to separate EN 319 401 evidence preparation from CAB accreditation, assessor methodology, and scheme-specific requirements. - [Build the evidence map](/solutions/assessment.md): Connect EN 319 401 requirements to practice statements, terms, records, supplier controls, and review triggers. - [Resolve scope questions](/solutions/research-copilot.md): Check whether a claim belongs in EN 319 401 evidence, an assessment scheme, or CAB-specific requirements. - [Talk through implementation](/contact.md): Review assessment scope, evidence gaps, owners, and customer-facing claims with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies