---
title: "ETSI EN 319 401 FAQ for trust service providers"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/items"
author: "Sorena AI"
description: "source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 319 401 FAQ"
  - "trust service provider requirements"
  - "TSP practice statement"
  - "EN 319 401 risk assessment"
  - "trust service evidence"
  - "ETSI EN 319 401"
  - "trust service provider"
  - "eIDAS trust services"
---

# ETSI EN 319 401 FAQ for trust service providers

Source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence.


## ETSI EN 319 401 FAQ for TSPs

Practical answers for trust service providers using ETSI EN 319 401 V3.1.1 to structure policies, controls, records, incidents, continuity, and supplier evidence.

Grounded in ETSI EN 319 401 source material. Use it to clarify implementation scope and evidence; do not treat it as a legal opinion or proof of conformity.

This FAQ answers common implementation questions about ETSI EN 319 401 V3.1.1, the ETSI standard for general policy requirements for trust service providers. It focuses on what the standard actually covers, how a TSP should frame its practice statement and terms, how risk assessment drives controls, and what evidence is needed for incidents, records, continuity, termination, and suppliers.

## Browse sub-FAQ modules

### [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md)

How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries.

- 3 items

### [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md)

See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence.

- 3 items

### [ETSI EN 319 401 conformity assessment bodies: what is covered?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md)

Understand what ETSI EN 319 401 says, and does not say, about conformity assessment bodies, independent assessment, and TSP evidence preparation.

- 3 items

### [ETSI EN 319 401 policy documentation: what is required?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md)

How ETSI EN 319 401 treats policy documentation: practice statements, terms and conditions, information security policy, evidence records, and change review.

- 3 items

### [ETSI EN 319 401 Subcontractor Requirements FAQ](/artifacts/global/etsi-en-319-401/faq/subcontractors.md)

How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility.

- 3 items

### [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md)

How ETSI EN 319 401 V3.1.1 expects trust service providers to detect, respond to, report, classify, document, and review security incidents.

- 4 items

### [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md)

How to scope ETSI EN 319 401 for a trust service provider: service boundaries, trust service policy, practice statement, terms, risks, and third-party components.

- 3 items

Browse all indexed questions: [/artifacts/global/etsi-en-319-401/faq/items](/artifacts/global/etsi-en-319-401/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 22 items.*

### [What does EN 319 401 require for CA and RA responsibility?](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md#what-does-en-319-401-require-for-ca-and-ra-responsibility)

*Module: [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md)*

Treat CA and RA responsibility as part of the TSP's documented practice system, not as an informal team chart. EN 319 401 requires the TSP to specify appropriate policies and practices, have a practice statement addressing the applicable trust service policy, obtain management approval, implement those practices, and define a review process with responsibilities for maintaining the practice statement.

- Map CA and RA activities to the TSP practice statement or certificate-specific CPS rather than leaving them only in private working notes.
- Show management approval and a named review process for the practices that govern certificate issuance, registration support, revocation support, and related service components.
- Identify any external organization, registration service provider, component provider, outsourcer, or subcontractor that supports the CA or RA process.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for TSP practice statement, management approval, external organization obligations, and review-process requirements.
- [ETSI EN 319 411-1 V1.5.1 certificate TSP requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Certificate-service context explaining that a CPS states how the TSP creates and maintains certificates and can include operational procedures for tasks and responsibilities.

### [Where should teams draw the CA/RA boundary?](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md#where-should-teams-draw-the-cara-boundary)

*Module: [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md)*

EN 319 401 names certification services and registration services as examples of trust services, but it stays at the general TSP-policy level. For certificate services, ETSI EN 319 411-1 provides the more specific vocabulary: a CA is an authority trusted to create and assign certificates, and an RA is responsible mainly for identification and authentication of certificate subjects.

