--- title: "ETSI EN 319 401 Incident Reporting and Continuity Duties" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/incident-and-continuity-duties" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/incident-and-continuity-duties" author: "Sorena AI" description: "Practical ETSI EN 319 401 V3.1.1 guidance for trust service incident response, reporting, evidence retention, business continuity, and termination planning." published_at: "2026-05-09" updated_at: "2026-05-27" keywords: - "ETSI EN 319 401 incident response" - "EN 319 401 business continuity" - "trust service provider incident reporting" - "eIDAS Article 19 notification" - "TSP continuity plan" - "ETSI EN 319 401" - "incident response" - "business continuity" - "trust service provider" - "eIDAS Article 19" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 401 Incident Reporting and Continuity Duties Practical ETSI EN 319 401 V3.1.1 guidance for trust service incident response, reporting, evidence retention, business continuity, and termination planning. *Artifact Guide* *GLOBAL* *ETSI EN 319 401* ## ETSI EN 319 401 Incident reporting and continuity duties A clause-grounded guide to EN 319 401 V3.1.1 incident response, reporting, post-incident review, evidence retention, continuity, crisis management, and termination planning. Use it to plan trust service controls and audit evidence. Treat eIDAS notification timing here as an EN 319 401 mapping aid, not for legal interpretation. Use this page when a trust service provider needs to turn ETSI EN 319 401 V3.1.1 into operational incident and continuity evidence. The relevant center of gravity is clause 7.9 for vulnerabilities and incident management, clause 7.10 for collection of evidence, clause 7.11 for business continuity management, and clause 7.12 for TSP termination planning. ## What does EN 319 401 require for incident response? EN 319 401 treats incident work as more than a ticket queue. Clause 7.9.1 requires mechanisms to detect potential security incidents and respond through continuous monitoring and logging of network and information-system activity. The same clause calls for abnormal system activity that indicates a potential security violation, including intrusion, to be detected and reported as alarms. Clause 7.9.2 then turns detection into response. A TSP needs procedures for containment, eradication, and recovery; communication plans with incident categorisation, escalation procedures, and reporting protocols; competent personnel; comprehensive documentation throughout detection and response; and clear interfaces between incident handling and business continuity management. - Define what monitoring and log sources prove detection coverage, including network traffic, privileged access, administrator activity, critical configuration changes, backups, security-relevant logs, resource use, physical access where appropriate, network devices, and environmental events where appropriate. - Assign trusted-role personnel to follow up on potentially critical security-event alerts and make sure relevant incidents are reported under the TSP's own procedures. - Keep incident response procedures tied to containment, eradication, recovery, stakeholder communication, documentation, business-continuity coordination, and damage minimization. - Test and review incident roles, responsibilities, and procedures regularly and after incidents. Sources for this answer: - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for EN 319 401 clause 7.9 monitoring, logging, incident response, reporting, event assessment, and post-incident review requirements. ## When must incident reporting and notification be planned? EN 319 401 requires reporting procedures before the incident happens. Clause 7.9.2 says the TSP shall comply with reporting obligations mandated by relevant legislative frameworks for network and information security incidents, including supervisory authorities and CSIRTs. It also requires stakeholder communication according to agreed communication plans. Clause 7.9.3 is more specific for breaches of security or loss of integrity. It requires procedures to notify appropriate parties, in line with applicable regulatory rules, when a breach has a significant impact on the trust service provided and on the personal data maintained therein. The clause states a 24-hour period from the breach being identified and notes that EU TSPs can contact the appropriate supervisory body or competent authorities for guidance under eIDAS Article 19.2. - Separate internal incident escalation from regulatory notification, stakeholder notification, and customer or contractor reporting intake. - Make the trigger test explicit: breach of security or loss of integrity, significant impact on the trust service or maintained personal data, and adverse effect on a natural or legal person where personal notification is required. - Provide a simple procedure for staff, contractors, and customers to report possible network and information security incidents. - Communicate the reporting procedure to contractors and customers, and train staff to use the procedure and the correct point of contact. Sources for this answer: - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for EN 319 401 clauses 7.9.2 and 7.9.3, including reporting obligations, stakeholder communication, and notification procedures linked to eIDAS Article 19.2. ## What evidence should survive the incident? EN 319 401 requires incident documentation to support both current operations and later review. Clause 7.9.4 requires reported events to be analysed and severity-assessed, with the capability to reassess and reclassify events based on new inputs. Clause 7.9.5 requires the TSP to identify root cause and conduct a post-incident review, potentially resulting in measures to reduce recurrence risk. Clause 7.10 broadens the evidence duty