---
title: "EN 319 411-1 vs EN 319 411-2 Certificate Policy"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-en-319-411-2"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-en-319-411-2"
author: "Sorena AI"
description: "Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-1"
  - "ETSI EN 319 411-2"
  - "qualified certificates"
  - "certificate policy"
  - "CP/CPS"
  - "trust service provider"
  - "ETSI EN 319 411-1 vs ETSI EN 319 411-2"
  - "CPS"
  - "CA operations"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# EN 319 411-1 vs EN 319 411-2 Certificate Policy

Compare ETSI EN 319 411-1 general certificate-service requirements with EN 319 411-2 EU qualified certificate requirements, including policy scope, CP/CPS evidence, and audit boundaries.

*Artifact Guide* *GLOBAL* *ETSI EN 319 411-1*

## ETSI EN 319 411-1 ETSI EN 319 411-1 vs ETSI EN 319 411-2

A focused comparison of Part 1 general certificate-service policy requirements and Part 2 requirements for trust service providers issuing EU qualified certificates.

Use it to separate non-qualified certificate-service evidence from qualified certificate policy, QSCD, QWAC, and EU trusted-list questions.

Use this page when a certificate service, customer questionnaire, conformity assessment file, or CP/CPS review mentions both ETSI EN 319 411-1 and ETSI EN 319 411-2. EN 319 411-1 is the general certificate-service requirements baseline; EN 319 411-2 adds the qualified-certificate layer for EU qualified certificates and qualified website authentication certificate policy profiles.

## ETSI EN 319 411-1 vs ETSI EN 319 411-2: what changes operationally?

Use this comparison to decide when EN 319 411-1 general certificate-service requirements are enough, and when EN 319 411-2 qualified certificate requirements add separate policy, evidence, and assurance work.

- **ETSI EN 319 411-1**: Part 1 covers general policy and security requirements for TSPs issuing certificates, including CP/CPS, PKI participants, certificate lifecycle operations, repositories, revocation, and records.
- **ETSI EN 319 411-2**: Part 2 covers requirements for TSPs issuing EU qualified certificates, with qualified certificate policy profiles, qualified website authentication certificate profiles, QTSP context, and QSCD-related routes where applicable.