- Separate CA certificate-generation and certificate-status responsibilities from RA identification, authentication, certificate-application, and revocation-support responsibilities.
- Document who performs the work, whether the role is internal or external, which trust service policy or certificate policy applies, and which practice statement governs it.
- If the RA function is delegated or outsourced, retain evidence that the TSP remains accountable for conformance and has a documented agreement covering the relevant security obligations.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Grounds the TSP-level requirement to define policies, segregate duties, document roles, and maintain responsibility when using other parties.
- [ETSI EN 319 411-1 V1.5.1 certificate TSP requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides certificate-service definitions for Certification Authority, Registration Authority, Certification Practice Statement, and registration officers.

### [What evidence should support the responsibility map?](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md#what-evidence-should-support-the-responsibility-map)

*Module: [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md)*

The useful artifact is a responsibility map that connects each CA or RA activity to the policy, practice statement, role, approval record, and evidence location. EN 319 401 supports this by requiring policies and practices to be approved, communicated where relevant, maintained, and made available to subscribers and relying parties as necessary to demonstrate conformance, while allowing sensitive details to remain undisclosed.

- Practice statement or CPS section identifying CA, RA, registration officer, revocation-support, and external-support responsibilities.
- Management approval record, review cadence, and change-notice trigger for practice-statement changes that may affect subjects, subscribers, or relying parties.
- Role and access evidence showing segregation of conflicting duties, documented trusted roles, personnel competence, and contractor or supplier obligations.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports evidence expectations for practice statement approval, publication, maintenance, role documentation, and duty segregation.
- [ETSI EN 319 411-1 V1.5.1 certificate TSP requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the split between public CPS information and internal operational procedures containing detailed tasks and responsibilities.

### [What does ETSI EN 319 401 say about Article 19?](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md#what-does-etsi-en-319-401-say-about-article-19)

*Module: [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md)*

Annex B of ETSI EN 319 401 V3.1.1 maps eIDAS Article 19.1 to clauses 5, 6.3, and 7.2 through 7.12. In practical terms, the file should show how the TSP identifies and evaluates trust service risks, selects risk treatment measures, documents the information security policy and practice statement, manages personnel and operations, handles incidents, and maintains continuity and termination arrangements.

- Keep the Article 19.1 evidence tied to EN 319 401 clause 5 risk assessment, clause 6.3 information security policy, and the TSP management and operation clauses in 7.2 through 7.12.
- For incident handling, keep procedures for detection, containment, eradication, recovery, stakeholder communication, documentation, testing, and post-incident review together with ownership records.
- For Article 19.2, document notification procedures for a breach of security or loss of integrity with significant impact on the trust service or related personal data, including the 24-hour timing referenced by EN 319 401.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for the Annex B mapping from eIDAS Article 19 to EN 319 401 risk, policy, incident, continuity, and TSP management clauses.

### [What does ETSI EN 319 401 say about Article 24?](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md#what-does-etsi-en-319-401-say-about-article-24)

*Module: [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md)*

EN 319 401 Annex B does not turn the standard into a complete Article 24 checklist. It gives selected mappings for qualified trust service provider duties. The grounded examples are Article 24.2(a) to REQ-6.3-04X for informing the supervisory body about changes in qualified trust services or an intention to cease them, Article 24.2(b) to clause 7.2 for personnel and subcontractor competence, and Article 24.2(d) to clause 6.2 for precise terms and conditions before a contractual relationship.

- For Article 24.2(a), keep change-notification and cessation-notification procedures aligned with REQ-6.3-04X.
- For Article 24.2(b), keep personnel and subcontractor competence, training, reliability, and management evidence aligned with clause 7.2.
- For Article 24.2(d), keep customer-facing terms and conditions evidence aligned with clause 6.2, including the trust service policy, limitations, relying-party information, and conformity-assessment statement where applicable.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for selected Annex B mappings from eIDAS Article 24.2 to EN 319 401 requirements and clauses.
- [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Used only for qualified-certificate context: EN 319 411-2 says it adds requirements for TSPs issuing EU qualified certificates and does not by itself imply qualified status under eIDAS.