beyond incidents. A TSP must record and keep accessible, for an appropriate period and including after the TSP's activities have ceased, relevant information concerning data issued and received by the TSP. The stated purposes include legal evidence and continuity of service. - Keep the event timeline, classification decisions, severity reassessments, response actions, communications, and post-incident review together. - Link each corrective action to the root cause, affected trust service boundary, owner, due date, and verification evidence. - Maintain confidentiality and integrity for current and archived service-operation records. - Synchronize audit-log event time with UTC at least once a day and retain records for the period disclosed in the TSP terms and conditions. Sources for this answer: - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for EN 319 401 clauses 7.9.4, 7.9.5, and 7.10 on event classification, post-incident review, and collection of evidence. *Recommended next step* *Placement: after practical guidance* ## Operationalize incident and continuity controls Use this guide to assign owners, procedures, test evidence, notification triggers, continuity artifacts, and termination-plan records for EN 319 401 clauses 7.9 through 7.12. - [Build the evidence plan](/solutions/assessment.md): Convert EN 319 401 incident, evidence, continuity, and termination requirements into accountable controls and review checkpoints. - [Resolve a source question](/solutions/research-copilot.md): Use cited ETSI source material to check applicability, notification triggers, continuity scope, and evidence boundaries before implementation. - [Review implementation](/contact.md): Walk through incident response, reporting, backup recovery, crisis management, and termination evidence with Sorena. ## What continuity controls belong next to incident response? EN 319 401 clause 7.11 requires a continuity plan for disasters. It specifically names compromise of a private signing key or another TSP credential as disaster examples, and requires operations to be restored within the delay set in the continuity plan after addressing recurring causes such as security vulnerabilities. The backup requirements are concrete. The TSP must maintain backup copies of information and sufficient resources, including facilities, network and information systems, and personnel, according to the risk assessment and business continuity plan. Backup plans have to account for recovery times, completeness and accuracy of backup copies, safe storage outside the backed-up network and sufficiently distant from the main site, controls matching classification level, and restoration processes including approval processes. - Define continuity-plan restoration delays for trust service operations and make them testable. - Test backup recovery and redundancies at planned intervals, document the results, and take corrective action when tests find issues. - Keep incident handling and business continuity interfaces clear so incident response, restoration, notification, and post-incident review do not run as disconnected processes. - Maintain crisis-management processes for roles, competent-authority communications, and controls that preserve network and information security in crisis situations. Sources for this answer: - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for EN 319 401 clause 7.11 business continuity, backup, and crisis management requirements. ## How does termination planning fit continuity duties? Continuity also matters when a TSP ceases services. EN 319 401 clause 7.12 requires potential disruption to subscribers and relying parties to be minimized, especially by continuing to maintain information needed to verify the correctness of trust services. The TSP must have an up-to-date termination plan. Before termination, the TSP must inform subscribers and other entities with established relations, including relying parties, other TSPs, and relevant authorities such as supervisory bodies. It must also make termination information available to other relying parties, terminate subcontractor authorization for trust service token issuance functions, and transfer obligations to a reliable party for maintaining evidence of TSP operation unless it can demonstrate that it holds no such information. - Keep the termination plan next to business-continuity evidence, not in a separate legal archive that operations cannot execute. - Document how affected entities will be notified and how relying parties can continue verifying trust services after cessation. - Define how subcontractor authorizations end before service termination. - Document the arrangement for preserving operational evidence after cessation and the handling of TSP private keys and backups. Sources for this answer: - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for EN 319 401 clause 7.12 termination planning and continuity-oriented cessation requirements. ## Primary sources - [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for trust service provider incident management, reporting, evidence retention, business continuity, crisis management, termination planning, and Annex B eIDAS Article 19 mapping. - Quote: "General Policy Requirements for Trust Service Providers" ## Related Topic Guides - [CA and RA responsibilities under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/ca-and-ra-responsibilities.md): How ETSI EN 319 401 frames CA and RA responsibility: TSP practice statements, management approval, role segregation, subcontractor control, and evidence boundaries. - [eIDAS Articles 19 and 24 in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/eidas-articles-19-and-24.md): See how ETSI EN 319 401 V3.1.1 Annex B maps eIDAS Article 19 security duties and selected Article 24 qualified trust service duties to concrete policy evidence. - [ETSI EN 319 