| Dimension | ETSI EN 319 411-1 | ETSI EN 319 411-2 | Operational implication | Sources |
| --- | --- | --- | --- | --- |
| Scope and covered activity | EN 319 411-1 is the general certificate-service standard for TSPs issuing certificates. Scope the CA, RA, subscriber and subject roles, certificate usage, repository, revocation service, and CP/CPS commitments before mapping controls. | EN 319 411-2 is for TSPs issuing EU qualified certificates. Scope the qualified certificate policy profile, qualified website authentication certificate route if used, QTSP or qualified-status evidence, and QSCD-related route where applicable. | Start with the certificate service and policy profile. A Part 1 certificate lifecycle file can support Part 2 only when the qualified certificate scope is explicit. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Who must act | Part 1 ownership usually sits with the certificate service owner, CA operations, RA or registration service provider owner, security operations, repository or status-service owner, and CP/CPS maintainer. | Part 2 adds the qualified trust service owner, qualified certificate policy owner, trusted-list evidence owner, QSCD or signing-device owner where relevant, and conformity assessment lead. | Assign owners by certificate service function and policy profile, not by a single catch-all compliance queue. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Trigger or threshold | ETSI EN 319 411-1 is triggered when the TSP issues public key certificates under non-qualified certificate policy profiles, including CP/CPS, CA/RA, subscriber registration, certificate issuance, repository, and revocation-service commitments. | ETSI EN 319 411-2 is triggered when the service issues EU qualified certificates under eIDAS, including qualified certificate policy profiles, qualified website authentication certificates, QSCD-related paths, and qualified-status evidence. | Rerun the comparison when the certificate policy identifier, qualified status claim, QSCD dependency, web certificate profile, CA or RA boundary, repository, or revocation-status service changes. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Core obligations | Part 1 obligations center on CP/CPS structure, certificate policy identification, PKI participants, publication and repository responsibilities, identity validation, certificate lifecycle operations, revocation and status services, facility controls, technical security controls, audit logging, records archival, and CA or RA termination. | Part 2 keeps those certificate-service disciplines but applies them to qualified certificate policy profiles and qualified-service context, including QCP profiles, qualified website authentication certificate profiles, trusted-list dependencies, and QSCD-related evidence where the policy route requires it. | Create one crosswalk row per operation and identify whether the requirement is Part 1-only, Part 2-only, or a Part 2 qualified use of a Part 1 control. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Evidence and records | ETSI EN 319 411-1 evidence should name the certificate policy and CPS version, certificate profiles, subscriber identity records, CA and RA responsibilities, issuance logs, repository and CRL/OCSP records, revocation files, and audit-period evidence. | ETSI EN 319 411-2 evidence should add the qualified certificate policy profile, qualified status or trusted-list evidence, QCP or QWAC profile mapping, QSCD-related evidence where applicable, and Part 2-specific conformity assessment findings. | Keep a traceable evidence matrix: source, claim, owner, artifact, review date, and whether the evidence satisfies ETSI EN 319 411-1, ETSI EN 319 411-2, or both. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Timing and cadence | Part 1 evidence timing is driven by certificate validity, certificate lifecycle events, revocation and status-service operation, audit logging, records archival, key changeover, and CA or RA termination records. | Part 2 timing adds qualified-service assessment and status considerations, including qualified certificate service changes and any trusted-list or qualified status evidence used for relying-party validation. | Keep retention and review dates tied to certificate validity, CP/CPS version, certificate profile, audit period, and qualified-service status rather than a broad annual checklist. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Enforcement or assurance route | ETSI EN 319 411-1 assurance usually runs through TSP conformity assessment against EN 319 401 plus EN 319 411-1, with audit evidence tied to the non-qualified certificate policy, CPS, CA operations, RA controls, and lifecycle records. | ETSI EN 319 411-2 assurance connects the certificate audit path to eIDAS qualified trust-service supervision, qualified certificate policy profiles, QTSP status evidence, QSCD-related evidence where applicable, and qualified certificate lifecycle controls. | Escalate when an assessor, supervisory body, browser relying-party program, customer, or procurement reviewer asks for qualified certificate proof rather than ordinary certificate-service evidence. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Overlap and reuse | Part 1 evidence can be reused for common PKI operations, such as lifecycle processing, revocation services, repositories, audit logging, and records archival, when the service boundary and policy profile match. | Part 2 can reuse common PKI evidence only after adding the qualified certificate policy context and any qualified-status, QWAC, trusted-list, or QSCD evidence needed for the qualified claim. | Reuse the operational artifact, not the conclusion. The same log or CP/CPS section may support both sides, but the qualified-certificate conclusion needs its own source-linked row. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |
| Practical decision rule | Use EN 319 411-1 as the controlling side when the claim is that a TSP certificate service meets the general Part 1 certificate policy and security requirements. | Use EN 319 411-2 as the controlling side when the claim is that the service issues EU qualified certificates or uses a Part 2 qualified certificate policy profile. | Do not collapse the standards into one checklist. Start with the certificate policy profile, then show exactly which Part 1 controls are reused by the Part 2 qualified certificate claim. | [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.<br>[ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.<br>[ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. |

Sources for Scope and covered activity - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"

Sources for Scope and covered activity - ETSI EN 319 411-2:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Scope and covered activity - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Who must act - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"

Sources for Who must act - ETSI EN 319 411-2:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Who must act - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Trigger or threshold - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Trigger or threshold - ETSI EN 319 411-2:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Trigger or threshold - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Core obligations - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Core obligations - ETSI EN 319 411-2:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Core obligations - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Evidence and records - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Evidence and records - ETSI EN 319 411-2:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Evidence and records - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Timing and cadence - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Timing and cadence - ETSI EN 319 411-2:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Timing and cadence - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Enforcement or assurance route - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Enforcement or assurance route - ETSI EN 319 411-2:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Enforcement or assurance route - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Overlap and reuse - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Overlap and reuse - ETSI EN 319 411-2:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Overlap and reuse - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Practical decision rule - ETSI EN 319 411-1:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"

Sources for Practical decision rule - ETSI EN 319 411-2:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

Sources for Practical decision rule - operational implication:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

### How to choose between ETSI EN 319 411-1 and ETSI EN 319 411-2

- Start with the certificate policy profile and qualified-status claim, not with the standard title alone.
- Use EN 319 411-1 for general certificate-service CP/CPS, lifecycle, repository, revocation, and CA/RA operational evidence.
- Use EN 319 411-2 when the service claims EU qualified certificate status, a qualified certificate policy profile, QWAC coverage, or QSCD-backed qualified certificate issuance.

