---
title: "ETSI EN 319 401 policy documentation: what is required?"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/policy-documentation"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/policy-documentation"
author: "Sorena AI"
description: "How ETSI EN 319 401 treats policy documentation: practice statements, terms and conditions, information security policy, evidence records, and change review."
published_at: "2024-06-01"
updated_at: "2024-06-01"
keywords:
  - "ETSI EN 319 401 policy documentation"
  - "trust service practice statement"
  - "TSP terms and conditions"
  - "information security policy"
  - "TSP evidence"
  - "ETSI EN 319 401"
  - "policy documentation"
---

# ETSI EN 319 401 policy documentation: what is required?

How ETSI EN 319 401 treats policy documentation: practice statements, terms and conditions, information security policy, evidence records, and change review.

*Artifact Guide* *GLOBAL* *ETSI EN 319 401*

## ETSI EN 319 401 Policy documentation requirements

A focused answer for teams turning EN 319 401 policy, practice, terms, security, and evidence requirements into maintainable documentation.

Grounded in ETSI EN 319 401 V3.1.1. Use it as implementation guidance, not as legal interpretation or as a substitute for an assessment scheme.

Short answer: under ETSI EN 319 401, policy documentation is not a single generic compliance file. A Trust Service Provider needs approved policies and practices, a trust service practice statement, available terms and conditions, a documented information security policy, records that can support evidence, and review processes that keep those documents current when relevant changes occur.

## What policy documents does EN 319 401 expect?

EN 319 401 V3.1.1 requires the TSP to specify the set of policies and practices appropriate for the trust services it provides. Those policies and practices have to be approved by management, published, and communicated to employees and external parties as relevant.

The core document is the trust service practice statement. EN 319 401 requires it to describe the practices and procedures used to address the applicable trust service policy identified by the TSP, identify obligations of external organizations supporting the service, and be maintained through a defined review process. The standard does not mandate a particular practice-statement structure.

- Maintain a trust service practice statement that maps the applicable trust service policy to the practices and procedures actually used.
- Record management approval and final authority for approving the practice statement.
- Identify external organizations supporting the service and the policies or practices that apply to their obligations.
- Define responsibilities for maintaining the practice statement and reviewing it over time.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for EN 319 401 policy and practice statement requirements.

## What should be made available to subscribers and relying parties?

EN 319 401 distinguishes between documentation that demonstrates conformance and sensitive details that do not need to be publicly disclosed. The TSP must make its practice statement and other relevant documentation available to subscribers and relying parties as necessary to demonstrate conformance to the trust service policy, while sensitive aspects can remain undisclosed.

The terms and conditions are a separate public-facing requirement. They must be available to subscribers and relying parties and, for each supported trust service policy, cover the policy being applied, use limitations, subscriber obligations, relying-party information, event-log retention, liability limitations, applicable legal system, complaint and dispute procedures, conformity-assessment status and scheme when applicable, contact information, and any availability undertaking.

- Keep a public or customer-facing version of the practice statement aligned with the controlled internal version.
- Do not publish sensitive implementation details merely to prove conformance; disclose what is necessary and support the rest through controlled evidence.
- Make terms and conditions available before a contractual relationship, through a durable means of communication, in readily understandable language.
- Treat event-log retention, limitations of liability, contact details, and conformity-assessment claims as controlled terms-and-conditions content.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for subscriber and relying-party documentation, sensitive-information boundaries, and terms-and-conditions content.

## How should policy documentation stay current?

Policy documentation should be maintained as a governed evidence set. EN 319 401 requires an information security policy approved by management, documented security controls and operating procedures for facilities, systems, and information assets, and communication of applicable policy changes to impacted parties.

Review triggers matter. The information security policy and asset inventory must be reviewed at planned intervals or when significant changes occur, and changes that impact the security level require management-body approval. When a practice-statement change might affect service acceptance by a subject, subscriber, or relying party, the TSP has to give due notice; after approval, the revised practice statement has to be made available.

- Connect the practice statement, information security policy, asset inventory, operating procedures, and terms and conditions instead of maintaining them as disconnected files.
- Document the maximum interval between configuration checks in the trust service practice statement.
- Use planned reviews, significant changes, service-provision changes, security-impacting changes, and practice-statement changes as update triggers.
- Keep records accessible for an appropriate period to support legal evidence and service continuity, including after TSP activities cease where applicable.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for information security policy maintenance, review triggers, change approval, configuration-check interval documentation, and collection of evidence.

## Primary sources

- [ETSI EN 319 401 V3.1.1 (2024-06)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for policy and practice statement requirements, terms and conditions, information security policy, change review, configuration-check interval documentation, and collection of evidence.
  - Quote: "General Policy Requirements for Trust Service Providers"

