---
title: "ETSI EN 319 401 FAQ for trust service providers"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/items/page/2"
author: "Sorena AI"
description: "source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 319 401 FAQ"
  - "trust service provider requirements"
  - "TSP practice statement"
  - "EN 319 401 risk assessment"
  - "trust service evidence"
  - "ETSI EN 319 401"
  - "trust service provider"
  - "eIDAS trust services"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 319 401 FAQ for trust service providers

source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence.

*Artifact Guide* *GLOBAL* *ETSI EN 319 401*

## ETSI EN 319 401 FAQ for TSPs

Practical answers for trust service providers using ETSI EN 319 401 V3.1.1 to structure policies, controls, records, incidents, continuity, and supplier evidence.

Grounded in ETSI EN 319 401 source material. Use it to clarify implementation scope and evidence; do not treat it as a legal opinion or proof of conformity.

This FAQ answers common implementation questions about ETSI EN 319 401 V3.1.1, the ETSI standard for general policy requirements for trust service providers. It focuses on what the standard actually covers, how a TSP should frame its practice statement and terms, how risk assessment drives controls, and what evidence is needed for incidents, records, continuity, termination, and suppliers.

## Browse sub-FAQ modules

### [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md)

How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries.

- 3 items

### [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md)

See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence.

- 3 items

### [ETSI EN 319 401 conformity assessment bodies: what is covered?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md)

Understand what ETSI EN 319 401 says, and does not say, about conformity assessment bodies, independent assessment, and TSP evidence preparation.

- 3 items

### [ETSI EN 319 401 policy documentation: what is required?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md)

How ETSI EN 319 401 treats policy documentation: practice statements, terms and conditions, information security policy, evidence records, and change review.

- 3 items

### [ETSI EN 319 401 Subcontractor Requirements FAQ](/artifacts/global/etsi-en-319-401/faq/subcontractors.md)

How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility.

- 3 items

### [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md)

How ETSI EN 319 401 V3.1.1 expects trust service providers to detect, respond to, report, classify, document, and review security incidents.

- 4 items

### [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md)

How to scope ETSI EN 319 401 for a trust service provider: service boundaries, trust service policy, practice statement, terms, risks, and third-party components.

- 3 items

Browse all indexed questions: [/artifacts/global/etsi-en-319-401/faq/items](/artifacts/global/etsi-en-319-401/faq/items.md)

## All FAQ items

*Page 2 of 2. Showing 2 of 22 items.*

### [What documents should show the scope?](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md#what-documents-should-show-the-scope)

*Module: [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md)*

The most useful scope evidence is not a generic statement that a provider follows EN 319 401. Clause 6 points to specific documents: the TSP must specify policies and practices appropriate for the trust services it provides, maintain a practice statement addressing applicable trust service policy requirements, and make relevant documentation available to subscribers and relying parties as needed to demonstrate conformance.

- Use the trust service policy to explain the community, application class, or common security requirements the service is intended to serve.
- Use the TSP practice statement to describe the practices and procedures used to meet the applicable trust service policy.
- Use terms and conditions to disclose service limitations and relying-party information before the subscriber enters a contractual relationship.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for the EN 319 401 scope statement, trust service policy and practice statement requirements, terms and conditions, risk assessment, and third-party responsibility requirements.

### [What scope questions should teams answer before claiming coverage?](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md#what-scope-questions-should-teams-answer-before-claiming-coverage)

*Module: [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md)*

A credible EN 319 401 scope review should answer operational questions that the standard itself makes relevant: which services are provided, which risks were assessed, which policies and practice statements were approved, which evidence is retained, and which outside organizations or components support the service.

- List the in-scope trust services and the applicable trust service policy for each one.
- Confirm management approval for the risk assessment and residual risk, plus approval authority for the practice statement.
- Identify external organizations supporting the service and document their obligations in the practice statement.
- For subcontracting, outsourcing, cloud use, or other third-party arrangements, record how the TSP maintains overall responsibility for the supply chain policy, information security policy, and applicable trust service policy requirements.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for the EN 319 401 scope statement, trust service policy and practice statement requirements, terms and conditions, risk assessment, and third-party responsibility requirements.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/global/etsi-en-319-401/faq/items](/artifacts/global/etsi-en-319-401/faq/items.md)
- Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL.
- Current page: 2 of 2

Pages: [1](/artifacts/global/etsi-en-319-401/faq/items.md) | [2](/artifacts/global/etsi-en-319-401/faq/items/page/2.md)

[Previous page](/artifacts/global/etsi-en-319-401/faq/items.md)

*Recommended next step*

*Placement: after practical guidance*

## Operationalize the TSP evidence file

Use this ETSI EN 319 401 FAQ to separate scope questions, practice-statement duties, risk decisions, incident evidence, continuity tests, and supplier controls before assessment or customer review.

- [Open Assessment Autopilot for ETSI EN 319 401](/solutions/assessment.md): Convert EN 319 401 FAQ answers into accountable tasks, evidence requests, and review milestones.
- [Research ETSI EN 319 401 source questions](/solutions/research-copilot.md): Use cited ETSI material to resolve scope, applicability, evidence, and version questions before implementation.
- [Talk through TSP evidence](/contact.md): Review trust-service scope, practice-statement duties, incident records, supplier dependencies, and next EN 319 401 actions with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/items/page/2