- Primary source for EN 319 401 clause 7.12 termination planning and continuity-oriented cessation requirements.
"TSP termination and termination plans"
A clause-grounded guide to EN 319 401 V3.1.1 incident response, reporting, post-incident review, evidence retention, continuity, crisis management, and termination planning.
Use it to plan trust service controls and audit evidence. Treat the eIDAS notification timing here as an EN 319 401 mapping aid, not as legal interpretation.
Use this page when a trust service provider needs to turn ETSI EN 319 401 V3.1.1 into operational incident and continuity evidence. The relevant center of gravity is clause 7.9 for vulnerabilities and incident management, clause 7.10 for collection of evidence, clause 7.11 for business continuity management, and clause 7.12 for TSP termination planning.
EN 319 401 treats incident work as more than a ticket queue. Clause 7.9.1 requires mechanisms to detect potential security incidents and respond through continuous monitoring and logging of network and information-system activity. The same clause calls for abnormal system activity that indicates a potential security violation, including intrusion, to be detected and reported as alarms.
Clause 7.9.2 then turns detection into response. A TSP needs procedures for containment, eradication, and recovery; communication plans with incident categorisation, escalation procedures, and reporting protocols; competent personnel; comprehensive documentation throughout detection and response; and clear interfaces between incident handling and business continuity management.
EN 319 401 requires reporting procedures before the incident happens. Clause 7.9.2 says the TSP shall comply with reporting obligations mandated by relevant legislative frameworks for network and information security incidents, including supervisory authorities and CSIRTs. It also requires stakeholder communication according to agreed communication plans.
Clause 7.9.3 is more specific for breaches of security or loss of integrity. It requires procedures to notify appropriate parties, in line with applicable regulatory rules, when a breach has a significant impact on the trust service provided and on the personal data maintained therein. The clause states a 24-hour period from the breach being identified and notes that EU TSPs can contact the appropriate supervisory body or competent authorities for guidance under eIDAS Article 19.2.
EN 319 401 requires incident documentation to support both current operations and later review. Clause 7.9.4 requires reported events to be analysed and severity-assessed, with the capability to reassess and reclassify events based on new inputs. Clause 7.9.5 requires the TSP to identify root cause and conduct a post-incident review, potentially resulting in measures to reduce recurrence risk.
Clause 7.10 broadens the evidence duty beyond incidents. A TSP must record and keep accessible, for an appropriate period and including after the TSP's activities have ceased, relevant information concerning data issued and received by the TSP. The stated purposes include legal evidence and continuity of service.
Use this guide to assign owners, procedures, test evidence, notification triggers, continuity artifacts, and termination-plan records for EN 319 401 clauses 7.9 through 7.12.
Convert EN 319 401 incident, evidence, continuity, and termination requirements into accountable controls and review checkpoints.
Use cited ETSI source material to check applicability, notification triggers, continuity scope, and evidence boundaries before implementation.
EN 319 401 clause 7.11 requires a continuity plan for disasters. It specifically names compromise of a private signing key or another TSP credential as disaster examples, and requires operations to be restored within the delay set in the continuity plan after addressing recurring causes such as security vulnerabilities.
The backup requirements are concrete. The TSP must maintain backup copies of information and sufficient resources, including facilities, network and information systems, and personnel, according to the risk assessment and business continuity plan. Backup plans have to account for recovery times, completeness and accuracy of backup copies, safe storage outside the backed-up network and sufficiently distant from the main site, controls matching classification level, and restoration processes including approval processes.
Continuity also matters when a TSP ceases services. EN 319 401 clause 7.12 requires potential disruption to subscribers and relying parties to be minimized, especially by continuing to maintain information needed to verify the correctness of trust services. The TSP must have an up-to-date termination plan.
Before termination, the TSP must inform subscribers and other entities with established relations, including relying parties, other TSPs, and relevant authorities such as supervisory bodies. It must also make termination information available to other relying parties, terminate subcontractor authorization for trust service token issuance functions, and transfer obligations to a reliable party for maintaining evidence of TSP operation unless it can demonstrate that it holds no such information.