### [How should a team build the evidence file?](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md#how-should-a-team-build-the-evidence-file)

*Module: [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md)*

Start with the trust service and legal posture, then map only the applicable Article 19 and Article 24 duties to the ETSI clauses that the grounding actually supports. A qualified certificate issuer should not treat EN 319 401 alone as the full evidence basis: EN 319 411-2 states that it incorporates EN 319 411-1 and adds requirements for EU qualified certificates, while also warning that conformance to EN 319 411-2 alone does not imply qualified status under eIDAS.

- Record the trust service type, whether the service is qualified or non-qualified, and whether the evidence concerns certificates, time-stamping, remote signing, validation, preservation, or another trust service.
- For each Article 19 or Article 24 row, cite the EN 319 401 clause or requirement, name the owner, attach the evidence artifact, and set a review trigger for source, service, supplier, or incident changes.
- Flag anything outside the Annex B mappings as a legal or service-specific standards gap rather than filling it with generic workflow language.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for general TSP policy, risk, incident, continuity, termination, and Annex B eIDAS mapping context.
- [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the caution that qualified-certificate services need service-specific requirements beyond EN 319 401 general policy evidence.

### [What does EN 319 401 say about conformity assessment bodies?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md#what-does-en-319-401-say-about-conformity-assessment-bodies)

*Module: [ETSI EN 319 401 conformity assessment bodies: what is covered?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md)*

EN 319 401 V3.1.1 sets baseline policy requirements for the operation and management practices of Trust Service Providers, independent of the type of trust service. Its scope statement draws a clear boundary: the standard does not define how the requirements can be assessed by an independent party, the information that has to be made available to independent assessors, or the requirements imposed on those assessors.

- Use EN 319 401 to define the TSP policy, practice, security, recordkeeping, continuity, compliance, and supplier evidence that may be reviewed.
- Do not treat EN 319 401 as the source for CAB accreditation, independence, sampling, audit-method, or assessor-competence rules.
- When a customer asks for CAB status, separate the TSP's conformance evidence from the assessor's own authority, scope, and conformity assessment scheme.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for EN 319 401 scope and TSP policy requirements.

### [What evidence can a TSP prepare for assessor review?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md#what-evidence-can-a-tsp-prepare-for-assessor-review)

*Module: [ETSI EN 319 401 conformity assessment bodies: what is covered?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md)*

Even though EN 319 401 does not prescribe the CAB's process, it does identify evidence areas that matter when a TSP needs to demonstrate how its trust service policy is implemented. The strongest assessor-facing package starts with the trust service practice statement, the policies and practices approved by management, and the public documentation made available to subscribers and relying parties where necessary to demonstrate conformance.

- Map the assessed service to the trust service policy being applied and the practices used to address that policy.
- Keep management approval, publication, review responsibilities, and change-notice decisions traceable to the practice statement.
- For customer-facing claims, ensure the terms and conditions identify whether conformity has been assessed and the conformity assessment scheme used, when such an assessment exists.
- Avoid disclosing sensitive implementation details publicly; EN 319 401 allows relevant documentation to demonstrate conformance without requiring disclosure of sensitive aspects.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for practice statements, public documentation, and terms-and-conditions assessment disclosures.

### [What should not be claimed from EN 319 401 alone?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md#what-should-not-be-claimed-from-en-319-401-alone)

*Module: [ETSI EN 319 401 conformity assessment bodies: what is covered?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md)*

Do not use EN 319 401 by itself to claim that a specific CAB is accredited, that a specific CAB procedure is mandatory, or that an assessment result covers products, services, suppliers, or locations outside the actual assessment scope. The available EN 319 401 grounding only supports the standard's own boundary statement and the TSP evidence requirements inside the standard.

- Keep CAB qualifications, accreditation status, assessor competence, and audit methodology out of EN 319 401-only claims.
- Do not imply that an assessment covers all services unless the trust service policy, assessment scope, and scheme say so.
- For outsourced or subcontracted service parts, keep the TSP's responsibility, agreements, supplier security requirements, and monitoring evidence explicit.
- Review the evidence package after practice-statement changes, information security policy changes, supplier changes, incidents, or changes to service provision.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for the scope limit, supplier responsibility, security policy changes, and TSP evidence obligations.