Sources for the practical decision rule:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

## When should teams compare ETSI EN 319 411-1 with ETSI EN 319 411-2?

Compare them before a TSP reuses the same CP/CPS, subscriber identity proofing, certificate profile, revocation evidence, or audit file for both ordinary certificate services and EU qualified certificate services.

The practical question is whether the service is operating under EN 319 411-1 general certificate policy requirements, under EN 319 411-2 qualified certificate policy requirements, or under both with different evidence boundaries.

- Start with the certificate policy identifier and certificate profile: NCP, EVCP, and web certificate routes belong in the Part 1 analysis; QCP and qualified web certificate profiles belong in the Part 2 analysis.
- Separate common PKI operations, such as CA/RA responsibilities and revocation status services, from qualified-service proof such as QTSP status, QSCD-related paths, and EU trusted-list evidence.
- Keep crosswalk rows source-linked so audit reviewers can see when Part 2 incorporates or depends on Part 1 requirements.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.

## Decision rules for Part 1 and Part 2 certificate services

Use EN 319 411-1 when the service is about policy and security requirements for TSPs issuing certificates in the general Part 1 scope. Use EN 319 411-2 when the claim is specifically about EU qualified certificates, including the qualified certificate policy profiles named in Part 2.

Do not treat Part 2 as a simple replacement for Part 1. The Part 2 grounding references EN 319 411-1 and EN 319 401, while adding qualified certificate policy profiles such as QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, and QNCP-w-gen.

- If the certificate service is not making an EU qualified certificate claim, keep the comparison anchored in EN 319 411-1 and avoid importing qualified-certificate obligations by label alone.
- If the service claims qualified status, document the Part 2 policy profile, qualified status evidence, trusted-list dependency, and any QSCD-related route before reusing Part 1 evidence.
- When Part 2 points back to Part 1 clauses, cite both sides in the audit file and explain which requirement is being satisfied.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.

## What to decide before reusing CP/CPS evidence

Decide whether the same CP/CPS text actually covers the service, policy object identifier, certificate usage, participants, and publication responsibilities on both sides. Part 1 and Part 2 both use CP/CPS concepts, but Part 2's qualified certificate policy profiles change what the evidence must prove.

For EN 319 411-1, the review should cover CA and RA responsibilities, subscribers and subjects, naming, initial identity validation, certificate application and issuance, certificate acceptance, revocation, status services, repositories, and records archival. For EN 319 411-2, add the qualified certificate policy profile, qualified status context, qualified website authentication certificate route if relevant, and QSCD-related evidence only where the Part 2 profile calls for it.

- Name the certificate service, CA, RA or registration service provider, certificate policy, certificate profile, repository, and revocation-status service in scope.
- Record whether the service is non-qualified, qualified for natural persons, qualified for legal persons, QSCD-backed, or a qualified website authentication certificate profile.
- Separate Part 1 evidence reused by Part 2 from Part 2-only evidence so the audit file does not hide qualified-service assumptions.
- Version evidence by standard version, CP/CPS version, certificate profile, assessment period, and certificate service boundary.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.

*Recommended next step*

*Placement: after practical guidance*

## Compare certificate policy evidence before the audit

Use the comparison to separate ordinary certificate-service evidence from qualified certificate evidence before a CP/CPS update, procurement response, or conformity assessment.

- [Open Assessment Autopilot for certificate evidence](/solutions/assessment.md): Turn the Part 1 and Part 2 crosswalk into assigned evidence requests, CP/CPS review items, and audit-ready gaps.
- [Research certificate policy source questions](/solutions/research-copilot.md): Resolve certificate policy, qualified certificate, trusted-list, and QSCD questions against the cited ETSI material.
- [Talk through implementation](/contact.md): Review the certificate-service scope, evidence split, and next audit actions with Sorena.

## Evidence that belongs on each side of the comparison

Build the comparison as an evidence map, not as a merged checklist. The same operational record can sometimes support both standards, but the claim it supports should stay tied to the relevant Part 1 or Part 2 clause set.

