---
title: "ETSI EN 319 401 Trust Service Provider Applicability"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/trust-service-provider-applicability"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/trust-service-provider-applicability"
author: "Sorena AI"
description: "Use ETSI EN 319 401 to decide whether a trust service provider activity falls in the standard's type-independent baseline and what service, policy, risk, supplier, and evidence boundaries to document."
published_at: "2026-05-09"
updated_at: "2026-05-27"
keywords:
  - "ETSI EN 319 401"
  - "trust service provider applicability"
  - "trust service policy"
  - "trust service practice statement"
  - "eIDAS trust services"
  - "trust service provider"
  - "eIDAS"
---
# ETSI EN 319 401 Trust Service Provider Applicability

Use ETSI EN 319 401 to decide whether a trust service provider activity falls in the standard's type-independent baseline and what service, policy, risk, supplier, and evidence boundaries to document.

Decide when EN 319 401 is the right baseline for a trust service provider and what service boundary, policy, risk assessment, and supplier evidence must be in scope.

Grounded in ETSI EN 319 401 V3.1.1 and its eIDAS mapping. Use it as standards implementation guidance to support implementation planning, and validate it against jurisdiction-specific legal, contractual, and policy requirements before implementation.

Use this page before writing an EN 319 401 control map, practice statement, or assessment pack. The applicability question is not whether a product is generally security-relevant; it is whether an entity provides one or more trust services and needs the standard's type-independent baseline for operating and managing those services.

## When does ETSI EN 319 401 apply?

EN 319 401 applies as a general policy baseline for Trust Service Providers (TSPs). The standard defines a TSP as an entity that provides one or more trust services, and it says its requirements are independent of the type of TSP. That makes it relevant before choosing certificate, timestamp, validation, preservation, registered delivery, or other service-specific ETSI standards.

Do not use EN 319 401 as a stand-alone answer for every trust-service question. Its scope states that other specifications refine and extend the baseline for particular forms of TSP, and it does not specify how independent assessment is performed. Applicability therefore starts with the trust service being offered and then identifies which additional ETSI or regulatory layer is needed.

- Treat the standard as in scope when the organization provides, or operates components for, a trust service such as public key certificates, time-stamping, remote electronic signature generation, signature validation, long-term preservation, or registered delivery.
- Use it as the common baseline for TSP operation and management practices, then add the service-specific ETSI standard that matches the actual service.
- Separate qualified and non-qualified trust-service claims; EN 319 401 addresses general security-management requirements, while eIDAS status and qualified-service obligations need the relevant legal and service-specific evidence.
- Exclude ordinary product security, SaaS, or cryptographic-library work unless that work is part of providing a defined trust service or a trust service component.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the applicability boundary: EN 319 401 specifies type-independent general policy requirements for TSP operation and management, while other specifications refine requirements for particular trust services.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU legal context for electronic identification and trust services referenced by EN 319 401.

## What boundary should the applicability record define?

The applicability record should name the service, the trust service policy, the TSP practice statement, and the operating environment covered by the decision. EN 319 401 defines a trust service policy as rules indicating applicability to a community or class of application with common security requirements, and a practice statement as the practices a TSP uses to provide the service.

This boundary matters because EN 319 401 requirements attach to the TSP's actual service: risk assessment, terms and conditions, information security policy, personnel, assets, access controls, incident handling, continuity, termination planning, legal compliance, and supply chain controls. A vague statement that a platform is a TSP is not enough.

- Identify the trust service and token type involved, such as certificates, CRLs, time-stamp tokens, OCSP responses, validation outputs, or preservation records.
- List the community or class of application served by the trust service policy, including subscriber and relying-party assumptions.
- Name the systems, facilities, personnel roles, repositories, external organizations, and trust service components that support the service.
- Record which claims are EN 319 401 baseline claims and which claims depend on eIDAS, EN 319 411, EN 319 421, or another service-specific rule set.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Defines TSP, trust service policy, trust service practice statement, and trust service token, which are the core inputs for a defensible applicability boundary.

