---
title: "ETSI EN 319 401 Subcontractor Requirements FAQ"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/subcontractors"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/faq/subcontractors"
author: "Sorena AI"
description: "How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 319 401 subcontractors"
  - "TSP outsourcing"
  - "trust service supplier agreements"
  - "EN 319 401 supply chain controls"
  - "ETSI EN 319 401"
  - "subcontractors"
  - "outsourcing"
  - "supplier agreements"
  - "trust service provider"
---

# ETSI EN 319 401 Subcontractor Requirements FAQ

How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility.

## How should teams handle subcontractors under ETSI EN 319 401?

A focused FAQ for trust service teams deciding how subcontractors, outsourcers, direct suppliers, and trust service component providers should be controlled and evidenced.

Grounded in ETSI EN 319 401 V3.1.1. Use it as implementation guidance, not for legal interpretation.

Short answer: EN 319 401 does not let a trust service provider hand off responsibility just because part of the service is subcontracted or outsourced. When other parties provide parts of the service, the TSP keeps overall responsibility for conformance and needs documented agreements, required controls, security requirements in contracts, monitoring, and a supplier-agreement register.

## What does EN 319 401 require when a TSP uses subcontractors?

EN 319 401 treats subcontracting, outsourcing, and other third-party arrangements as part of the TSP's controlled supply chain. Clause 7.14.3 says that when other parties, including trust service component providers, provide parts of the service, the TSP maintains overall responsibility for conformance with the supply chain policy, information security policy, and trust service policy requirements.

That means the practical control is not just vendor onboarding. The TSP should identify which part of the trust service is performed by the outside party, record the TSP-owned policy requirements that apply, and keep evidence showing that the arrangement is governed by documented responsibilities rather than informal reliance on the supplier.

- Map each subcontracted or outsourced activity to the affected trust service, component, policy, system, information flow, and evidence owner.
- Keep the TSP as the accountable owner for conformance even when a subcontractor or trust service component provider performs part of the service.
- Use the trust service practice statement to identify obligations of external organizations supporting the TSP's services.
- Require staff and, where applicable, subcontractors to have suitable expertise, reliability, experience, qualifications, and relevant cybersecurity and personal data protection training.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports retained TSP responsibility for subcontracting and outsourcing arrangements, external organization obligations in the practice statement, and subcontractor competence expectations.

## What should be in the subcontractor agreement evidence?

The agreement evidence should show that the supplier relationship is specific enough to enforce the TSP's information security requirements. EN 319 401 calls for documented agreements and contractual relationships when service provisioning involves subcontracting, outsourcing, or other third-party arrangements, so both parties understand their obligations to fulfil relevant information security requirements.

For evidence review, keep the signed agreement together with the requirement map. The agreement should show the outsourcer's liability, the controls the outsourcer is bound to implement, the TSP security policies and requirements included in contracts, and any service level agreements or auditing mechanisms used to check that direct suppliers and service providers take appropriate security measures aligned with the TSP risk assessment.

- Document the service part or component the subcontractor provides and the trust service policy requirements it affects.
- Define outsourcer liability and bind the outsourcer to implement controls required by the TSP.
- Include applicable TSP security policies and requirements in contracts with direct suppliers or service providers.
- Use service level agreements and/or auditing mechanisms to evidence that direct suppliers address TSP security requirements aligned with the TSP risk assessment.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports documented agreements, contractual relationships, outsourcer liability, required controls, security clauses, service level agreements, and auditing mechanisms for suppliers.

## How should teams keep subcontractor evidence current?

Treat subcontractor evidence as living supply chain evidence, not a one-time procurement file. EN 319 401 requires the TSP to monitor, review, evaluate, and manage changes in direct supplier or service provider cybersecurity practices at planned intervals or after an incident related to the services they provide.

The standard also requires a supplier and agreement register that tracks where TSP information is managed or archived, and it requires regular review, validation, and update of that register to confirm agreements remain valid, fit for purpose, and include relevant information security clauses. If a TSP terminates its services, EN 319 401 also calls for terminating all subcontractor authorization to act on behalf of the TSP for functions related to issuing trust service tokens.

- Maintain a register of suppliers and agreements showing where TSP information is managed or archived.
- Regularly review, validate, and update the supplier register and agreements for validity, fitness for purpose, and relevant security clauses.
- Trigger reassessment after an incident related to a direct supplier's or service provider's provision of services.
- Include subcontractor authorization termination in the TSP service termination plan when subcontractors act for functions related to issuing trust service tokens.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports planned and incident-triggered supplier monitoring, supplier-agreement registers, register review, and termination of subcontractor authorization before TSP service termination.

## Primary sources

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for this FAQ's subcontractor, outsourcing, supplier agreement, SLA, monitoring, supplier register, competence, practice statement, and termination-plan guidance.
  - Quote: "subcontracting, outsourcing or other third party arrangements"