For Part 1, keep CP and CPS versions, certificate policy identifiers, subscriber agreements, identity validation records, RA delegation evidence, issuance logs, CRL or OCSP records, revocation files, repository publication records, key-management records, audit logs, and records archival evidence. For Part 2, add qualified certificate policy profile evidence, QTSP or qualified-status records, EU trusted-list validation references, qualified website authentication certificate material where used, and QSCD-related evidence only when the profile depends on it.

- Mark each evidence item as Part 1-only, Part 2-only, or shared with a clause-level explanation.
- Do not describe a certificate as qualified unless the Part 2 policy profile and qualified-service evidence are present.
- Do not describe a Part 1 control as sufficient for Part 2 unless the Part 2 source actually incorporates or aligns with that Part 1 requirement.
- Review the crosswalk after CP/CPS changes, certificate profile changes, RA changes, revocation-service changes, key-management changes, or conformity-assessment scope changes.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.

## Comparison checklist for certificate-service teams

Use this checklist when preparing a CP/CPS update, audit evidence pack, qualified certificate service review, or procurement response that mentions both standards.

- List the certificate service, certificate policy object identifier, CP/CPS version, certificate profile, CA, RA, repository, and status service covered by EN 319 411-1.
- Identify whether any Part 2 policy profile applies: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
- Create a row for every shared operation, including identity validation, issuance, acceptance, revocation, status services, records archival, and CA or RA termination.
- Attach the evidence artifact to the row: CP/CPS text, subscriber record, validation record, certificate sample, CRL or OCSP record, trusted-list reference, audit log, or conformity-assessment finding.
- Flag unsupported reuse where the Part 1 evidence proves ordinary certificate-service operation but does not prove the qualified certificate claim.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.

## Comparison mistakes that create audit gaps

The main failure pattern is treating the standards as two labels for the same audit file. They overlap through TSP policy, security, and certificate lifecycle concepts, but Part 2 is narrower and more specific because it addresses EU qualified certificates.

- Do not call a service qualified because it satisfies EN 319 411-1 general requirements; Part 2 qualified certificate policy evidence is still needed.
- Do not hide certificate policy profile differences behind a vague CP/CPS title.
- Do not reuse identity validation, revocation, repository, or audit-log evidence unless the certificate service boundary and policy profile match.
- Do not mix CA/Browser Forum web certificate requirements, qualified website authentication certificate requirements, and ordinary certificate policy requirements without a row-level  source reference .

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.

## Primary sources

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"
- [ETSI EN 319 401 V3.1.1 general policy requirements for TSPs](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary ETSI source for general policy, risk assessment, management, security, incident, continuity, and audit evidence requirements for trust service providers.
  - Quote: "General Policy Requirements for Trust Service Providers"
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
  - Quote: "EU qualified certificates"

