---
title: "ETSI EN 319 411-2 V2.6.1 Compliance Playbook (EU Qualified Certificates and QSCD Operations)"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/compliance"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/compliance"
author: "Sorena AI"
description: "How to operationalize ETSI EN 319 411-2 V2.6.1 for EU qualified certificates: policy OID governance, CP and CPS disclosures, identity verification workflows."
published_at: "2026-03-04"
updated_at: "2026-03-04"
keywords:
  - "ETSI EN 319 411-2 compliance"
  - "ETSI EN 319 411-2 V2.6.1"
  - "EU qualified certificates compliance program"
  - "qualified trust service provider"
  - "QCP-n QCP-l QCP-qscd"
  - "QEVCP-w QNCP-w QNCP-w-gen"
  - "QSCD operations"
  - "sole control key management"
  - "identity verification natural person legal person"
  - "domain-link verification"
  - "qualified certificate policy OID"
  - "PKI disclosure statement qualified"
  - "audit evidence eIDAS"
  - "EU trusted list validation"
  - "EU qualified certificates"
  - "Identity verification"
  - "Evidence pack"
---

# ETSI EN 319 411-2 V2.6.1 Compliance Playbook (EU Qualified Certificates and QSCD Operations)

How to operationalize ETSI EN 319 411-2 V2.6.1 for EU qualified certificates: policy OID governance, CP and CPS disclosures, identity verification workflows.

## ETSI EN 319 411-2 Compliance

A compliance playbook for qualified certificate issuance that produces defensible evidence by default.

Focus: current-edition policy OIDs, identity verification, QSCD boundaries, trusted-list operations, and operational proof for audits and supervisory reviews.

Qualified certificate programs succeed when they treat policy identifiers and QSCD requirements as engineering constraints, not paperwork. EN 319 411-2 V2.6.1 adds qualified-specific requirements on top of EN 319 411-1 and ties them to eIDAS expectations. This page explains how to run EN 319 411-2 as an operating model that covers documentation, workflows, controls, trusted-list proof, monitoring, and evidence.

## 1) Start with policy strategy because the asserted OID defines the proof burden

The qualified policy identifier you include in a certificate communicates assurance properties to relying parties. It also determines which requirement sets apply and what evidence you need to retain.

Treat policy selection as a governance decision with documented rationale, clear service scope, and an owner who keeps CP, CPS, profile settings, and issuance operations synchronized.

- Choose which policies to assert: QCP-n and QCP-l, their QSCD variants, and qualified website-authentication policies such as QEVCP-w and QNCP-w
- Define which customer segments and use cases map to each policy OID
- Maintain a versioned mapping from policy OID to requirements, controls, and evidence

## 2) Build the qualified-documentation and repository program

EN 319 411-2 requires policy documentation to say clearly that it is for EU qualified certificates and whether QSCD use is required. It also expects PKI disclosure support and builds on the publication and repository responsibilities inherited from EN 319 411-1.

This is a common failure mode: documents exist, but they do not clearly communicate qualified status, QSCD expectations, or which version was in force when a certificate was issued.

- CP: explicit EU-qualified statement plus explicit QSCD requirement statement where applicable
- CPS: operational reality for identity verification, issuance, key boundaries, status services, and trusted-list interactions
- Repository: stable URLs, version history, and change notices for relying parties and assessors

## 3) Identity verification workflows must produce reusable evidence

EN 319 411-2 adds qualified identity-verification rules for natural persons and legal persons, and it defines a choice rule for qualified website-authentication policies depending on whether the subscriber is a natural or legal person.

The compliance requirement is not just to verify identity. It is to be able to demonstrate that identity verification was performed correctly, with traceable evidence and approval records.

- Natural-person qualified certificates: verification steps and retained evidence for the person and relevant attributes
- Legal-person qualified certificates: verification steps and retained evidence for the entity and relevant attributes
- Website authentication: verify subscriber identity and link to the domain name, then preserve the evidence path

## 4) QSCD boundaries need an explicit operating model

QSCD-related policies require strong key-control boundaries. EN 319 411-2 includes conditional requirements for cases where the TSP manages the QSCD for the subject, and it moves requirements into subscriber obligations when the subscriber or subject maintains the private key.

Your assessment story must be consistent: who has control, what operations occur, what device or module is in scope, and what evidence proves that signing stays inside the permitted QSCD boundary.

- Define the responsibility model: subject-controlled QSCD or TSP-managed QSCD
- Enforce QSCD-only signing where required and log the enforcement evidence
- Document sole-control or subject-control semantics and implement checks for violations or exceptions

## 5) Trusted-list operations are part of the compliance story

Qualified status has to be externally verifiable. EN 319 411-2 points to the trusted-list ecosystem, including ETSI TS 119 612, ETSI TS 119 615, and ETSI TS 119 172-4, because relying parties validate qualified status against those materials.

A mature qualified program knows exactly how each service maps to trusted-list entries, how relying parties validate that mapping, and how support teams explain it during customer due-diligence reviews.

- Map each service and certificate type to the correct trusted-list entry and service digital identifier
- Test certificate validation against EU trusted lists and keep evidence of the validation path
- Coordinate trusted-list operations with CP, CPS, certificate-profile, and customer-support teams

## 6) Revocation and status services still need relying-party-grade proof

EN 319 411-2 inherits the EN 319 411-1 lifecycle and status-service expectations. It also references status and certificate-profile mechanisms relevant to long-lived validation, such as OCSP ArchiveCutOff and expired revoked certificates on CRLs.

In practice, auditors and relying parties care about status freshness, availability, interpretation rules, and whether the infrastructure behaved consistently with the qualified policy in force.

- Run revocation and online-status services as critical infrastructure with measured freshness and availability
- Document any ArchiveCutOff or expired-revoked-certificate behavior and make sure profiles, CPS text, and operations match
- Retain evidence that status information remained consistent with issuance, suspension, and revocation events

## 7) Manage CA Browser Forum precedence for qualified web policies

For certain qualified website-authentication policies, EN 319 411-2 includes a conditional precedence rule: if there is conflict with the latest CA Browser Forum requirements, those CA Browser Forum requirements take precedence.

Operationally, this forces a maintenance program. You must track changes, assess impact, implement updates, and refresh CPS and evidence accordingly.

- Monitor CA Browser Forum changes relevant to the web-policy OIDs you assert
- Maintain documented gap analysis and remediation tracking
- Refresh evidence after control changes rather than relying on stale test results

## 8) Build the evidence pack for supervision and conformity assessment

The strongest evidence is operational: logs, case records, configuration history, monitored controls, and trusted-list proof generated by your systems. Build an evidence index that links every requirement family to its proof and latest verification results.

A qualified program should be able to answer quickly which policy was asserted, why it was appropriate, how identity was verified, how QSCD boundaries were enforced, how qualified status was validated, and how revocation and status services performed.

- Policy evidence: OID usage inventory, CP and CPS versions, qualified statements, and repository change history
- Identity evidence: verification case records with sources, decisions, and approvals
- Qualified-status evidence: trusted-list mappings, validation tests, and profile or QCStatement checks
- Lifecycle evidence: issuance, re-key, revocation events, status-service availability, and consistency checks
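
The versioned policy-OID mapping from section 1 and the "profile or QCStatement checks" listed above can be run as a lint over the issuance inventory. The following is an added example, not code from Sorena or ETSI: the OID constants are recalled from EN 319 411-2 and EN 319 412-5 and should be confirmed against the editions you assert, the policy-to-QcType mapping is an assumed house profile rule, and the record fields are hypothetical values already extracted from each certificate.

```python
# Added example. OID constants are recalled from ETSI EN 319 411-2 (policies) and
# EN 319 412-5 (QCStatements); confirm them against the editions you assert.
QCP_N, QCP_L = "0.4.0.194112.1.0", "0.4.0.194112.1.1"
QCP_N_QSCD, QCP_L_QSCD = "0.4.0.194112.1.2", "0.4.0.194112.1.3"
QEVCP_W, QNCP_W = "0.4.0.194112.1.4", "0.4.0.194112.1.5"
QC_COMPLIANCE, QC_SSCD = "0.4.0.1862.1.1", "0.4.0.1862.1.4"
QCT_ESIGN, QCT_ESEAL, QCT_WEB = "0.4.0.1862.1.6.1", "0.4.0.1862.1.6.2", "0.4.0.1862.1.6.3"

# Versioned mapping (assumed house profile rule, not quoted from the standard):
# policy OID -> (policy name, expected QcType, QSCD required)
MAPPING_VERSION = "example-1"
POLICY_RULES = {
    QCP_N: ("QCP-n", QCT_ESIGN, False),
    QCP_L: ("QCP-l", QCT_ESEAL, False),
    QCP_N_QSCD: ("QCP-n-qscd", QCT_ESIGN, True),
    QCP_L_QSCD: ("QCP-l-qscd", QCT_ESEAL, True),
    QEVCP_W: ("QEVCP-w", QCT_WEB, False),
    QNCP_W: ("QNCP-w", QCT_WEB, False),
}

def lint_certificate(rec):
    """Return findings for one inventory record (fields pre-extracted from the cert)."""
    asserted = [p for p in rec["policy_oids"] if p in POLICY_RULES]
    if not asserted:
        return ["no known qualified policy OID asserted"]
    statements = set(rec["qc_statements"])
    findings = []
    if QC_COMPLIANCE not in statements:
        findings.append("QcCompliance statement missing")
    for oid in asserted:
        name, qc_type, needs_qscd = POLICY_RULES[oid]
        if rec.get("qc_type") != qc_type:
            findings.append(f"{name}: QcType does not match policy")
        if needs_qscd != (QC_SSCD in statements):
            findings.append(f"{name}: QcSSCD statement and policy disagree on QSCD")
    return findings

def lint_inventory(records):
    """Evidence-index view: serial -> findings, for records with problems only."""
    return {r["serial"]: f for r in records if (f := lint_certificate(r))}

# Constructed sample inventory (not real certificates; the last OID is a placeholder).
SAMPLE = [
    {"serial": "01", "policy_oids": [QCP_N_QSCD], "qc_statements": [QC_COMPLIANCE, QC_SSCD], "qc_type": QCT_ESIGN},
    {"serial": "02", "policy_oids": [QCP_L_QSCD], "qc_statements": [QC_COMPLIANCE], "qc_type": QCT_ESEAL},
    {"serial": "03", "policy_oids": [QNCP_W], "qc_statements": [QC_COMPLIANCE], "qc_type": QCT_ESIGN},
    {"serial": "04", "policy_oids": ["1.3.6.1.4.1.99999.1"], "qc_statements": [], "qc_type": None},
]

if __name__ == "__main__":
    for serial, findings in lint_inventory(SAMPLE).items():
        print(MAPPING_VERSION, serial, findings)
```

Storing the mapping version alongside each run's findings lets the evidence index show which rule set a certificate was checked against.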

## Primary sources

- [ETSI EN 319 411-2 V2.6.1 (Official PDF via ETSI Deliver)](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified policy identifiers, identity verification rules, QSCD obligations, trusted-list references, and qualified disclosures.
- [ETSI EN 319 411-1 V1.5.1](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Baseline CP and CPS and lifecycle requirements incorporated by EN 319 411-2.
- [ETSI Work Item REN/ESI-0019411-2v261](https://portal.etsi.org/webapp/WorkProgram/Report_WorkItem.asp?WKI_ID=72255&ref=sorena.io) - Official ETSI work item page for current-version and publication metadata.
- [eIDAS Regulation (EU) No 910/2014 (consolidated)](https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX%3A02014R0910-20240520&ref=sorena.io) - Legal framework referenced by EN 319 411-2 for qualified trust services and qualified certificates.

---

(c) 2026 Sorena AB (559573-7338). All rights reserved.
