---
title: "ETSI EN 319 411-2 FAQ for EU Qualified Certificates"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/items"
author: "Sorena AI"
description: "Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-2"
  - "EU qualified certificates"
  - "QCP-n"
  - "QCP-l"
  - "QCP-n-qscd"
  - "QCP-l-qscd"
  - "QEVCP-w"
  - "QNCP-w"
  - "QSCD"
  - "QTSP"
  - "eIDAS"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 319 411-2 FAQ for EU Qualified Certificates

Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.

*FAQ* *GLOBAL* *ETSI EN 319 411-2*

## ETSI EN 319 411-2 FAQ for EU qualified certificates

Answers to practical questions about ETSI EN 319 411-2 policy profiles, qualified certificate lifecycle controls, QSCD handling, trusted lists, and revocation-status obligations.

Grounded in ETSI EN 319 411-2, related ETSI certificate standards, and eIDAS source material. Use it for implementation planning, not for legal interpretation.

ETSI EN 319 411-2 is the ETSI standard for trust service providers issuing EU qualified certificates. This FAQ focuses on the questions that usually decide implementation scope: which qualified certificate policy applies, whether a QSCD is part of the claim, what identity validation evidence is needed, how relying parties should see trusted-list information, and how revocation status is kept available.

## Browse sub-FAQ modules

### [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md)

Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.

- 3 items

### [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md)

ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.

- 3 items

### [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md)

A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.

- 3 items

### [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md)

FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.

- 3 items

### [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md)

How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.

- 3 items

### [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md)

How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.

- 3 items

### [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md)

FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.

- 3 items

### [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md)

FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.

- 3 items

### [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md)

Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.

- 3 items

Browse all indexed questions: [/artifacts/global/etsi-en-319-411-2/faq/items](/artifacts/global/etsi-en-319-411-2/faq/items.md)

## All FAQ items

*Page 1 of 2. Showing 20 of 27 items.*

### [What should revocation procedures cover?](/artifacts/global/etsi-en-319-411-2/faq/revocation.md#what-should-revocation-procedures-cover)

*Module: [ETSI EN 319 411-2: Certificate Revocation](/artifacts/global/etsi-en-319-411-2/faq/revocation.md)*

ETSI EN 319 411-2 makes the EN 319 411-1 revocation request controls applicable to qualified certificate services. In practice, the QTSP's CPS should define who can submit revocation requests or event reports, how they are submitted, when confirmation is required, what reasons can lead to suspension or revocation, and which mechanism distributes revocation status information.

- Authenticate each revocation request or event report and check that it comes from an authorized source before changing certificate status.
- Process revocation requests and revocation-related event reports on receipt, with UTC-synchronized time used for the revocation service.
- Apply the 24-hour maximum delay to every revocation status method in use when both CRL and OCSP can lag.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.2.4 makes the EN 319 411-1 revocation request requirements applicable to EU qualified certificate services.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Clause 6.2.4 defines CPS content for revocation requests, the 24-hour publication limit, UTC synchronization, and authorized-source checks.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Article 24.3 is mapped by ETSI EN 319 411-2 to revocation request handling and certificate revocation clauses for qualified certificate issuers.

### [What evidence should support revocation under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/revocation.md#what-evidence-should-support-revocation-under-etsi-en-319-411-2)

*Module: [ETSI EN 319 411-2: Certificate Revocation](/artifacts/global/etsi-en-319-411-2/faq/revocation.md)*

Evidence should show that the QTSP can receive, authenticate, decide, publish, and preserve revocation status consistently for the qualified certificate profiles it issues. The useful audit trail is not a generic owner list; it is the sequence from request or event report through certificate database update and CRL or OCSP publication.

