FAQ item index

Indexed coverage: 22 of 22 items across 7 modules
Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026
Trust service provider scope under ETSI EN 319 401

What documents should show the scope?

The most useful scope evidence is not a generic statement that a provider follows EN 319 401. Clause 6 points to specific documents: the TSP must specify policies and practices appropriate for the trust services it provides, maintain a practice statement addressing applicable trust service policy requirements, and make relevant documentation available to subscribers and relying parties as needed to demonstrate conformance.

The terms and conditions also carry scope information. EN 319 401 says they should specify the trust service policy applied, limitations on use, subscriber obligations, information for relying parties, event-log retention period, liability limits, applicable legal system, complaint and dispute procedures, any conformity assessment scheme, contact information, and any availability undertaking.

  • Use the trust service policy to explain the community, application class, or common security requirements the service is intended to serve.
  • Use the TSP practice statement to describe the practices and procedures used to meet the applicable trust service policy.
  • Use terms and conditions to disclose service limitations and relying-party information before the subscriber enters a contractual relationship.
Trust service provider scope under ETSI EN 319 401

What scope questions should teams answer before claiming coverage?

A credible EN 319 401 scope review should answer operational questions that the standard itself makes relevant: which services are provided, which risks were assessed, which policies and practice statements were approved, which evidence is retained, and which outside organizations or components support the service.

Do not use EN 319 401 alone to claim that a specific trust service has passed an independent assessment. The standard explicitly says it does not specify how its requirements can be assessed by an independent party, and it points to ETSI EN 319 403-1 for conformity assessment body requirements.

  • List the in-scope trust services and the applicable trust service policy for each one.
  • Confirm management approval for the risk assessment and residual risk, plus approval authority for the practice statement.
  • Identify external organizations supporting the service and document their obligations in the practice statement.
  • For subcontracting, outsourcing, cloud use, or other third-party arrangements, record how the TSP maintains overall responsibility for the supply chain policy, information security policy, and applicable trust service policy requirements.