### [What policy documents does EN 319 401 expect?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md#what-policy-documents-does-en-319-401-expect)

*Module: [ETSI EN 319 401 policy documentation: what is required?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md)*

EN 319 401 V3.1.1 requires the TSP to specify the set of policies and practices appropriate for the trust services it provides. Those policies and practices have to be approved by management, published, and communicated to employees and external parties as relevant.

- Maintain a trust service practice statement that maps the applicable trust service policy to the practices and procedures actually used.
- Record management approval and final authority for approving the practice statement.
- Identify external organizations supporting the service and the policies or practices that apply to their obligations.
- Define responsibilities for maintaining the practice statement and reviewing it over time.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for EN 319 401 policy and practice statement requirements.

### [What should be made available to subscribers and relying parties?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md#what-should-be-made-available-to-subscribers-and-relying-parties)

*Module: [ETSI EN 319 401 policy documentation: what is required?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md)*

EN 319 401 distinguishes between documentation that demonstrates conformance and sensitive details that do not need to be publicly disclosed. The TSP must make its practice statement and other relevant documentation available to subscribers and relying parties as necessary to demonstrate conformance to the trust service policy, while sensitive aspects can remain undisclosed.

- Keep a public or customer-facing version of the practice statement aligned with the controlled internal version.
- Do not publish sensitive implementation details merely to prove conformance; disclose what is necessary and support the rest through controlled evidence.
- Make terms and conditions available before a contractual relationship, through a durable means of communication, in readily understandable language.
- Treat event-log retention, limitations of liability, contact details, and conformity-assessment claims as controlled terms-and-conditions content.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for subscriber and relying-party documentation, sensitive-information boundaries, and terms-and-conditions content.

### [How should policy documentation stay current?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md#how-should-policy-documentation-stay-current)

*Module: [ETSI EN 319 401 policy documentation: what is required?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md)*

Policy documentation should be maintained as a governed evidence set. EN 319 401 requires an information security policy approved by management, documented security controls and operating procedures for facilities, systems, and information assets, and communication of applicable policy changes to impacted parties.

- Connect the practice statement, information security policy, asset inventory, operating procedures, and terms and conditions instead of maintaining them as disconnected files.
- Document the maximum interval between configuration checks in the trust service practice statement.
- Use planned reviews, significant changes, service-provision changes, security-impacting changes, and practice-statement changes as update triggers.
- Keep records accessible for an appropriate period to support legal evidence and service continuity, including after TSP activities cease where applicable.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for information security policy maintenance, review triggers, change approval, configuration-check interval documentation, and collection of evidence.

### [What does EN 319 401 require when a TSP uses subcontractors?](/artifacts/global/etsi-en-319-401/faq/subcontractors.md#what-does-en-319-401-require-when-a-tsp-uses-subcontractors)

*Module: [ETSI EN 319 401 Subcontractor Requirements](/artifacts/global/etsi-en-319-401/faq/subcontractors.md)*

EN 319 401 treats subcontracting, outsourcing, and other third-party arrangements as part of the TSP's controlled supply chain. Clause 7.14.3 says that when other parties, including trust service component providers, provide parts of the service, the TSP maintains overall responsibility for conformance with the supply chain policy, information security policy, and trust service policy requirements.

- Map each subcontracted or outsourced activity to the affected trust service, component, policy, system, information flow, and evidence owner.
- Keep the TSP as the accountable owner for conformance even when a subcontractor or trust service component provider performs part of the service.
- Use the trust service practice statement to identify obligations of external organizations supporting the TSP's services.
- Require staff and, where applicable, subcontractors to have suitable expertise, reliability, experience, qualifications, and relevant cybersecurity and personal data protection training.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports retained TSP responsibility for subcontracting and outsourcing arrangements, external organization obligations in the practice statement, and subcontractor competence expectations.

