A practical evidence workflow for trust service providers that use subcontractors, outsourcers, suppliers, cloud providers, or trust service component providers.
Grounded in ETSI EN 319 401 V3.1.1 clauses on policies, supplier relationships, records, and supply-chain responsibility. Use it as implementation guidance, supporting implementation planning and should be validated against jurisdiction-specific legal, contractual, and policy requirements before implementation.
Structured answer sets in this page tree.
Cited legal and guidance references.
Use this page to turn EN 319 401 subcontractor and supplier requirements into an audit-ready evidence workflow. The focus is narrow: what a trust service provider should collect, review, retain, and update when another party provides part of the trust service or supplies ICT products or services that support it.
Start with the trigger. EN 319 401 treats subcontracting, outsourcing, and other third-party arrangements as in-scope when another party provides parts of the TSP's service. That can include trust service component providers, direct suppliers, service providers, ICT suppliers, and cloud computing providers where they support the service boundary.
The key evidence point is retained accountability. When the TSP uses other parties to provide parts of its service, EN 319 401 says the TSP keeps overall responsibility for conformance with its supply chain policy, information security policy, and the requirements defined in the trust service policy.
Use this EN 319 401 workflow as a shared checklist for supplier scope, agreements, SLAs, monitoring reviews, supplier registers, and retained records.
Convert supplier and subcontractor requirements into accountable tasks, evidence requests, and review milestones.
Use cited ETSI source material to resolve scope, applicability, supplier evidence, and assessment questions before implementation.
Review supplier scope, agreement evidence, monitoring checkpoints, and next compliance actions with Sorena.
Before relying on a supplier or subcontractor, collect evidence that the selection and contracting decision used EN 319 401 criteria. The supplier evidence should show its ability to meet the TSP's cybersecurity specifications, risk position, and classification levels for the services, systems, or products being delivered.
The contract file should also show the liability model, required controls, commencement requirements, termination requirements, and a documented agreement or contractual relationship that makes both parties' information security obligations clear.
Operational evidence should show that supplier controls are not frozen at onboarding. EN 319 401 requires monitoring, review, evaluation, and change management for supplier information security practices and service delivery, including planned reviews and review after incidents related to supplier-provided services.
For ICT suppliers, the workflow should also preserve evidence that security requirements are propagated through subcontracted ICT services, that supplier product or service components critical to functionality are identified, and that the TSP has acceptable methods for validating that ICT products and services conform to stated cybersecurity requirements.
Use this workflow as the operating table for a subcontractor evidence pack: Step | Owner | Evidence | Decision.
1 | Service owner | Supplier scope note, supported trust service, and component/service description | Does this relationship provide or support part of the TSP service?
2 | Procurement and security | Selection criteria, risk/classification fit, and supplier due-diligence record | Can the supplier meet the TSP's cybersecurity specifications and risk requirements?
3 | Legal and control owner | Agreement, liability terms, required controls, SLA or auditing mechanism, and start/exit controls | Are both parties' information security obligations clear enough to rely on?
4 | Operations and assurance | Monitoring reviews, change records, incident-triggered reassessments, supplier register updates, and retained operational records | Is the supplier evidence still valid for the current service boundary?
The supplier file should be retained as part of the TSP's broader record model. EN 319 401 requires relevant information concerning data issued and received by the TSP to be recorded and kept accessible for an appropriate period, including after the TSP's activities have ceased, for legal evidence and continuity purposes.
Review checkpoints should therefore cover both supplier relationship evidence and operational service evidence. The evidence pack is weak if it only contains the original contract and omits updated supplier reviews, incident follow-up, supplier register validation, or records showing where TSP information is managed or archived.
Most subcontractor evidence gaps are practical rather than semantic: the supplier is named, but the service boundary is not; the contract exists, but the required security controls are not traceable; the supplier register exists, but it does not show where TSP information is managed or archived.
Before presenting the pack to a customer, assessor, or internal governance forum, remove unsupported claims. EN 319 401 supports a strong evidence workflow for supplier responsibility, agreements, monitoring, registers, and records; it does not by itself prove that a supplier, service, or TSP is conformant without the actual implementation and assessment evidence.
"REQ-7.14"
"REQ-6.1-04; REQ-7.14.3-01X"
"REQ-6.1-04; REQ-7.10-01; REQ-7.14.3-12X"
"REQ-7.10-01; REQ-7.10-07; REQ-7.14.3-10X; REQ-7.14.3-12X"
"REQ-7.14-04X; REQ-7.14.3-02X; REQ-7.14.3-04X"
"REQ-7.14.2-03X; REQ-7.14.2-15X; REQ-7.14.3-10X; REQ-7.14.3-11X"