ETSI EN 319 411-2 vs eIDAS qualified trust services

EN 319 411-2 covers policy and security requirements for TSPs issuing EU qualified certificates, including named qualified certificate policy profiles.

eIDAS covers qualified trust services as a legal category, including qualified certificates for signatures, seals, and website authentication plus the provider status framework around them.

Start by naming both the certificate policy profile and the eIDAS service status being claimed; the standard scope and the legal qualified-service scope are related but not identical.

The EN 319 411-2 owner is the certificate-issuing TSP and its CA, RA, repository, revocation, certificate status, CP/CPS, and security-control owners.

The eIDAS owners include the trust service provider seeking or holding qualified status, the conformity assessment body, the supervisory body, and the Member State trusted-list function.

Assign standard evidence to certificate-service operators and legal status evidence to the qualified-service governance team; one generic compliance owner will miss handoffs.

EN 319 411-2 is triggered when a TSP issues, or claims conformance for issuing, EU qualified certificates under one of the standard's qualified certificate policy profiles.

eIDAS qualified-service work is triggered when a provider intends to provide a qualified trust service or needs to maintain qualified status after it has been granted.

Do not wait until public launch copy is drafted; trigger both reviews when the certificate profile and the intended qualified-service status are selected.

EN 319 411-2 obligations are implemented through certificate policy selection, CP/CPS controls, identity validation, issuance, acceptance, revocation, suspension, certificate status, repository, and QSCD-related evidence where applicable.

eIDAS obligations include notification, conformity assessment, supervisory verification, ongoing audits, remedy where required, status withdrawal risk, and trusted-list publication.

Build two linked workstreams: one for certificate-service controls and one for qualified-status lifecycle controls.

EN 319 411-2 evidence is the CP/CPS, certificate policy identifier, subscriber and subject validation, certificate issuance, revocation, suspension, certificate status, repository, QSCD indication, and records material.

eIDAS evidence is the conformity assessment report, notification to the supervisory body, supervisory verification, qualified-status grant, and trusted-list entry.

Keep a traceable matrix with separate columns for standard conformance artifacts and legal qualified-status artifacts.

EN 319 411-2 timing is driven by certificate lifecycle events such as application, issuance, acceptance, renewal, re-key, modification, revocation, suspension, status service operation, and records archival.

eIDAS timing includes the Article 20 audit cadence of at least every 24 months, submission of the conformity assessment report, supervisory verification, and trusted-list update timing.

Track certificate lifecycle clocks separately from qualified-status audit and supervisory clocks.

EN 319 411-2 is enforced through assessment, audit expectations, certification or procurement requirements, and the ability to prove the certificate service matches the selected policy profile.

eIDAS supervision is performed by supervisory bodies that can audit, require remedy, and withdraw qualified status where the Regulation's requirements are not met.

Escalate when an EN 319 411-2 finding affects status evidence, because a technical nonconformity can become a supervisory issue under eIDAS.

Reuse EN 319 411-2 controls where the same certificate service, policy profile, CP/CPS, CA/RA process, revocation service, and records boundary are unchanged.

Reuse eIDAS qualified-service evidence only where the same provider, service, Member State supervision, qualified-status decision, and trusted-list entry are in scope.

A shared control can reduce duplication, but status evidence, certificate-profile evidence, and trusted-list evidence must remain traceable to the exact source that supports the claim.

Use EN 319 411-2 when the question is whether certificate-policy, CP/CPS, lifecycle, QSCD, QWAC, or CA/RA evidence meets the qualified-certificate standard.

Use eIDAS when the question is whether the provider and service have qualified status, supervisory verification, conformity assessment evidence, and a trusted-list entry.

Use both only when the same qualified certificate service needs standard-conformance evidence and eIDAS qualified-status evidence.