### [What should be in the subcontractor agreement evidence?](/artifacts/global/etsi-en-319-401/faq/subcontractors.md#what-should-be-in-the-subcontractor-agreement-evidence)

*Module: [ETSI EN 319 401 Subcontractor Requirements](/artifacts/global/etsi-en-319-401/faq/subcontractors.md)*

The agreement evidence should show that the supplier relationship is specific enough to enforce the TSP's information security requirements. EN 319 401 calls for documented agreements and contractual relationships when service provisioning involves subcontracting, outsourcing, or other third-party arrangements, so both parties understand their obligations to fulfil relevant information security requirements.

- Document the service part or component the subcontractor provides and the trust service policy requirements it affects.
- Define outsourcer liability and bind the outsourcer to implement controls required by the TSP.
- Include applicable TSP security policies and requirements in contracts with direct suppliers or service providers.
- Use service level agreements and/or auditing mechanisms to evidence that direct suppliers address TSP security requirements aligned with the TSP risk assessment.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports documented agreements, contractual relationships, outsourcer liability, required controls, security clauses, service level agreements, and auditing mechanisms for suppliers.

### [How should teams keep subcontractor evidence current?](/artifacts/global/etsi-en-319-401/faq/subcontractors.md#how-should-teams-keep-subcontractor-evidence-current)

*Module: [ETSI EN 319 401 Subcontractor Requirements](/artifacts/global/etsi-en-319-401/faq/subcontractors.md)*

Treat subcontractor evidence as living supply chain evidence, not a one-time procurement file. EN 319 401 requires the TSP to monitor, review, evaluate, and manage changes in direct supplier or service provider cybersecurity practices at planned intervals or after an incident related to the services they provide.

- Maintain a register of suppliers and agreements showing where TSP information is managed or archived.
- Regularly review, validate, and update the supplier register and agreements for validity, fitness for purpose, and relevant security clauses.
- Trigger reassessment after an incident related to a direct supplier's or service provider's provision of services.
- Include subcontractor authorization termination in the TSP service termination plan when subcontractors act for functions related to issuing trust service tokens.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports planned and incident-triggered supplier monitoring, supplier-agreement registers, register review, and termination of subcontractor authorization before TSP service termination.

### [What does ETSI EN 319 401 require for security incidents?](/artifacts/global/etsi-en-319-401/faq/security-incidents.md#what-does-etsi-en-319-401-require-for-security-incidents)

*Module: [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md)*

Clause 7.9 of ETSI EN 319 401 V3.1.1 is the core incident-management clause. It covers monitoring and logging, incident response, reporting, event assessment and classification, and post-incident reviews. The practical implication is that incident handling should be documented from detection through follow-up, with evidence that the process actually operates.

- Detect potential security incidents through continuous monitoring and logging mechanisms for the TSP's network and information systems.
- Maintain, document, and regularly review logs covering network traffic, user and permission administration, administrator activity, critical configuration and backup access or changes, security-relevant logs, resource use, and relevant physical, network-device, and environmental events.
- Use incident response procedures that include containment, eradication, and recovery, then keep comprehensive documentation throughout detection and response.
- Analyse reported events, assess severity, and be able to reassess and reclassify events when new inputs appear.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for clause 7.9 requirements on monitoring, logging, incident response, reporting, event assessment, classification, and post-incident review.

### [Who must be involved in incident response?](/artifacts/global/etsi-en-319-401/faq/security-incidents.md#who-must-be-involved-in-incident-response)

*Module: [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md)*

EN 319 401 expects incident handling to have assigned roles and communication paths. The TSP should maintain communication plans that include incident categorisation, escalation procedures, and standardised reporting protocols. Personnel also need the competencies to detect and respond to security incidents.