- CPS extracts covering revocation request submitters, submission channels, confirmation rules, suspension or revocation reasons, CRL or OCSP distribution, and maximum delays.
- Timestamped revocation tickets or logs showing receipt, authorization, confirmation status, decision, certificate database update, CRL or OCSP publication, and any 24-hour exception justification.
- Status-service evidence showing 24/7 availability, integrity and authenticity protections, consistent updates across CRL and OCSP when both are used, and public international availability.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.3.10 adds qualified-certificate status requirements beyond certificate validity and requires practices statements and terms to explain how those requirements are met.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Clauses 6.3.9 and 6.3.10 support evidence for revocation decisions, notification, CRL publication, OCSP or CRL support, and consistency across status methods.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Article 24.4 is reflected in ETSI EN 319 411-2 status-service requirements for relying-party access to validity or revocation status.

### [What checklist should teams use for revocation under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/revocation.md#what-checklist-should-teams-use-for-revocation-under-etsi-en-319-411-2)

*Module: [ETSI EN 319 411-2: Certificate Revocation](/artifacts/global/etsi-en-319-411-2/faq/revocation.md)*

Use a checklist that follows the certificate lifecycle clauses rather than a general compliance workflow. The review should prove that revocation requests are controlled, revoked certificates are not reinstated, and relying parties can obtain status information through the published mechanisms.

- Map each qualified certificate profile in scope to its revocation request process, including authorized submitters, confirmation rules, future-dated requests, emergency reasons, and UTC time source.
- Verify that non-expired certificates are revoked when they are no longer compliant with the applicable certificate policy, when known changes affect certificate validity, or when the cryptography no longer ensures the binding between subject and public key.
- Check CRL handling where CRLs are used: publication at least every 24 hours until the last CRL, nextUpdate values, signer, expired revoked certificate handling, and last-CRL preservation.
- Check OCSP handling where OCSP is used: archive cut-off use for status beyond expiry, last OCSP answers where applicable, and documented interpretation when OCSP and CRL update delays differ.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.3.10 specifies CRL and OCSP requirements for making qualified-certificate revocation status available beyond validity.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Clause 6.3.9 defines revocation triggers, no reinstatement after definitive revocation, CRL timing, CARL timing, and short-term certificate handling.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - ETSI EN 319 411-2 maps eIDAS certificate revocation and relying-party status requirements to clauses 6.2.4, 6.3.9, and 6.3.10.

### [Choosing the right certificate policy route](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md#choosing-the-right-certificate-policy-route)

*Module: [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md)*

Start with the certificate policy. ETSI EN 319 411-2 names QCP-n for EU qualified certificates issued to natural persons and QCP-l for EU qualified certificates issued to legal persons. If the private key and related certificate reside on a QSCD, use the matching QSCD policy route: QCP-n-qscd for a natural person and QCP-l-qscd for a legal person.

- Use QCP-n or QCP-n-qscd when the qualified certificate is issued to a natural person.
- Use QCP-l or QCP-l-qscd when the qualified certificate is issued to a legal person.
- For qualified website authentication certificates, check whether the subscriber is a natural or legal person and validate both the identity and the link with the domain name.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines QCP-n, QCP-l, their QSCD variants, and the qualified website authentication policy routes used to separate natural-person and legal-person certificate handling.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Explains the subscriber and subject roles that EN 319 411-2 relies on when a certificate is requested for a person, an organization, or a device.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal source for qualified certificate identity verification of the natural or legal person to whom the certificate is issued.

### [What evidence should support legal and natural persons under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md#what-evidence-should-support-legal-and-natural-persons-under-etsi-en-319-411-2)

*Module: [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md)*

For a natural-person certificate, keep evidence that the person's identity and any specific attributes were verified either by physical presence or by a method for which the TSP can prove equivalent assurance. EN 319 411-1 adds the practical evidence categories: full name, date and place of birth or another distinguishing identity attribute, and records needed to verify the subject identity and any attribute limitations.

- Record the selected policy identifier: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
- Keep the identity-proofing method, the evidence source, the validated attributes, and any proof that a remote or indirect method provides equivalent assurance.
- When a subscriber acts for a separate subject, keep the representation agreement or authorization evidence required by EN 319 411-1.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Requires separate identity-validation routes for QCP-n/QCP-n-qscd and QCP-l/QCP-l-qscd, including equivalent-assurance proof when physical presence is not used.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Lists the evidence to collect for natural persons, natural persons associated with legal persons, legal persons, and subscriber authorization.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Article 24 is mapped in EN 319 411-2 to the qualified certificate identity-verification requirements for natural and legal persons.

