---
title: "ETSI EN 319 401 Subcontractor Controls"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/subcontractor-controls"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/subcontractor-controls"
author: "Sorena AI"
description: "Practical EN 319 401 guidance for TSP subcontractor controls: retained responsibility, agreements, SLAs, supplier registers, monitoring, and audit evidence."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 319 401 subcontractor controls"
  - "TSP outsourcing"
  - "trust service supplier agreements"
  - "EN 319 401 SLA evidence"
  - "supplier register"
  - "ETSI EN 319 401"
  - "subcontractor controls"
  - "trust service provider"
  - "supplier agreements"
---

# ETSI EN 319 401 Subcontractor Controls

Practical EN 319 401 guidance for TSP subcontractor controls: retained responsibility, agreements, SLAs, supplier registers, monitoring, and audit evidence.

*Artifact Guide* *GLOBAL* *ETSI EN 319 401*

A focused control guide for trust service providers using subcontractors, outsourcers, direct suppliers, service providers, or trust service component providers.

Grounded in ETSI EN 319 401 V3.1.1. Use it as implementation guidance, not for legal interpretation.

Use this page when a trust service provider needs to show that subcontracting or outsourcing does not weaken control over the trust service. EN 319 401 leaves overall responsibility with the TSP when other parties provide parts of the service, and it expects documented obligations, supplier agreements, risk-aligned security requirements, monitoring, and current supplier records.

## Start with retained TSP responsibility

The first control decision is whether the outside party provides any part of the trust service through subcontracting, outsourcing, or another third-party arrangement. If it does, EN 319 401 clause 7.14.3 keeps overall responsibility with the TSP for conformance with the supply chain policy, information security policy, and trust service policy requirements.

This turns the subcontractor file into assurance evidence, not only procurement paperwork. The TSP should be able to name the outsourced service part, the affected trust service policy requirements, the supplier-owned activities, the TSP-owned controls, and the evidence that proves those controls were communicated and monitored.

- List each subcontracted or outsourced activity that supports the trust service, including trust service component providers where relevant.
- Map each activity to the affected trust service, system, information flow, policy requirement, and internal accountable owner.
- Keep the TSP, not the supplier, as the owner of conformance evidence for EN 319 401 and the trust service policy.
- Use the trust service practice statement to identify obligations of external organizations supporting the TSP's services.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports retained TSP responsibility for subcontracting, outsourcing, and other third-party arrangements, plus practice-statement obligations for external organizations.

## Convert supplier selection into control evidence

EN 319 401 treats supplier selection as a security control. Clause 7.14 requires processes for security risks associated with supplier products and services, and the supply chain policy has to define criteria for selecting and contracting suppliers or service providers.

For a subcontractor control review, do not stop at a vendor name. Keep evidence that selection considered the supplier's ability to meet the cybersecurity specifications, risks, and classification levels of the TSP services, systems, or products delivered by that supplier or service provider.

- Keep the supplier-selection record with the trust service scope it supports and the TSP security requirements it must meet.
- Show how the supplier or service provider was evaluated against cybersecurity specifications, risk, and classification levels.
- Where an ICT service supplier subcontracts part of the service, require propagation of the TSP security requirements through that supply chain.
- Where ICT products include components from other suppliers, request supplier information about software components, security functions, and secure configuration.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports supplier risk processes, supplier-selection criteria, propagation of TSP security requirements, software component information, and secure-configuration information.

## Make agreements specific enough to audit

When service provisioning involves subcontracting, outsourcing, or other third-party arrangements, EN 319 401 calls for a documented agreement and contractual relationship so both parties understand their obligations to fulfil relevant information security requirements.

The agreement evidence should connect directly to the TSP's risk assessment and policies. It should define the outsourcer's liability, bind the outsourcer to implement controls required by the TSP, include applicable TSP security policies and requirements in contracts with direct suppliers or service providers, and use service level agreements or auditing mechanisms where those are the chosen method for supplier assurance.

