Trust service provider scope under ETSI EN 319 401

A grounded FAQ for deciding what EN 319 401 covers for a trust service provider, what belongs in the practice statement and terms, and where service-specific standards still matter.

Based on ETSI EN 319 401 V3.1.1. Statements about eIDAS and assessment are narrowed where the source only provides an EN 319 401 mapping or references.

Author: Sorena AI
Published: May 9, 2026
Updated: May 27, 2026
Overview

Short answer: EN 319 401 is a baseline TSP management and operation standard. Scope it around the trust services the provider actually offers, then connect that scope to the applicable trust service policy, the TSP practice statement, subscriber and relying-party terms, risk assessment, and any external organizations or trust service components supporting the service.

Question 1

What does EN 319 401 cover for TSP scope?

ETSI EN 319 401 V3.1.1 says it specifies general policy requirements for Trust Service Providers that are independent of the type of TSP. That makes it a baseline for operation and management practices, not a complete service-specific rulebook for every certificate, time-stamp, validation, preservation, or component service.

The scope decision should therefore start by naming the trust service or services provided and separating the EN 319 401 baseline from any additional ETSI specification that refines or extends requirements for a particular form of TSP.

  • Identify the provider entity and each trust service in scope; EN 319 401 defines a TSP as an entity that provides one or more trust services.
  • Treat EN 319 401 as the general policy layer for TSP operation and management practices, including security management and cybersecurity for qualified and non-qualified trust services.
  • Record which service-specific ETSI standards, policies, or customer rules refine the baseline, because EN 319 401 says other specifications can refine and extend its requirements for particular TSP forms.
Question 2

What documents should show the scope?

The most useful scope evidence is not a generic statement that a provider follows EN 319 401. Clause 6 points to specific documents: the TSP must specify policies and practices appropriate for the trust services it provides, maintain a practice statement addressing applicable trust service policy requirements, and make relevant documentation available to subscribers and relying parties as needed to demonstrate conformance.

The terms and conditions also carry scope information. EN 319 401 says they should specify the trust service policy applied, limitations on use, subscriber obligations, information for relying parties, event-log retention period, liability limits, applicable legal system, complaint and dispute procedures, any conformity assessment scheme, contact information, and any availability undertaking.

  • Use the trust service policy to explain the community, application class, or common security requirements the service is intended to serve.
  • Use the TSP practice statement to describe the practices and procedures used to meet the applicable trust service policy.
  • Use terms and conditions to disclose service limitations and relying-party information before the subscriber enters a contractual relationship.
Question 3

What scope questions should teams answer before claiming coverage?

A credible EN 319 401 scope review should answer operational questions that the standard itself makes relevant: which services are provided, which risks were assessed, which policies and practice statements were approved, which evidence is retained, and which outside organizations or components support the service.

Do not use EN 319 401 alone to claim that a specific trust service has passed an independent assessment. The standard explicitly says it does not specify how its requirements can be assessed by an independent party, and it points to ETSI EN 319 403-1 for conformity assessment body requirements.

  • List the in-scope trust services and the applicable trust service policy for each one.
  • Confirm management approval for the risk assessment and residual risk, plus approval authority for the practice statement.
  • Identify external organizations supporting the service and document their obligations in the practice statement.
  • For subcontracting, outsourcing, cloud use, or other third-party arrangements, record how the TSP maintains overall responsibility for the supply chain policy, information security policy, and applicable trust service policy requirements.
Primary sources

etsi.org
  • Primary source for the EN 319 401 scope statement, trust service policy and practice statement requirements, terms and conditions, risk assessment, and third-party responsibility requirements.
  • "general policy requirements relating to Trust Service Providers (TSPs) that are independent of the type of TSP"