## Topic Guides

- [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md): How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries.
- [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md): See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence.
- [ETSI EN 319 401 Audit and Conformity Assessment Evidence](/artifacts/global/etsi-en-319-401/audit-and-conformity-assessment.md): How to prepare ETSI EN 319 401 evidence for audit and conformity assessment without overstating what the standard itself assesses.
- [ETSI EN 319 401 Audit Evidence Pack](/artifacts/global/etsi-en-319-401/audit-evidence-pack.md): Build an ETSI EN 319 401 audit evidence pack around records, logs, policies, risk assessment, incident handling, continuity, and supplier evidence.
- [ETSI EN 319 401 Audit Evidence Pack Workflow](/artifacts/global/etsi-en-319-401/audit-evidence-pack-workflow.md): Build an ETSI EN 319 401 audit evidence pack for trust service providers: risk assessment, practice statement, policies, records, logs, continuity, and supplier evidence.
- [ETSI EN 319 401 compliance duties for TSPs](/artifacts/global/etsi-en-319-401/compliance.md): Source-linked ETSI EN 319 401 compliance guidance for trust service providers: legal operation, evidence, accessibility, privacy, records, incidents, continuity, and suppliers.
- [ETSI EN 319 401 conformity assessment bodies: what is covered?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md): Understand what ETSI EN 319 401 says, and does not say, about conformity assessment bodies, independent assessment, and TSP evidence preparation.
- [ETSI EN 319 401 FAQ for trust service providers](/artifacts/global/etsi-en-319-401/faq.md): Source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence.
- [ETSI EN 319 401 Incident Evidence Workflow](/artifacts/global/etsi-en-319-401/incident-and-continuity-evidence-workflow.md): Build an EN 319 401 incident and continuity evidence workflow for TSP monitoring, response, reporting, records, backup recovery, and crisis review.
- [ETSI EN 319 401 Incident Reporting and Continuity Duties](/artifacts/global/etsi-en-319-401/incident-and-continuity-duties.md): Practical ETSI EN 319 401 V3.1.1 guidance for trust service incident response, reporting, evidence retention, business continuity, and termination planning.
- [ETSI EN 319 401 Personnel, Asset, and Access Controls](/artifacts/global/etsi-en-319-401/personnel-asset-and-access-controls.md): Clause-focused EN 319 401 V3.1.1 guide to TSP personnel duties, trusted roles, asset inventories, classification, and access-control evidence.
- [ETSI EN 319 401 policy and security requirements](/artifacts/global/etsi-en-319-401/policy-and-security-requirements.md): Source-linked ETSI EN 319 401 guidance for TSP policy and security requirements: risk assessment, practice statements, terms, security policy, controls, incidents, and evidence.
- [ETSI EN 319 401 requirements map](/artifacts/global/etsi-en-319-401/requirements.md): Map ETSI EN 319 401 V3.1.1 requirements for trust service providers across risk assessment, policies, TSP operations, incidents, evidence, continuity, termination, and supply chain controls.
- [ETSI EN 319 401 Risk Assessment and Treatment](/artifacts/global/etsi-en-319-401/risk-management.md): Clause-grounded ETSI EN 319 401 V3.1.1 guidance for trust service risk assessment, risk treatment, residual-risk approval, and evidence planning.
- [ETSI EN 319 401 Subcontractor Controls](/artifacts/global/etsi-en-319-401/subcontractor-controls.md): Practical EN 319 401 guidance for TSP subcontractor controls: retained responsibility, agreements, SLAs, supplier registers, monitoring, and audit evidence.
- [ETSI EN 319 401 Subcontractor Evidence Workflow](/artifacts/global/etsi-en-319-401/subcontractor-evidence-workflow.md): Build an EN 319 401 subcontractor evidence workflow for TSP supplier agreements, SLAs, audit mechanisms, risk reviews, supplier registers, and archived records.
- [ETSI EN 319 401 Subcontractor Requirements FAQ](/artifacts/global/etsi-en-319-401/faq/subcontractors.md): How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility.
- [ETSI EN 319 401 Trust Service Applicability Workflow](/artifacts/global/etsi-en-319-401/trust-service-applicability-workflow.md): A scoped workflow for deciding when ETSI EN 319 401 applies to a trust service and what TSP policy, risk, terms, operations, and supplier evidence to collect.
- [ETSI EN 319 401 Trust Service Provider Applicability](/artifacts/global/etsi-en-319-401/trust-service-provider-applicability.md): Use ETSI EN 319 401 to decide whether a trust service provider activity falls in the standard's type-independent baseline and what service, policy, risk, supplier, and evidence boundaries to document.
- [ETSI EN 319 401 vs eIDAS Article 19 and 24](/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-eidas.md): Compare ETSI EN 319 401 V3.1.1 with the eIDAS provisions mapped in Annex B: trust service risk management, incident handling, records, staff, terms, and termination planning.
- [ETSI EN 319 401 vs EN 319 403-1: TSP Policy vs CAB Assessment](/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-en-319-403-1.md): Compare ETSI EN 319 401 and ETSI EN 319 403-1 for trust service providers: TSP operating controls, conformity assessment context, evidence boundaries, and reuse limits.
- [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md): How ETSI EN 319 401 V3.1.1 expects trust service providers to detect, respond to, report, classify, document, and review security incidents.
- [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md): How to scope ETSI EN 319 401 for a trust service provider: service boundaries, trust service policy, practice statement, terms, risks, and third-party components.

*Recommended next step*


## Operationalize policy documentation under ETSI EN 319 401

Use this FAQ to connect practice statements, terms, information security policy, records, owners, and review triggers into one evidence workflow.

- [Build the evidence map](/solutions/assessment.md): Connect EN 319 401 documentation requirements to owners, records, review triggers, and assessment-ready evidence.
- [Resolve source boundaries](/solutions/research-copilot.md): Check which claims belong in the practice statement, public terms, information security policy, or controlled evidence pack.
- [Talk through implementation](/contact.md): Review documentation scope, source-linked gaps, owners, and next compliance actions with Sorena.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

