ETSI EN 319 401 Subcontractor Controls

The first control decision is whether the outside party provides any part of the trust service through subcontracting, outsourcing, or another third-party arrangement. If it does, EN 319 401 clause 7.14.3 keeps overall responsibility with the TSP for conformance with the supply chain policy, information security policy, and trust service policy requirements.

This turns the subcontractor file into assurance evidence, not only procurement paperwork. The TSP should be able to name the outsourced service part, the affected trust service policy requirements, the supplier-owned activities, the TSP-owned controls, and the evidence that proves those controls were communicated and monitored.

EN 319 401 treats supplier selection as a security control. Clause 7.14 requires processes for security risks associated with supplier products and services, and the supply chain policy has to define criteria for selecting and contracting suppliers or service providers.

For a subcontractor control review, do not stop at a vendor name. Keep evidence that selection considered the supplier's ability to meet the cybersecurity specifications, risks, and classification levels of the TSP services, systems, or products delivered by that supplier or service provider.

When service provisioning involves subcontracting, outsourcing, or other third-party arrangements, EN 319 401 calls for a documented agreement and contractual relationship so both parties understand their obligations to fulfil relevant information security requirements.

The agreement evidence should connect directly to the TSP's risk assessment and policies. It should define the outsourcer's liability, bind the outsourcer to implement controls required by the TSP, include applicable TSP security policies and requirements in contracts with direct suppliers or service providers, and use service level agreements or auditing mechanisms where those are the chosen method for supplier assurance.

Subcontractor approval should not be treated as permanent. EN 319 401 requires planned or incident-triggered review of the supply chain policy and changes in the cybersecurity practices of direct suppliers or service providers related to the provision of services.

The standard also expects a register of suppliers and agreements that tracks where TSP information is managed or archived. That register should be regularly reviewed, validated, and updated so agreements remain valid, fit for purpose, and include the relevant information security clauses.

A useful evidence pack should let an assessor, security reviewer, procurement lead, or product owner understand the outsourced boundary without interviewing the whole team. It should show what the outside party does, why the TSP still owns conformance, what controls are contractually required, how those controls are checked, and when the arrangement must be re-reviewed.

Also include the adjacent EN 319 401 controls that can affect subcontractors: staff and subcontractor competence, contractor incident reporting procedures, return of TSP assets when external personnel or third parties change or terminate, and termination of subcontractor authorization before the TSP terminates services where subcontractors act for functions related to issuing trust service tokens.

The common failure pattern is treating the supplier as outside the trust service boundary. Under EN 319 401, if the supplier provides part of the service or manages relevant TSP information, the subcontractor controls need to be visible in the TSP's policies, agreements, monitoring, and evidence records.

Another weak pattern is citing a generic security questionnaire without connecting it to EN 319 401. A defensible review names the supplier arrangement, the applicable TSP policies, the trust service policy requirements, the risk assessment connection, the agreement clauses, and the evidence that the arrangement is still current.