"Policy and security requirements for Trust Service Providers issuing certificates"
A source-grounded checklist for teams issuing, assessing, or procuring EU qualified certificate services under ETSI EN 319 411-2.
Use it to verify policy selection, CP/CPS coverage, subscriber validation, QSCD handling, trusted-list reliance, and certificate status evidence.
ETSI EN 319 411-2 applies to trust service providers issuing EU qualified certificates for electronic signatures, electronic seals, and website authentication. The standard builds on ETSI EN 319 411-1 and adds qualified-certificate requirements tied to Regulation (EU) No 910/2014, but it also warns that conformance to EN 319 411-2 alone does not make a TSP or certificate qualified under that Regulation.
Start by proving that the service is actually an EU qualified certificate service within the EN 319 411-2 scope: issuance, maintenance, and life-cycle management of EU qualified certificates for natural persons, legal persons, or website authentication. Keep non-qualified certificate services and general CA controls in a separate EN 319 411-1 evidence set.
The compliance file should identify the certificate policy being used, the certificate population it covers, the issuing TSP and CA roles, the applicable CP and CPS documents, and the reason the service is being treated as qualified. Do not describe the service as qualified solely because it follows the standard; preserve the trusted-list, supervisory, or conformity-assessment evidence that supports the qualified-service claim.
Treat policy selection as the first compliance decision. EN 319 411-2 defines separate EU qualified certificate policy identifiers, and the certificate profile should show whether the service is using the ETSI policy identifier, a TSP-allocated OID, or both.
The policy selected should match the subject type and relying-party use case. QCP-n and QCP-n-qscd are for natural persons; QCP-l and QCP-l-qscd are for legal persons; QEVCP-w, QNCP-w, and QNCP-w-gen address qualified website authentication certificate variants. If the service uses a TSP-allocated OID only, preserve the clause 7 mapping that shows which EN 319 411-2 policy it builds on.
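As an added illustration, not part of this page or of ETSI's material, the following Python decodes the DER-encoded CertificatePolicies extension value of a certificate and reports which EN 319 411-2 policy it asserts, which other (TSP-allocated) OIDs are present, whether -qscd evidence applies, and whether the policy matches the subject type. The OID table under the 0.4.0.194112.1 arc is assumed from the standard as I recall it (QNCP-w and QNCP-w-gen are left out), the sample extension bytes are constructed, and 2.999.1 stands in for a TSP-allocated OID under the ITU-T example arc.

```python
# Added example; OIDs under 0.4.0.194112.1 are assumed, confirm against your edition of EN 319 411-2.
ETSI_POLICIES = {  # oid: (policy name, subject type, QSCD evidence required)
    "0.4.0.194112.1.0": ("QCP-n", "natural", False),
    "0.4.0.194112.1.1": ("QCP-l", "legal", False),
    "0.4.0.194112.1.2": ("QCP-n-qscd", "natural", True),
    "0.4.0.194112.1.3": ("QCP-l-qscd", "legal", True),
    "0.4.0.194112.1.4": ("QEVCP-w", "website", False),
}

def _read_tlv(buf, pos):  # DER TLV at pos -> (tag, value bytes, next pos); short or long length form
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(value):  # DER OID content bytes -> dotted string (first byte packs the first two arcs)
    arcs, acc = [], 0
    for b in value:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    first = arcs[0]
    lead = (0, first) if first < 40 else (1, first - 40) if first < 80 else (2, first - 80)
    return ".".join(str(a) for a in (*lead, *arcs[1:]))

def policy_oids(cert_policies_der):
    """Return the policyIdentifier of each PolicyInformation; policyQualifiers are skipped."""
    tag, seq, _ = _read_tlv(cert_policies_der, 0)
    oids, pos = [], 0
    while pos < len(seq):
        itag, info, pos = _read_tlv(seq, pos)        # PolicyInformation ::= SEQUENCE
        otag, oid, _ = _read_tlv(info, 0)            # first element is the policyIdentifier
        if (tag, itag, otag) != (0x30, 0x30, 0x06):
            raise ValueError("not a CertificatePolicies structure")
        oids.append(_decode_oid(oid))
    return oids

def review_policies(cert_policies_der, subject_type):
    """Which EN 319 411-2 policy is asserted, which other (TSP) OIDs, QSCD need, and mismatches."""
    oids = policy_oids(cert_policies_der)
    etsi = [ETSI_POLICIES[o] for o in oids if o in ETSI_POLICIES]
    findings = [f"{n} is for {s} subjects but the certificate subject is {subject_type}"
                for n, s, _ in etsi if s != subject_type]
    if len(etsi) != 1:
        findings.append(f"expected one EN 319 411-2 policy OID, found {len(etsi)}")
    return {"etsi": [n for n, _, _ in etsi], "tsp_oids": [o for o in oids if o not in ETSI_POLICIES],
            "qscd_evidence_required": any(q for _, _, q in etsi), "findings": findings}

# Constructed sample: QCP-n-qscd plus a TSP-allocated OID under the ITU-T example arc, 2.999.1.
SAMPLE = bytes.fromhex("3012" "3009060704008bec400102" "30050603883701")
```

For a real certificate, pass the raw value of the CertificatePolicies extension (OID 2.5.29.32) as extracted by your X.509 library; a QCP-n policy on a legal-person certificate surfaces as a finding, and no EN 319 411-2 OID at all points to the clause 7 mapping that must be on file.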
The compliance pack should show how the certificate policy, certification practice statement, subscriber terms, repository practices, and certificate life-cycle controls implement the selected EN 319 411-2 policy. A useful review file does not stop at a policy name; it ties each requirement family to the operating record that proves it was applied.
Prioritize evidence for identity validation, certificate application processing, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status services, and end of subscription. For natural-person and legal-person certificates, preserve the records showing physical-presence validation or equivalent-assurance validation, including the basis for equivalence where remote or third-party validation is used.
For QCP-n-qscd and QCP-l-qscd, the compliance question is not merely whether a QSCD is mentioned. EN 319 411-2 expects evidence that the device is certified as a QSCD, that the certificate request process links the certified public key to a QSCD-generated key pair, and that the TSP has measures for a QSCD status change before the certificate expires.
Certificate status services also need specific evidence. EN 319 411-2 requires that revocation status information remain available beyond the certificate validity period, using the same method (CRL or OCSP) that was used during validity, unless the validity-assured short-term certificate exception applies. The CPS and terms should explain the availability period, CA key compromise handling, and TSP termination handling.
Use the checklist to assign policy selection, CP/CPS mapping, QSCD evidence, status-service evidence, and trusted-list checks to owners before an assessment or customer review.
A qualified certificate compliance review should include relying-party evidence, not only issuer-side controls. EN 319 411-2 says the notice to relying parties should explain that the trust anchor for validating the certificate as an EU qualified certificate is the service digital identifier in an appropriate EU trusted-list entry for the qualified TSP.
Document the trusted-list check with the same rigor as the certificate policy evidence: date checked, trusted-list source, service digital identifier, qualified service status, certificate population covered, and any mismatch between the certificate policy claim and the trusted-list entry. Use this record to separate a standards implementation issue from a qualified-service recognition issue.