Search every question across sub-FAQs

Treat CA and RA responsibility as part of the TSP's documented practice system, not as an informal team chart. EN 319 401 requires the TSP to specify appropriate policies and practices, have a practice statement addressing the applicable trust service policy, obtain management approval, implement those practices, and define a review process with responsibilities for maintaining the practice statement.

For CA or RA activities performed by external organizations, the practice statement should not hide the dependency. EN 319 401 requires the trust service practice statement to identify obligations of external organizations supporting the TSP's services, including applicable policies and practices.

EN 319 401 names certification services and registration services as examples of trust services, but it stays at the general TSP-policy level. For certificate services, ETSI EN 319 411-1 provides the more specific vocabulary: a CA is an authority trusted to create and assign certificates, and an RA is responsible mainly for identification and authentication of certificate subjects.

Use that certificate-specific vocabulary to label the work, then use EN 319 401 to govern the evidence: policy scope, approved practices, role assignment, segregation of conflicting duties, competence, external obligations, and supplier controls. Do not claim that EN 319 401 alone defines every CA or RA procedure.

The useful artifact is a responsibility map that connects each CA or RA activity to the policy, practice statement, role, approval record, and evidence location. EN 319 401 supports this by requiring policies and practices to be approved, communicated where relevant, maintained, and made available to subscribers and relying parties as necessary to demonstrate conformance, while allowing sensitive details to remain undisclosed.

For certificate services, keep the public-facing CPS or terms aligned with the private operating evidence. EN 319 411-1 explains that low-level operational procedures can hold specific task and responsibility details that are useful for daily operation and process review, even if they are not publicly disclosed.

Annex B of ETSI EN 319 401 V3.1.1 maps eIDAS Article 19.1 to clauses 5, 6.3, and 7.2 through 7.12. In practical terms, the file should show how the TSP identifies and evaluates trust service risks, selects risk treatment measures, documents the information security policy and practice statement, manages personnel and operations, handles incidents, and maintains continuity and termination arrangements.

Annex B also maps Article 19.1's requirement to prevent and minimize incident impact and inform stakeholders to clauses 7.9 and 7.11. The directly useful evidence is therefore incident monitoring, response, stakeholder communication, continuity coordination, and post-incident review evidence, not just a generic security policy.

EN 319 401 Annex B does not turn the standard into a complete Article 24 checklist. It gives selected mappings for qualified trust service provider duties. The grounded examples are Article 24.2(a) to REQ-6.3-04X for informing the supervisory body about changes in qualified trust services or an intention to cease them, Article 24.2(b) to clause 7.2 for personnel and subcontractor competence, and Article 24.2(d) to clause 6.2 for precise terms and conditions before a contractual relationship.

The Annex B excerpt also identifies Article 24.2(h) on keeping relevant issued and received information accessible for an appropriate period, including after cessation, and Article 24.2(i) on having an up-to-date termination plan. EN 319 401 clause 7.12 separately requires an up-to-date termination plan and continuity-oriented arrangements when a TSP ceases services.

Start with the trust service and legal posture, then map only the applicable Article 19 and Article 24 duties to the ETSI clauses that the grounding actually supports. A qualified certificate issuer should not treat EN 319 401 alone as the full evidence basis: EN 319 411-2 states that it incorporates EN 319 411-1 and adds requirements for EU qualified certificates, while also warning that conformance to EN 319 411-2 alone does not imply qualified status under eIDAS.

A useful evidence file separates three layers: the eIDAS duty being discussed, the EN 319 401 requirement or clause used as supporting evidence, and the actual artifact proving current operation. That structure avoids unsupported claims such as 'EN 319 401 certifies Article 24 compliance' and makes gaps visible before audit or customer review.

EN 319 401 V3.1.1 sets baseline policy requirements for the operation and management practices of Trust Service Providers, independent of the type of trust service. Its scope statement draws a clear boundary: the standard does not define how the requirements can be assessed by an independent party, the information that has to be made available to independent assessors, or the requirements imposed on those assessors.

The practical consequence is that a TSP should not cite EN 319 401 alone as proof that a conformity assessment body is qualified or that a particular audit method is prescribed. EN 319 401 can support the evidence package, while the conformity assessment body's requirements belong in ETSI EN 319 403-1 and the applicable assessment scheme.

Even though EN 319 401 does not prescribe the CAB's process, it does identify evidence areas that matter when a TSP needs to demonstrate how its trust service policy is implemented. The strongest assessor-facing package starts with the trust service practice statement, the policies and practices approved by management, and the public documentation made available to subscribers and relying parties where necessary to demonstrate conformance.

The terms and conditions are also important because EN 319 401 requires them to state, for each supported trust service policy, whether the service has been assessed as conformant and, if so, through which conformity assessment scheme. That makes the assessment claim itself a controlled piece of public-facing evidence.

Do not use EN 319 401 by itself to claim that a specific CAB is accredited, that a specific CAB procedure is mandatory, or that an assessment result covers products, services, suppliers, or locations outside the actual assessment scope. The available EN 319 401 grounding only supports the standard's own boundary statement and the TSP evidence requirements inside the standard.

Where a TSP relies on suppliers, outsourcing, cloud services, or trust service components provided by another party, EN 319 401 keeps overall conformance responsibility with the TSP under the stated conditions. The evidence should therefore include supplier agreements, security requirements, monitoring, change review, and the supplier register where those requirements apply.

EN 319 401 V3.1.1 requires the TSP to specify the set of policies and practices appropriate for the trust services it provides. Those policies and practices have to be approved by management, published, and communicated to employees and external parties as relevant.