- Name the incident owner, trusted role personnel, escalation path, and business continuity handoff before an incident occurs.
- Keep stakeholder communication plans separate from ad hoc status updates; EN 319 401 expects agreed communication plans and standardised reporting protocols.
- Train staff on the reporting procedure and communicate the reporting procedure to contractors and customers.
- Test and review roles, responsibilities, and procedures regularly and after incidents.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for clause 7.9.2 incident-response roles, competencies, communication plans, documentation, and continuity interfaces.

### [When does ETSI EN 319 401 point to notification duties?](/artifacts/global/etsi-en-319-401/faq/security-incidents.md#when-does-etsi-en-319-401-point-to-notification-duties)

*Module: [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md)*

EN 319 401 does not let teams replace legal analysis with a generic notification rule. It says the TSP shall comply with reporting obligations mandated by relevant legislative frameworks for network and information security incidents, including supervisory authorities and CSIRTs.

- Do not claim every incident has the same external notification path; first classify the event and identify the applicable regulatory rule.
- Keep procedures for notifying appropriate parties when there is a significant-impact breach of security or loss of integrity affecting the trust service and related personal data.
- Notify affected natural or legal persons without undue delay when the breach is likely to adversely affect the person to whom the trust service was provided.
- Maintain a simple reporting procedure for staff, contractors, and customers to report possible network and information security incidents.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for clause 7.9.3 reporting requirements and the EU note that references eIDAS Article 19.2 guidance from supervisory or competent authorities.

### [What evidence should an incident file contain?](/artifacts/global/etsi-en-319-401/faq/security-incidents.md#what-evidence-should-an-incident-file-contain)

*Module: [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md)*

A useful EN 319 401 incident file should show the full chain: event source, severity assessment, classification changes, response actions, stakeholder communication, vulnerability handling, continuity coordination, and post-incident review. It should focus on evidence that a trust service provider can maintain and show to assessors or customers.

- Monitoring evidence: alert records, log-review records, and the log categories covered by the monitoring process.
- Response evidence: containment, eradication, recovery, owner decisions, communication records, and business continuity handoffs.
- Reporting evidence: regulatory-rule assessment, appropriate-party notification records where applicable, and staff, contractor, or customer intake records.
- Review evidence: root-cause analysis, vulnerability exposure assessment, mitigation plan or documented no-remediation basis, and proof that the post-incident review occurred.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for post-incident review, vulnerability exposure evaluation, root-cause, and evidence-retention expectations relevant to incident files.

### [What does EN 319 401 cover for TSP scope?](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md#what-does-en-319-401-cover-for-tsp-scope)

*Module: [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md)*

ETSI EN 319 401 V3.1.1 says it specifies general policy requirements for Trust Service Providers that are independent of the type of TSP. That makes it a baseline for operation and management practices, not a complete service-specific rulebook for every certificate, time-stamp, validation, preservation, or component service.

- Identify the provider entity and each trust service in scope; EN 319 401 defines a TSP as an entity that provides one or more trust services.
- Treat EN 319 401 as the general policy layer for TSP operation and management practices, including security management and cybersecurity for qualified and non-qualified trust services.
- Record which service-specific ETSI standards, policies, or customer rules refine the baseline, because EN 319 401 says other specifications can refine and extend its requirements for particular TSP forms.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for the EN 319 401 scope statement, trust service policy and practice statement requirements, terms and conditions, risk assessment, and third-party responsibility requirements.


## Operationalize the TSP evidence file

Use this ETSI EN 319 401 FAQ to separate scope questions, practice-statement duties, risk decisions, incident evidence, continuity tests, and supplier controls before assessment or customer review.

- [Open Assessment Autopilot for ETSI EN 319 401](/solutions/assessment.md): Convert EN 319 401 FAQ answers into accountable tasks, evidence requests, and review milestones.
- [Research ETSI EN 319 401 source questions](/solutions/research-copilot.md): Use cited ETSI material to resolve scope, applicability, evidence, and version questions before implementation.
- [Talk through TSP evidence](/contact.md): Review trust-service scope, practice-statement duties, incident records, supplier dependencies, and next EN 319 401 actions with Sorena.


---


(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/items