## Which EN 319 401 requirements are triggered once the service is in scope?

Once the trust service is in scope, EN 319 401 triggers more than a policy title. The TSP must carry out and review a risk assessment, select risk treatment measures, document security requirements and operational procedures, and have management approve the risk assessment and residual risk.

The standard also requires the TSP to specify policies and practices for the trust services it provides, make relevant documentation available to subscribers and relying parties where needed to demonstrate conformance, and publish terms and conditions before the contractual relationship. Those terms and conditions must cover the trust service policy, limitations on use, subscriber obligations, relying-party information, log-retention period, liability limits, legal system, complaints, assessment status, contact information, and availability undertakings.

- Create a risk-assessment record for the trust service, including business and technical issues, chosen treatment measures, residual risk acceptance, and review triggers.
- Maintain a practice statement that explains how the TSP addresses the requirements of the applicable trust service policy.
- Publish or make available the documentation that subscribers and relying parties need, while withholding sensitive detail where the standard allows that distinction.
- Check that terms and conditions disclose service limitations, relying-party verification information, log retention, liability limits, the applicable legal system, complaints process, and conformity-assessment status.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the triggered evidence list by clauses 5, 6.1, and 6.2 on risk assessment, practice statements, and terms and conditions.

## How should components, suppliers, and outsourced work affect applicability?

Applicability should include third parties when they provide part of the trust service or a trust service component. EN 319 401 says a TSP that uses other parties, including trust service component providers, remains responsible for conformance with the supply chain policy, information security policy, and trust service policy requirements.

The source material supports a practical test: if the supplier, cloud service, subcontractor, or component can affect the trust service's security, functionality, availability, or policy conformance, it belongs in the applicability record. That does not make the supplier the TSP, but it does mean the TSP needs contractual, security, monitoring, lifecycle, and assurance evidence for the dependency.

- List every trust service component provided by another party and map it to the policy and practice-statement requirement it supports.
- Document supplier-selection criteria for cybersecurity specifications, risk and classification levels, source diversification, vendor lock-in, and critical supply-chain risk assessment.
- Require supplier contracts or service-level agreements to define information-security obligations aligned with the TSP's risk assessment.
- Keep evidence that ICT products and services conform to stated cybersecurity requirements, including component origin, genuine and unaltered delivery, lifecycle management, and change monitoring.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports including subcontractors, cloud services, ICT products, and trust service components in the applicability boundary where they affect the TSP service.

## Applicability checklist for a TSP using EN 319 401

Use this checklist to decide whether the page, assessment, or procurement request is really about EN 319 401. A complete applicability answer should be specific enough for an assessor, customer, or internal owner to tell what service is covered and where the baseline stops.

- Service named: the decision identifies the exact trust service and any trust service tokens, components, repositories, or relying-party use cases.
- Policy named: the decision identifies the trust service policy and the community or application class it applies to.
- Baseline separated: EN 319 401 baseline requirements are separated from eIDAS legal obligations and service-specific ETSI standards.
- Evidence named: the record points to a risk assessment, practice statement, terms and conditions, information security policy, asset inventory, personnel role records, incident procedures, continuity plans, termination provisions, and supplier controls where applicable.
- Assessment limits stated: the record does not claim that EN 319 401 alone proves qualified status, certificate-policy conformance, or independent assessment outcomes.

Sources for this answer:

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Supports the checklist scope by combining EN 319 401's type-independent baseline, policy/practice-statement requirements, and explicit statement that independent assessment requirements are outside this document.
- [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Shows how a service-specific ETSI standard can incorporate EN 319 401 and add qualified-certificate requirements; it also cautions that conformance to that document alone does not make a TSP or certificate qualified under eIDAS.

## Primary sources

- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for the page's applicability test, including scope, TSP definitions, risk assessment, practice statements, terms and conditions, and supply-chain responsibilities.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the distinction between the EN 319 401 baseline and service-specific qualified-certificate requirements.
  - Quote: "policy and security requirements for the issuance"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal context referenced by EN 319 401 for EU trust services and qualified trust service provider obligations.
  - Quote: "electronic identification and trust services"

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-401/trust-service-provider-applicability
