---
title: "ETSI EN 319 401 Risk Assessment and Treatment"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/risk-management"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/risk-management"
author: "Sorena AI"
description: "Clause-grounded ETSI EN 319 401 V3.1.1 guidance for trust service risk assessment, risk treatment, residual-risk approval, and evidence planning."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 319 401 risk assessment"
  - "EN 319 401 risk treatment"
  - "trust service provider residual risk"
  - "eIDAS Article 19 risk management"
  - "TSP information security policy"
  - "ETSI EN 319 401"
  - "risk assessment"
  - "risk treatment"
  - "trust service provider"
  - "eIDAS Article 19"
---

# ETSI EN 319 401 Risk Assessment and Treatment

Clause-grounded ETSI EN 319 401 V3.1.1 guidance for trust service risk assessment, risk treatment, residual-risk approval, and evidence planning.

*Artifact Guide* *GLOBAL* *ETSI EN 319 401*

## ETSI EN 319 401 Risk assessment and treatment

A practical guide to EN 319 401 V3.1.1 clause 5 risk assessment, risk treatment, operational procedures, recurring review, and residual-risk approval.

Use it to plan trust service controls and evidence. Treat the eIDAS references here as implementation context: they support implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Use this page when a trust service provider needs to turn ETSI EN 319 401 V3.1.1 risk-management requirements into reviewable work. The source is clause 5, which requires risk assessment, risk treatment, security requirements and operational procedures, regular review, and management acceptance of residual risk.

## What does EN 319 401 require the risk assessment to cover?

Clause 5 starts with the trust service, not with a generic enterprise risk register. REQ-5-01 requires the TSP to carry out a risk assessment that identifies, analyses, and evaluates trust service risks while taking business and technical issues into account.

That means the useful boundary is the service being provided and the operational practices that support it. The same EN 319 401 document defines trust services to include services such as creation, verification, and validation of digital signatures and related certificates; time-stamps and related certificates; registered delivery and related certificates; website-authentication certificates; and preservation of digital signatures or certificates related to those services.

- Name the trust service or trust service component before listing risks.
- Record both business issues and technical issues for each risk so the assessment does not become only a security-tool output.
- Use EN 319 401 terminology consistently: risk assessment means identification, analysis, and evaluation; risk treatment means modifying risk.
- Keep service-specific assumptions visible, especially where another ETSI trust-service standard adds requirements beyond this general baseline.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for clause 5 risk assessment and for EN 319 401 definitions of trust service, risk assessment, risk management, and risk treatment.

## How should risk treatment be selected?

REQ-5-02 connects risk treatment to the assessment results. The TSP has to select appropriate risk treatment measures, and those measures have to make the level of security commensurate with the degree of risk.

The standard does not prescribe a single risk method in clause 5. It points users to ISO/IEC 27005:2022 for guidance on information security risk management as part of an information security management system, but the enforceable EN 319 401 work remains the selected treatment measures and the evidence that they follow from the assessed trust service risks.

- Trace each treatment measure back to a specific assessed risk instead of listing controls in isolation.
- State why the treatment is proportionate to the degree of risk.
- Separate mandatory EN 319 401 treatment evidence from optional method notes borrowed from ISO/IEC 27005 guidance.
- Keep rejected or deferred treatments with the residual-risk record so management can approve the real remaining exposure.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for REQ-5-02 and the note pointing to ISO/IEC 27005:2022 as risk-management guidance.

## Where do risk decisions have to appear in TSP documentation?

REQ-5-03 turns treatment choices into operational documentation. The TSP has to determine the security requirements and operational procedures needed to implement the chosen treatment measures, and those have to be documented in the information security policy and the trust service practice statement.

This matters because it tells the implementation team where the evidence belongs. A risk register alone is not enough if the treatment changes service operation, personnel duties, access controls, network segmentation, incident handling, continuity, or supplier controls without updating the policy and practice-statement material that EN 319 401 expects to carry those procedures.

- For each treatment, identify the policy section or practice-statement section that documents the resulting requirement or procedure.
- Mark which treatments change customer-facing trust service practices and which remain internal information-security controls.
- Review policy and practice-statement changes through management approval paths already required by EN 319 401 clause 6.
- Preserve enough evidence for an assessor or customer reviewer to follow the chain from risk to treatment to documented procedure.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for REQ-5-03 and clause 6 documentation links to information security policy and trust service practice statement.

## When should the risk assessment be reviewed?

REQ-5-04 requires the risk assessment to be regularly reviewed and revised. EN 319 401 does not set a universal review interval in clause 5, so a page or internal workflow should not invent one. The defensible action is to define the review cadence in the TSP's evidence set and add change triggers where other clauses show risk-dependent controls.

Examples inside EN 319 401 show why change-triggered review is practical. Asset classification is based on the risk assessment and business value, network segmentation is based on risk assessment, backups are maintained according to the risk assessment and business continuity plan, and supplier security measures are aligned with the TSP's risk assessment.

- Document the regular review cadence instead of implying EN 319 401 clause 5 sets a fixed interval.
- Trigger review when the trust service boundary, asset classification, network zones, backup approach, supplier service, or cloud-service use changes.
- Record whether the review revised risk identification, analysis, evaluation, treatment selection, procedures, or residual-risk acceptance.
- Avoid stale evidence by dating the assessment version and linking it to the current policy and practice-statement versions.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for REQ-5-04 and for risk-assessment dependencies in asset classification, network security, backup, and supplier controls.

## Who accepts residual risk?

REQ-5-05 makes residual-risk acceptance a management decision. The TSP's management has to approve the risk assessment and accept the residual risk identified.

For implementation, that means evidence should show more than a completed spreadsheet. It should show the assessment version, treatment decisions, remaining risk, approval authority, date, and any conditions attached to acceptance. If a treatment is delayed or a vulnerability is judged not to require remediation under another EN 319 401 process, the basis for that decision should remain connected to the residual-risk evidence.

- Identify the management body or management role that approves the risk assessment.
- Keep residual risk distinct from untreated risk, accepted exceptions, and open remediation items.
- Attach approval to a dated assessment version and the trust service scope it covers.
- Re-open acceptance when reviews materially revise risk results or treatment choices.
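The sections on treatment selection, documentation placement, review triggers, and residual-risk acceptance above describe one evidence chain: assessed risk, treatment decision, documented procedure, dated management approval, and re-review on risk-dependent change. The following script is an added illustration of how that chain can be checked mechanically over a risk record; it is not code from this page, from Sorena, or from ETSI. The register layout, the field names, the `REVIEW_TRIGGERS` labels, the `ISP`/`TSPS` section prefixes, and the sample time-stamping entries are all constructed assumptions.

```python
"""Evidence-chain checks for an EN 319 401 clause 5 risk record.

Added illustration, not code from the page or from ETSI. The register layout,
field names and the sample entries are constructed assumptions. The checks
follow the page's reading of REQ-5-01 to REQ-5-05: each risk records business
and technical issues, each treatment traces to an assessed risk with a
proportionality rationale, implemented treatments point at an information
security policy (ISP) or trust service practice statement (TSPS) section,
residual risk carries dated management approval bound to the assessment
version, and review is re-triggered by risk-dependent changes.
"""
from datetime import date

# Change kinds the page names as review triggers (REQ-5-04); labels are assumed.
REVIEW_TRIGGERS = {
    "service_boundary", "asset_classification", "network_zones",
    "backup_approach", "supplier_service", "cloud_service",
}


def check_register(reg):
    """Return (requirement, message) findings; an empty list means the chain is intact."""
    findings = []
    if not reg.get("service"):
        findings.append(("REQ-5-01", "trust service or component not named"))
    risk_ids = {r["id"] for r in reg["risks"]}
    for r in reg["risks"]:
        for key in ("business_issue", "technical_issue"):
            if not r.get(key):
                findings.append(("REQ-5-01", f"{r['id']} lacks {key}"))
    treated = set()
    for t in reg["treatments"]:
        treated.add(t["risk_id"])
        if t["risk_id"] not in risk_ids:
            findings.append(("REQ-5-02", f"{t['id']} cites unknown risk {t['risk_id']}"))
        if not t.get("rationale"):
            findings.append(("REQ-5-02", f"{t['id']} has no proportionality rationale"))
        # Only implemented treatments must already sit in the ISP or TSPS (REQ-5-03).
        if t["status"] == "implemented" and not any(
            d.startswith(("ISP ", "TSPS ")) for d in t.get("documented_in", [])
        ):
            findings.append(("REQ-5-03", f"{t['id']} not documented in ISP or TSPS"))
    for rid in sorted(risk_ids - treated):
        findings.append(("REQ-5-02", f"{rid} has no treatment decision"))
    rr = reg.get("residual_risk")
    if rr is None:
        findings.append(("REQ-5-05", "no residual-risk acceptance recorded"))
    else:
        if not rr.get("approved_by"):
            findings.append(("REQ-5-05", "approval authority missing"))
        if rr.get("assessment_version") != reg["assessment_version"]:
            findings.append(("REQ-5-05", "approval bound to a different assessment version"))
        if rr.get("approved_on") is None or rr["approved_on"] < reg["assessment_date"]:
            findings.append(("REQ-5-05", "approval predates or lacks a date"))
        # Deferred or rejected treatments leave real exposure; it must be inside the accepted set.
        for t in reg["treatments"]:
            if t["status"] in ("deferred", "rejected") and t["risk_id"] not in rr.get("covers", []):
                findings.append(("REQ-5-05", f"{t['risk_id']} ({t['status']}) not in accepted residual risk"))
    return findings


def review_due(reg, changes, current_docs):
    """Reasons the assessment must be re-reviewed (REQ-5-04): change triggers or stale document links."""
    reasons = sorted(c for c in changes if c in REVIEW_TRIGGERS)
    for name, ver in reg["linked_documents"].items():
        if current_docs.get(name) != ver:
            reasons.append(f"{name} moved from {ver} to {current_docs.get(name)}")
    return reasons


# Constructed sample register for a hypothetical time-stamping service (not real data).
SAMPLE = {
    "service": "time-stamping unit",
    "assessment_version": "2026-03",
    "assessment_date": date(2026, 3, 15),
    "risks": [
        {"id": "R1", "business_issue": "loss of customer trust", "technical_issue": "TSU clock drift", "level": "high"},
        {"id": "R2", "business_issue": "outage cost", "technical_issue": "single HSM supplier", "level": "medium"},
        {"id": "R3", "business_issue": "", "technical_issue": "log tampering", "level": "medium"},
    ],
    "treatments": [
        {"id": "T1", "risk_id": "R1", "status": "implemented", "rationale": "high risk; redundant time sources",
         "documented_in": ["ISP section-A", "TSPS section-B"]},
        {"id": "T2", "risk_id": "R2", "status": "deferred", "rationale": "medium risk; second supplier next year",
         "documented_in": []},
        {"id": "T3", "risk_id": "R3", "status": "implemented", "rationale": "", "documented_in": ["wiki page"]},
    ],
    "residual_risk": {"approved_by": "management board", "approved_on": date(2026, 3, 20),
                      "assessment_version": "2026-03", "covers": ["R1"]},
    "linked_documents": {"ISP": "v4", "TSPS": "v9"},
}

if __name__ == "__main__":
    for req, msg in check_register(SAMPLE):
        print(req, msg)
    print(review_due(SAMPLE, ["supplier_service", "office_move"], {"ISP": "v4", "TSPS": "v10"}))
```

Run against the constructed sample, `check_register` flags the risk with no business issue, the treatment with no proportionality rationale, the implemented treatment that lives only on a wiki page rather than in the ISP or TSPS, and the deferred treatment whose risk was left out of the accepted residual set; `review_due` reports the supplier change and the practice-statement version drift while ignoring a change kind the page does not list as a trigger.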

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for REQ-5-05 management approval and residual-risk acceptance.

## How does this connect to eIDAS Article 19?

EN 319 401 Annex B maps eIDAS Article 19.1 to clause 5, clause 6.3, and clauses 7.2 through 7.12. The mapped eIDAS text says qualified and non-qualified trust service providers shall take appropriate technical and organisational measures to manage risks posed to the security of the trust services they provide, with security commensurate to the degree of risk.

Use that mapping carefully. It helps explain why EN 319 401 risk assessment cannot sit apart from information security policy, personnel, asset, access, cryptographic, physical, operational, network, incident, evidence, continuity, and termination controls. It does not supersede legal analysis of eIDAS obligations for a specific provider, trust service, Member State, or supervisory context.

- Use EN 319 401 clause 5 as the risk-assessment anchor for Article 19 implementation work.
- Use clause 6.3 and clauses 7.2 through 7.12 to test whether treatment measures have become operational controls.
- Avoid claiming legal compliance from this page alone; preserve the actual eIDAS applicability analysis separately.
- When the service is qualified, check the relevant service-specific ETSI standard and supervisory expectations before treating this general baseline as complete.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for Annex B mapping of eIDAS Article 19.1 to EN 319 401 clauses 5, 6.3, and 7.2 through 7.12.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Official legal source for eIDAS trust-service security requirements referenced by the EN 319 401 Annex B mapping.

## Primary sources

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for trust service provider risk assessment, risk treatment, policy and practice-statement linkage, review, residual-risk approval, and Annex B eIDAS Article 19 mapping.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Official legal source for eIDAS trust-service security requirements used only where EN 319 401 Annex B maps Article 19 to EN 319 401 controls.