### [What checklist should teams use for legal and natural persons under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md#what-checklist-should-teams-use-for-legal-and-natural-persons-under-etsi-en-319-411-2)

*Module: [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md)*

Use the checklist to prevent the common failure mode: issuing or describing a qualified certificate without proving whether the subject route, policy identifier, identity-proofing evidence, and subscriber authority match the actual natural-person, legal-person, or website-authentication scenario.

- Classify the subject: natural person, natural person associated with a legal person, legal person, device or system operated by or for a person, or website-authentication subscriber.
- Select the certificate policy and OID route that matches the subject and QSCD status.
- For natural persons, verify the person and attributes through physical presence or an equivalent-assurance method and record distinguishing identity attributes.
- For legal persons, verify the legal person through an authorized representative or equivalent-assurance method and record organization, registration, and representation evidence.
- For website authentication, verify the subscriber identity and the subscriber's link with the domain name using the natural-person or legal-person route that applies.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Provides the policy identifiers and the choice rules for qualified website authentication where the subscriber can be a natural or legal person.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the checklist categories by defining subject types and the evidence needed when the subscriber represents the subject.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supplies the eIDAS legal frame that EN 319 411-2 maps to qualified certificate identity verification.

### [How should a QTSP choose between QCP-n, QCP-l, QSCD, and website profiles?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md#how-should-a-qtsp-choose-between-qcp-n-qcp-l-qscd-and-website-profiles)

*Module: [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md)*

Start with the relying-party purpose and subject type. EN 319 411-2 defines separate policy identifiers for qualified certificates issued to natural persons, qualified certificates issued to legal persons, qualified certificates tied to a QSCD, and qualified website authentication certificates.

- Use QCP-n when the qualified certificate is issued to a natural person for advanced electronic signatures based on a qualified certificate.
- Use QCP-l when the qualified certificate is issued to a legal person for advanced electronic seals based on a qualified certificate.
- Use QCP-n-qscd or QCP-l-qscd only when the selected signature or seal route requires the private key to reside in a QSCD.
- Use QEVCP-w for a qualified website certificate based on EVCG, QNCP-w for a website certificate based on BRG, and QNCP-w-gen for the general-purpose website-authentication profile.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines the seven EU qualified certificate policy identifiers and describes their natural-person, legal-person, QSCD, and website-authentication use cases.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the general certificate policy, CPS, subscriber, repository, and lifecycle requirements that EN 319 411-2 builds on.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal context for qualified trust services, qualified certificates, electronic signatures, electronic seals, and website authentication.

### [What should the profile-selection record show?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md#what-should-the-profile-selection-record-show)

*Module: [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md)*

The record should show why the certificate policy and certificate contents match the qualified service being offered. EN 319 411-2 says that including one of its policy identifiers indicates the certificate is issued and managed according to that policy, so the identifier should not be treated as a cosmetic label.

- Identify the selected EN 319 411-2 profile and the exact policy identifier or TSP-allocated policy OID used in the certificate.
- Record whether the subject is a natural person, a legal person, or a website-authentication subject, because the profile families are split on that basis.
- For QCP-n-qscd and QCP-l-qscd, keep evidence that the QSCD route is intended and that the required QSCD qcStatement is included only for those profiles.
- For website authentication, record whether the route is QEVCP-w, QNCP-w, or QNCP-w-gen and how that route relates to EVCP, OVCP, IVCP, or EN 319 411-1 WEB-tagged requirements.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the profile-selection evidence points: policy identifiers, QSCD-specific certificate content, and website-authentication profile routes.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Grounds the underlying NCP, NCP+, EVCP, OVCP, IVCP, WEB, CPS, and certificate lifecycle concepts referenced by EN 319 411-2.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the legal frame for qualified certificates and qualified trust-service context behind the profile review.

