---
title: "eIDAS Articles 19 and 24 in ETSI EN 319 401"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24"
author: "Sorena AI"
description: "See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 401"
  - "eIDAS Article 19"
  - "eIDAS Article 24"
  - "qualified trust service provider"
  - "incident reporting"
  - "termination plan"
  - "qualified trust service providers"
  - "trust service evidence"
---
# eIDAS Articles 19 and 24 in ETSI EN 319 401

See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence.

## ETSI EN 319 401 eIDAS Articles 19 and 24 evidence mapping

A practical FAQ for reading eIDAS Article 19 and selected Article 24 duties through the ETSI EN 319 401 V3.1.1 Annex B mapping.

Use this as standards evidence planning. ETSI EN 319 401 helps organize policy, security, incident, continuity, personnel, terms, and change evidence, but it is not a standalone legal opinion.

Short answer: use ETSI EN 319 401 V3.1.1 Annex B as a mapping aid, not as a blanket eIDAS compliance claim. Annex B maps Article 19 security-risk and incident-notification duties to EN 319 401 clauses on risk assessment, policies, TSP management, incident management, and business continuity. It also maps selected Article 24 qualified trust service provider duties to requirements on change notification, personnel, terms and conditions, records, and termination planning.

## What does ETSI EN 319 401 say about Article 19?

Annex B of ETSI EN 319 401 V3.1.1 maps eIDAS Article 19.1 to clauses 5, 6.3, and 7.2 through 7.12. In practical terms, the file should show how the TSP identifies and evaluates trust service risks, selects risk treatment measures, documents the information security policy and practice statement, manages personnel and operations, handles incidents, and maintains continuity and termination arrangements.

Annex B also maps Article 19.1's requirement to prevent and minimize incident impact and inform stakeholders to clauses 7.9 and 7.11. The directly useful evidence is therefore incident monitoring, response, stakeholder communication, continuity coordination, and post-incident review evidence, not just a generic security policy.

- Keep the Article 19.1 evidence tied to EN 319 401 clause 5 risk assessment, clause 6.3 information security policy, and the TSP management and operation clauses in 7.2 through 7.12.
- For incident handling, keep procedures for detection, containment, eradication, recovery, stakeholder communication, documentation, testing, and post-incident review together with ownership records.
- For Article 19.2, document notification procedures for a breach of security or loss of integrity with significant impact on the trust service or related personal data, including the 24-hour timing referenced by EN 319 401.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for the Annex B mapping from eIDAS Article 19 to EN 319 401 risk, policy, incident, continuity, and TSP management clauses.

## What does ETSI EN 319 401 say about Article 24?

EN 319 401 Annex B does not turn the standard into a complete Article 24 checklist. It gives selected mappings for qualified trust service provider duties. The mappings the source supports are: Article 24.2(a) to REQ-6.3-04X, for informing the supervisory body about changes in qualified trust services or an intention to cease them; Article 24.2(b) to clause 7.2, for personnel and subcontractor competence; and Article 24.2(d) to clause 6.2, for precise terms and conditions before a contractual relationship.

The Annex B excerpt also identifies Article 24.2(h) on keeping relevant issued and received information accessible for an appropriate period, including after cessation, and Article 24.2(i) on having an up-to-date termination plan. EN 319 401 clause 7.12 separately requires an up-to-date termination plan and continuity-oriented arrangements when a TSP ceases services.

- For Article 24.2(a), keep change-notification and cessation-notification procedures aligned with REQ-6.3-04X.
- For Article 24.2(b), keep personnel and subcontractor competence, training, reliability, and management evidence aligned with clause 7.2.
- For Article 24.2(d), keep customer-facing terms and conditions evidence aligned with clause 6.2, including the trust service policy, limitations, relying-party information, and conformity-assessment statement where applicable.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for selected Annex B mappings from eIDAS Article 24.2 to EN 319 401 requirements and clauses.
- [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Used only for qualified-certificate context: EN 319 411-2 says it adds requirements for TSPs issuing EU qualified certificates and does not by itself imply qualified status under eIDAS.

## How should a team build the evidence file?

Start with the trust service and legal posture, then map only the applicable Article 19 and Article 24 duties to the ETSI clauses that the cited sources actually support. A qualified certificate issuer should not treat EN 319 401 alone as the full evidence basis: EN 319 411-2 states that it incorporates EN 319 411-1 and adds requirements for EU qualified certificates, while also warning that conformance to EN 319 411-2 alone does not imply qualified status under eIDAS.

A useful evidence file separates three layers: the eIDAS duty being discussed, the EN 319 401 requirement or clause used as supporting evidence, and the actual artifact proving current operation. That structure avoids unsupported claims such as 'EN 319 401 certifies Article 24 compliance' and makes gaps visible before audit or customer review.

- Record the trust service type, whether the service is qualified or non-qualified, and whether the evidence concerns certificates, time-stamping, remote signing, validation, preservation, or another trust service.
- For each Article 19 or Article 24 row, cite the EN 319 401 clause or requirement, name the owner, attach the evidence artifact, and set a review trigger for source, service, supplier, or incident changes.
- Flag anything outside the Annex B mappings as a legal or service-specific standards gap rather than filling it with generic workflow language.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for general TSP policy, risk, incident, continuity, termination, and Annex B eIDAS mapping context.
- [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the caution that qualified-certificate services need service-specific requirements beyond EN 319 401 general policy evidence.

## Primary sources

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general TSP policy requirements, incident-management requirements, termination planning, and Annex B eIDAS mappings.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Service-specific context for EU qualified certificate providers; used to avoid overstating what EN 319 401 alone proves.
  - Quote: "Requirements for trust service providers issuing EU qualified certificates"