The core document is the trust service practice statement. EN 319 401 requires it to describe the practices and procedures used to address the applicable trust service policy identified by the TSP, identify obligations of external organizations supporting the service, and be maintained through a defined review process. The standard does not mandate a particular practice-statement structure.

EN 319 401 distinguishes between documentation that demonstrates conformance and sensitive details that do not need to be publicly disclosed. The TSP must make its practice statement and other relevant documentation available to subscribers and relying parties as necessary to demonstrate conformance to the trust service policy, while sensitive aspects can remain undisclosed.

The terms and conditions are a separate public-facing requirement. They must be available to subscribers and relying parties and, for each supported trust service policy, cover the policy being applied, use limitations, subscriber obligations, relying-party information, event-log retention, liability limitations, applicable legal system, complaint and dispute procedures, conformity-assessment status and scheme when applicable, contact information, and any availability undertaking.

Policy documentation should be maintained as a governed evidence set. EN 319 401 requires an information security policy approved by management, documented security controls and operating procedures for facilities, systems, and information assets, and communication of applicable policy changes to impacted parties.

Review triggers matter. The information security policy and asset inventory must be reviewed at planned intervals or when significant changes occur, and changes that impact the security level require management-body approval. When a practice-statement change might affect service acceptance by a subject, subscriber, or relying party, the TSP has to give due notice; after approval, the revised practice statement has to be made available.

EN 319 401 treats subcontracting, outsourcing, and other third-party arrangements as part of the TSP's controlled supply chain. Clause 7.14.3 says that when other parties, including trust service component providers, provide parts of the service, the TSP maintains overall responsibility for conformance with the supply chain policy, information security policy, and trust service policy requirements.

That means the practical control is not just vendor onboarding. The TSP should identify which part of the trust service is performed by the outside party, record the TSP-owned policy requirements that apply, and keep evidence showing that the arrangement is governed by documented responsibilities rather than informal reliance on the supplier.

The agreement evidence should show that the supplier relationship is specific enough to enforce the TSP's information security requirements. EN 319 401 calls for documented agreements and contractual relationships when service provisioning involves subcontracting, outsourcing, or other third-party arrangements, so both parties understand their obligations to fulfil relevant information security requirements.

For evidence review, keep the signed agreement together with the requirement map. The agreement should show the outsourcer's liability, the controls the outsourcer is bound to implement, the TSP security policies and requirements included in contracts, and any service level agreements or auditing mechanisms used to check that direct suppliers and service providers take appropriate security measures aligned with the TSP risk assessment.

Treat subcontractor evidence as living supply chain evidence, not a one-time procurement file. EN 319 401 requires the TSP to monitor, review, evaluate, and manage changes in direct supplier or service provider cybersecurity practices at planned intervals or after an incident related to the services they provide.

The standard also requires a supplier and agreement register that tracks where TSP information is managed or archived, and it requires regular review, validation, and update of that register to confirm agreements remain valid, fit for purpose, and include relevant information security clauses. If a TSP terminates its services, EN 319 401 also calls for terminating all subcontractor authorization to act on behalf of the TSP for functions related to issuing trust service tokens.

Clause 7.9 of ETSI EN 319 401 V3.1.1 is the core incident-management clause. It covers monitoring and logging, incident response, reporting, event assessment and classification, and post-incident reviews. The practical implication is that incident handling should be documented from detection through follow-up, with evidence that the process actually operates.

The standard defines incident handling as actions and procedures to prevent, detect, analyse, contain, respond to, and recover from an incident. It also defines an information security incident as related and identified information security events that can harm assets or compromise operations, so the incident process should connect event intake, severity assessment, response, and lessons learned.

EN 319 401 expects incident handling to have assigned roles and communication paths. The TSP should maintain communication plans that include incident categorisation, escalation procedures, and standardised reporting protocols. Personnel also need the competencies to detect and respond to security incidents.

For alerts of potentially critical security events, the standard calls for trusted role personnel to follow up and make sure relevant incidents are reported in line with the TSP's procedures. The incident function should also have clear interfaces with business continuity management so response and service restoration do not run as disconnected workstreams.

EN 319 401 does not let teams replace legal analysis with a generic notification rule. It says the TSP shall comply with reporting obligations mandated by relevant legislative frameworks for network and information security incidents, including supervisory authorities and CSIRTs.

For a breach of security or loss of integrity with significant impact on the trust service provided and on the personal data maintained in it, clause 7.9.3 requires procedures to notify appropriate parties in line with applicable regulatory rules within 24 hours of the breach being identified. The ETSI note says TSPs operating within the European Union can contact the appropriate supervisory body or other competent authorities for guidance on notification procedures under eIDAS Article 19.2.

A useful EN 319 401 incident file should show the full chain: event source, severity assessment, classification changes, response actions, stakeholder communication, vulnerability handling, continuity coordination, and post-incident review. This keeps the page focused on evidence that a trust service provider can maintain and show to assessors or customers.

Post-incident work should not stop at closure notes. Clause 7.9.5 requires the TSP to keep informed about technical vulnerabilities, evaluate its exposure, take appropriate measures, identify incident root cause, conduct post-incident reviews, and ensure each past incident led to a post-incident review.

ETSI EN 319 401 V3.1.1 says it specifies general policy requirements for Trust Service Providers that are independent of the type of TSP. That makes it a baseline for operation and management practices, not a complete service-specific rulebook for every certificate, time-stamp, validation, preservation, or component service.

The scope decision should therefore start by naming the trust service or services provided and separating the EN 319 401 baseline from any additional ETSI specification that refines or extends requirements for a particular form of TSP.