### [When should the selected profile be reviewed?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md#when-should-the-selected-profile-be-reviewed)

*Module: [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md)*

Review the selected profile whenever the certificate purpose, subject population, QSCD handling, website-authentication route, policy OID, CPS wording, or certificate content changes. A profile that was correct for a non-QSCD natural-person certificate may be wrong after a QSCD service launch, and a signature or seal profile does not substitute for a website-authentication profile.

- Reassess when moving between natural-person and legal-person certificates, because QCP-n and QCP-l point to different subject contexts.
- Reassess before adding or removing QSCD reliance, because the -qscd profiles carry extra QSCD-specific requirements and certificate-content implications.
- Reassess when changing a website certificate route between QEVCP-w, QNCP-w, and QNCP-w-gen, because the underlying assurance model differs.
- Reassess when using a TSP-allocated policy OID, because EN 319 411-2 expects the referred policy to clearly identify which EN 319 411-2 policy it adopts as the basis.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports review triggers tied to subject type, QSCD status, website-authentication route, and TSP-allocated policy OIDs.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the general policy, CPS, and certificate lifecycle requirements used when reviewing whether the EN 319 411-2 route still fits.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the qualified certificate and qualified trust-service context behind the profile review.

### [What does EN 319 411-2 require for trusted-list reliance?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md#what-does-en-319-411-2-require-for-trusted-list-reliance)

*Module: [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md)*

ETSI EN 319 411-2 does not treat a trusted list as a loose background reference. In the notice to relying parties, the TSP must explain that, as one condition for relying on the certificate as an EU Qualified Certificate, the validation trust anchor is the service digital identifier in the appropriate EU trusted-list entry for the QTSP.

- Put the trusted-list condition in the relying-party notice or the terms and conditions referenced by that notice.
- Tie the claim to the QTSP and qualified trust service entry, not only to a generic provider name or certificate chain.
- Keep the certificate policy identifier visible because EN 319 411-2 says policy identifiers help relying parties assess suitability and trustworthiness under eIDAS.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 relying-party trusted-list notice](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - OVR-6.3.5-12 requires the notice to relying parties to identify the EU trusted-list service digital identifier used as the trust anchor for validating an EU qualified certificate.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal framework referenced by EN 319 411-2 for EU qualified certificates, QTSP status, and qualified trust services.

### [What should a QTSP publish or retain for relying parties?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md#what-should-a-qtsp-publish-or-retain-for-relying-parties)

*Module: [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md)*

The practical evidence set should show that relying parties were told how qualified-certificate reliance depends on the relevant EU trusted-list entry. Keep the public notice text, the CP/CPS or terms section it points to, and a mapping from the certificate service to the trusted-list service digital identifier.

- Relying-party notice: the exact wording that explains the EU trusted-list trust anchor condition.
- Service mapping: QTSP, qualified trust service, service digital identifier, certificate profile, and policy OID.
- Validation record: trusted-list source, date checked, result, reviewer or system owner, and exception handling if the entry or status changes.
- Change trigger: recheck after trusted-list updates, QTSP service-status changes, CP/CPS changes, certificate-profile changes, or validation failures.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 trusted-list validation references](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - The notes below OVR-6.3.5-12 reference Implementing Decision 2015/1505 for trusted-list formats and ETSI TS 119 615 for validating a certificate against EU trusted lists.
- [Commission Implementing Decision (EU) 2015/1505 on trusted-list specifications](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32015D1505&ref=sorena.io) - Official EU source for the technical specifications and formats for trusted lists under Article 22(5) of eIDAS.

### [How should validation teams use trusted-list standards?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md#how-should-validation-teams-use-trusted-list-standards)

*Module: [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md)*

Use EN 319 411-2 to identify the relying-party notice obligation, then use the trusted-list standards it references for the validation method. ETSI TS 119 612 is referenced for the trusted-list service digital identifier; ETSI TS 119 615 is referenced for procedures for using and interpreting EU Member State national trusted lists.