- Keep signed agreements with a short control map showing the relevant EN 319 401 requirement IDs, TSP policy clauses, and supplier obligations.
- Define outsourcer liability and the controls the outsourcer is bound to implement for the TSP.
- Include applicable TSP security policies and requirements in supplier or service-provider contracts.
- Use SLAs and/or auditing mechanisms to check that direct suppliers and service providers address TSP security requirements aligned with the TSP risk assessment.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports documented agreements, contractual relationships, outsourcer liability, required controls, contract clauses, SLAs, and auditing mechanisms.

## Monitor changes instead of relying on onboarding

Subcontractor approval should not be treated as permanent. EN 319 401 requires planned or incident-triggered review of the supply chain policy and changes in the cybersecurity practices of direct suppliers or service providers related to the provision of services.

The standard also expects a register of suppliers and agreements that tracks where TSP information is managed or archived. That register should be regularly reviewed, validated, and updated so agreements remain valid, fit for purpose, and include the relevant information security clauses.

- Define planned review intervals for direct supplier and service-provider cybersecurity practices.
- Trigger review after an incident related to services provided by a direct supplier or service provider.
- Maintain a supplier-and-agreement register showing where TSP information is managed or archived.
- Regularly validate that supplier agreements remain current, fit for purpose, and include relevant information security clauses.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports planned and incident-triggered supplier review, supplier agreement registers, and regular validation of agreement currency and security clauses.

## Checklist for a subcontractor controls evidence pack

A useful evidence pack should let an assessor, security reviewer, procurement lead, or product owner understand the outsourced boundary without interviewing the whole team. It should show what the outside party does, why the TSP still owns conformance, what controls are contractually required, how those controls are checked, and when the arrangement must be re-reviewed.

Also include the adjacent EN 319 401 controls that can affect subcontractors: competence of staff and subcontractors, incident reporting procedures for contractors, return of TSP assets when external personnel or third parties change role or terminate, and termination of subcontractor authorization before the TSP terminates a service, where subcontractors perform functions related to issuing trust service tokens.

- Scope map: subcontracted activity, trust service component, affected policy requirements, systems, information, and owner.
- Agreement pack: signed agreement, outsourcer liability, required controls, applicable security policy clauses, SLA or audit mechanism, and termination terms.
- Monitoring pack: review cadence, supplier change reviews, incident-triggered reviews, audit results or SLA evidence, and exception decisions.
- Register evidence: current supplier-and-agreement register, locations where TSP information is managed or archived, and validation history.
- Lifecycle evidence: competence checks for subcontractors where applicable, contractor incident reporting communication, asset return procedures, and service-termination authorization controls.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the evidence checklist across clauses 7.2, 7.3.2, 7.9.3, 7.12, and 7.14 for subcontractor competence, asset return, incident reporting, termination, and supplier controls.

## Common mistakes to avoid

The common failure pattern is treating the supplier as outside the trust service boundary. Under EN 319 401, if the supplier provides part of the service or manages relevant TSP information, the subcontractor controls need to be visible in the TSP's policies, agreements, monitoring, and evidence records.

Another weak pattern is citing a generic security questionnaire without connecting it to EN 319 401. A defensible review names the supplier arrangement, the applicable TSP policies, the trust service policy requirements, the risk assessment connection, the agreement clauses, and the evidence that the arrangement is still current.

- Do not describe subcontracting as a transfer of EN 319 401 responsibility away from the TSP.
- Do not rely on a generic vendor approval when the outsourced activity affects a trust service component or TSP information.
- Do not keep supplier agreements separate from the supplier register, policy requirements, SLA or audit evidence, and review history.
- Do not leave subcontractor incident reporting, asset return, or service-termination authorization controls out of the evidence pack when those controls apply.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports these pitfalls by requiring retained responsibility, documented supplier obligations, supplier registers, planned or incident-triggered review, and adjacent personnel, incident, asset, and termination controls.

## Primary sources

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for this page's EN 319 401 subcontractor, outsourcing, supplier-selection, agreement, SLA, monitoring, supplier-register, competence, incident-reporting, asset-return, and termination-control guidance.
  - Quote: "Responsibility, third parties agreements and SLA"

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-401/subcontractor-controls