401 Audit and Conformity Assessment Evidence](/artifacts/global/etsi-en-319-401/audit-and-conformity-assessment.md): How to prepare ETSI EN 319 401 evidence for audit and conformity assessment without overstating what the standard itself assesses. - [ETSI EN 319 401 Audit Evidence Pack](/artifacts/global/etsi-en-319-401/audit-evidence-pack.md): Build an ETSI EN 319 401 audit evidence pack around records, logs, policies, risk assessment, incident handling, continuity, and supplier evidence. - [ETSI EN 319 401 Audit Evidence Pack Workflow](/artifacts/global/etsi-en-319-401/audit-evidence-pack-workflow.md): Build an ETSI EN 319 401 audit evidence pack for trust service providers: risk assessment, practice statement, policies, records, logs, continuity, and supplier evidence. - [ETSI EN 319 401 compliance duties for TSPs](/artifacts/global/etsi-en-319-401/compliance.md): source-linked ETSI EN 319 401 compliance guidance for trust service providers: legal operation, evidence, accessibility, privacy, records, incidents, continuity, and suppliers. - [ETSI EN 319 401 conformity assessment bodies: what is covered?](/artifacts/global/etsi-en-319-401/faq/conformity-assessment-bodies.md): Understand what ETSI EN 319 401 says, and does not say, about conformity assessment bodies, independent assessment, and TSP evidence preparation. - [ETSI EN 319 401 FAQ for trust service providers](/artifacts/global/etsi-en-319-401/faq.md): source-linked ETSI EN 319 401 FAQ for TSP scope, trust service practice statements, risk assessment, incidents, records, continuity, and supplier evidence. - [ETSI EN 319 401 Incident Evidence Workflow](/artifacts/global/etsi-en-319-401/incident-and-continuity-evidence-workflow.md): Build an EN 319 401 incident and continuity evidence workflow for TSP monitoring, response, reporting, records, backup recovery, and crisis review. - [ETSI EN 319 401 Personnel, Asset, and Access Controls](/artifacts/global/etsi-en-319-401/personnel-asset-and-access-controls.md): Clause-focused EN 319 401 V3.1.1 guide to TSP personnel duties, trusted roles, asset inventories, classification, and access-control evidence. - [ETSI EN 319 401 policy and security requirements](/artifacts/global/etsi-en-319-401/policy-and-security-requirements.md): source-linked ETSI EN 319 401 guidance for TSP policy and security requirements: risk assessment, practice statements, terms, security policy, controls, incidents, and evidence. - [ETSI EN 319 401 policy documentation: what is required?](/artifacts/global/etsi-en-319-401/faq/policy-documentation.md): How ETSI EN 319 401 treats policy documentation: practice statements, terms and conditions, information security policy, evidence records, and change review. - [ETSI EN 319 401 requirements map](/artifacts/global/etsi-en-319-401/requirements.md): Map ETSI EN 319 401 V3.1.1 requirements for trust service providers across risk assessment, policies, TSP operations, incidents, evidence, continuity, termination, and supply chain controls. - [ETSI EN 319 401 Risk Assessment and Treatment](/artifacts/global/etsi-en-319-401/risk-management.md): Clause-grounded ETSI EN 319 401 V3.1.1 guidance for trust service risk assessment, risk treatment, residual-risk approval, and evidence planning. - [ETSI EN 319 401 Subcontractor Controls](/artifacts/global/etsi-en-319-401/subcontractor-controls.md): Practical EN 319 401 guidance for TSP subcontractor controls: retained responsibility, agreements, SLAs, supplier registers, monitoring, and audit evidence. - [ETSI EN 319 401 Subcontractor Evidence Workflow](/artifacts/global/etsi-en-319-401/subcontractor-evidence-workflow.md): Build an EN 319 401 subcontractor evidence workflow for TSP supplier agreements, SLAs, audit mechanisms, risk reviews, supplier registers, and archived records. - [ETSI EN 319 401 Subcontractor Requirements FAQ](/artifacts/global/etsi-en-319-401/faq/subcontractors.md): How ETSI EN 319 401 treats subcontractors, outsourcing, supplier agreements, SLAs, monitoring, evidence, and retained TSP responsibility. - [ETSI EN 319 401 Trust Service Applicability Workflow](/artifacts/global/etsi-en-319-401/trust-service-applicability-workflow.md): A scoped workflow for deciding when ETSI EN 319 401 applies to a trust service and what TSP policy, risk, terms, operations, and supplier evidence to collect. - [ETSI EN 319 401 Trust Service Provider Applicability](/artifacts/global/etsi-en-319-401/trust-service-provider-applicability.md): Use ETSI EN 319 401 to decide whether a trust service provider activity falls in the standard's type-independent baseline and what service, policy, risk, supplier, and evidence boundaries to document. - [ETSI EN 319 401 vs eIDAS Article 19 and 24](/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-eidas.md): Compare ETSI EN 319 401 V3.1.1 with the eIDAS provisions mapped in Annex B: trust service risk management, incident handling, records, staff, terms, and termination planning. - [ETSI EN 319 401 vs EN 319 403-1: TSP Policy vs CAB Assessment](/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-en-319-403-1.md): Compare ETSI EN 319 401 and ETSI EN 319 403-1 for trust service providers: TSP operating controls, conformity assessment context, evidence boundaries, and reuse limits. - [Security Incidents in ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/security-incidents.md): How ETSI EN 319 401 V3.1.1 expects trust service providers to detect, respond to, report, classify, document, and review security incidents. - [Trust service provider scope under ETSI EN 319 401](/artifacts/global/etsi-en-319-401/faq/trust-service-provider-scope.md): How to scope ETSI EN 319 401 for a trust service provider: service boundaries, trust service policy, practice statement, terms, risks, and third-party components. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-401/incident-and-continuity-duties