## Related Topic Guides

- [CP vs CPS under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/cp-vs-cps.md): Understand how ETSI EN 319 411-1 separates Certificate Policy from Certification Practice Statement work for certification authorities and trust service providers.
- [ETSI EN 319 411-1 Audit File Evidence](/artifacts/global/etsi-en-319-411-1/audit-file-evidence.md): Build an ETSI EN 319 411-1 audit evidence file for CA logging, registration records, revocation records, CA key lifecycle evidence, and records archival.
- [ETSI EN 319 411-1 CA Key Management](/artifacts/global/etsi-en-319-411-1/ca-key-management.md): CA key management guidance for ETSI EN 319 411-1: CPS commitments, key ceremonies, secure cryptographic devices, backup, recovery, and lifecycle evidence.
- [ETSI EN 319 411-1 certificate lifecycle workflow](/artifacts/global/etsi-en-319-411-1/certificate-lifecycle-workflow.md): Workflow for EN 319 411-1 certificate application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and evidence records.
- [ETSI EN 319 411-1 certificate re-key FAQ](/artifacts/global/etsi-en-319-411-1/faq/re-key.md): What ETSI EN 319 411-1 requires when a TSP re-keys an existing certificate with a new subject public key.
- [ETSI EN 319 411-1 Certificate Suspension FAQ](/artifacts/global/etsi-en-319-411-1/faq/suspension.md): How CAs should handle certificate suspension under ETSI EN 319 411-1: CPS disclosure, validated requests, status publication, subscriber notice, and audit evidence.
- [ETSI EN 319 411-1 Certification Audit Evidence FAQ](/artifacts/global/etsi-en-319-411-1/faq/certification-audit-evidence.md): How CAs should prepare ETSI EN 319 411-1 audit evidence for CP/CPS scope, registration records, revocation records, CA key logs, and retained assessment files.
- [ETSI EN 319 411-1 Compliance Guide](/artifacts/global/etsi-en-319-411-1/compliance.md): Build an ETSI EN 319 411-1 compliance file for certificate policies, CPS commitments, certificate lifecycle controls, revocation services, CA keys, and audit evidence.
- [ETSI EN 319 411-1 CP and CPS template](/artifacts/global/etsi-en-319-411-1/cp-and-cps-template.md): Build a certificate policy and Certification Practice Statement template for ETSI EN 319 411-1 certificate services, with fields for policy identifiers, subscribers, relying parties, revocation, publication, and evidence.
- [ETSI EN 319 411-1 FAQ for Certificate Services](/artifacts/global/etsi-en-319-411-1/faq.md): Answers to common ETSI EN 319 411-1 questions on certificate policies, CPS content, CA and RA boundaries, subscriber evidence, revocation, status services, and record retention.
- [ETSI EN 319 411-1 Identity Validation](/artifacts/global/etsi-en-319-411-1/identity-validation.md): Identity validation requirements in ETSI EN 319 411-1 for subscribers, subjects, RAs, certificate requests, registration evidence, and issuance records.
- [ETSI EN 319 411-1 Identity Validation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/identity-validation-evidence-workflow.md): A workflow for building ETSI EN 319 411-1 identity validation evidence packs across subscriber, subject, certificate request, RA, logging, and retention controls.
- [ETSI EN 319 411-1 RA Delegation Guide](/artifacts/global/etsi-en-319-411-1/ra-delegation.md): How to scope registration authority delegation under ETSI EN 319 411-1, including delegated RA tasks, external provider controls, registration records, and audit evidence.
- [ETSI EN 319 411-1 RA Delegation Review Workflow](/artifacts/global/etsi-en-319-411-1/ra-delegation-review-workflow.md): Review delegated registration authority work under ETSI EN 319 411-1: retained CA responsibility, recognized registration service providers, secure data exchange, CPS coverage, and audit evidence.
- [ETSI EN 319 411-1 requirements map for certificate services](/artifacts/global/etsi-en-319-411-1/requirements.md): Map ETSI EN 319 411-1 requirements for certificate policies, CP/CPS content, registration, revocation, certificate status, and CA key-management evidence.
- [ETSI EN 319 411-1 Revocation Evidence Workflow](/artifacts/global/etsi-en-319-411-1/revocation-evidence-workflow.md): Build a revocation evidence workflow for ETSI EN 319 411-1 covering CPS procedures, request authentication, 24-hour status updates, CRL/OCSP publication, logs, and retention.
- [ETSI EN 319 411-1 Revocation, OCSP, and CRL Operations](/artifacts/global/etsi-en-319-411-1/revocation-ocsp-and-crl-operations.md): Operate ETSI EN 319 411-1 revocation status services with CPS procedures, authenticated requests, 24-hour CRL or OCSP publication controls, and audit evidence.
- [ETSI EN 319 411-1 vs CA/B Forum Baseline Requirements](/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-ca-browser-forum-baseline-requirements.md): Compare how EN 319 411-1 incorporates CA/B Forum BRG concepts for DVCP, OVCP, IVCP, [WEB] requirements, CPS disclosure, domain validation, and conflict handling.
- [How should certificate authorities handle revocation evidence under ETSI EN 319 411-1?](/artifacts/global/etsi-en-319-411-1/faq/revocation-evidence.md): What ETSI EN 319 411-1 expects CAs to evidence for certificate revocation requests, status publication, CRL or OCSP updates, and archived revocation records.
- [RA delegation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/ra-delegation.md): How certificate authorities can delegate registration authority work under ETSI EN 319 411-1 while keeping identity validation, secure data exchange, role controls, and audit evidence traceable.
- [Subscriber agreements under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-agreements.md): How ETSI EN 319 411-1 expects CAs and TSPs to inform subscribers, record acceptance, handle subject consent, and retain subscriber-agreement evidence.
- [Subscriber identity validation under ETSI EN 319 411-1](/artifacts/global/etsi-en-319-411-1/faq/subscriber-identity-validation.md): How certificate authorities should validate subscriber and subject identity under ETSI EN 319 411-1, including evidence, authorization, subject categories, and registration records.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-1/en-319-411-1-vs-en-319-411-2