ETSI EN 319 401 Trust Service Provider Applicability

EN 319 401 applies as a general policy baseline for Trust Service Providers (TSPs). The standard defines a TSP as an entity that provides one or more trust services, and it says its requirements are independent of the type of TSP. That makes it relevant before choosing certificate, timestamp, validation, preservation, registered delivery, or other service-specific ETSI standards.

Do not use EN 319 401 as a stand-alone answer for every trust-service question. Its scope states that other specifications refine and extend the baseline for particular forms of TSP, and it does not specify how independent assessment is performed. Applicability therefore starts with the trust service being offered and then identifies which additional ETSI or regulatory layer is needed.

The applicability record should name the service, the trust service policy, the TSP practice statement, and the operating environment covered by the decision. EN 319 401 defines a trust service policy as rules indicating applicability to a community or class of application with common security requirements, and a practice statement as the practices a TSP uses to provide the service.

This boundary matters because EN 319 401 requirements attach to the TSP's actual service: risk assessment, terms and conditions, information security policy, personnel, assets, access controls, incident handling, continuity, termination planning, legal compliance, and supply chain controls. A vague statement that a platform is a TSP is not enough.

Once the trust service is in scope, EN 319 401 triggers more than a policy title. The TSP must carry out and review a risk assessment, select risk treatment measures, document security requirements and operational procedures, and have management approve the risk assessment and residual risk.

The standard also requires the TSP to specify policies and practices for the trust services it provides, make relevant documentation available to subscribers and relying parties where needed to demonstrate conformance, and publish terms and conditions before the contractual relationship. Those terms and conditions must cover the trust service policy, limitations on use, subscriber obligations, relying-party information, log-retention period, liability limits, legal system, complaints, assessment status, contact information, and availability undertakings.

Applicability should include third parties when they provide part of the trust service or a trust service component. EN 319 401 says a TSP that uses other parties, including trust service component providers, remains responsible for conformance with the supply chain policy, information security policy, and trust service policy requirements.

The source material supports a practical test: if the supplier, cloud service, subcontractor, or component can affect the trust service's security, functionality, availability, or policy conformance, it belongs in the applicability record. That does not make the supplier the TSP, but it does mean the TSP needs contractual, security, monitoring, lifecycle, and assurance evidence for the dependency.

Use this checklist to decide whether the page, assessment, or procurement request is really about EN 319 401. A complete applicability answer should be specific enough for an assessor, customer, or internal owner to tell what service is covered and where the baseline stops.