- Use TS 119 612 terminology when documenting the service digital identifier and trusted-list entry.
- Use TS 119 615-aligned procedures when deciding whether a certificate can be considered an EU qualified certificate from trusted-list data.
- Use TS 119 172-4-aligned validation policy evidence when the relying-party outcome concerns a qualified electronic signature or seal.

Sources for this answer:

- [ETSI TS 119 612 V2.4.1 trusted lists](https://www.etsi.org/deliver/etsi_ts/119600_119699/119612/02.04.01_60/ts_119612v020401p.pdf?ref=sorena.io) - Referenced by EN 319 411-2 for the service digital identifier of the appropriate EU trusted-list entry.
- [ETSI TS 119 615 V1.2.1 trusted-list procedures](https://www.etsi.org/deliver/etsi_ts/119600_119699/119615/01.02.01_60/ts_119615v010201p.pdf?ref=sorena.io) - Referenced by EN 319 411-2 as guidance for validating a digital certificate against EU trusted lists.
- [ETSI EN 319 411-2 V2.6.1 signature and seal validation reference](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - EN 319 411-2 references ETSI TS 119 172-4 for validation policy when determining whether a signature or seal can be considered qualified using EU trusted lists.

### [How should qualified trust service providers handle QSCD under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qscd.md#how-should-qualified-trust-service-providers-handle-qscd-under-etsi-en-319-411-2)

*Module: [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md)*

A QTSP should handle QSCD by first selecting the right ETSI EN 319 411-2 qualified certificate policy. QCP-n-qscd applies to qualified certificates for natural persons where the private key and related certificate reside on a QSCD. QCP-l-qscd applies to qualified certificates for legal persons where the private key and related certificate reside on a QSCD.

- Record whether the certificate is QCP-n-qscd or QCP-l-qscd, not just that it is an EU qualified certificate.
- Show that the private key related to the certified public key resides in the QSCD for the selected policy route.
- Keep CPS and certificate profile evidence aligned with the QSCD route, including the required QSCD qcStatement only for QCP-n-qscd or QCP-l-qscd certificates.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines QCP-n-qscd and QCP-l-qscd as ETSI EN 319 411-2 policy routes where the private key and related certificate reside on a QSCD.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Referenced by ETSI EN 319 411-2 for EU qualified certificate context and for the legal definition of a qualified electronic signature or seal creation device.

### [What QSCD controls does ETSI EN 319 411-2 call out?](/artifacts/global/etsi-en-319-411-2/faq/qscd.md#what-qscd-controls-does-etsi-en-319-411-2-call-out)

*Module: [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md)*

When the TSP manages the QSCD for the subject, ETSI EN 319 411-2 restricts use of the private key for signing to the QSCD and distinguishes natural-person sole control from legal-person control. The same area of the standard ties natural-person QSCD keys to electronic signatures and legal-person QSCD keys to electronic seals.

- For QCP-n-qscd, preserve evidence that the subject's private key is used under the subject's sole control.
- For QCP-l-qscd, preserve evidence that the subject's private key is used under the subject's control.
- For certificate issuance, preserve proof of QSCD certification status, key-generation route, third-party TSP qualification where used, and CPS handling of QSCD status changes.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the QSCD-specific requirements for private-key use, subject control, QSCD certification verification, public-key origin, third-party managed devices, and QSCD status changes.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the base certificate policy, lifecycle, revocation, repository, and cryptographic module controls that ETSI EN 319 411-2 incorporates before adding QSCD-specific qualified certificate requirements.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - ETSI EN 319 411-2 points to eIDAS Annex II and device certification rules when explaining QSCD certification expectations.

### [What mistakes should QTSP teams avoid with QSCD evidence?](/artifacts/global/etsi-en-319-411-2/faq/qscd.md#what-mistakes-should-qtsp-teams-avoid-with-qscd-evidence)

*Module: [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md)*

The main risk is treating QSCD as a marketing or procurement attribute instead of a certificate-policy condition. If the service claims QCP-n-qscd or QCP-l-qscd, the evidence must trace from the policy identifier through device certification, key generation, subject control, certificate profile, CPS text, and revocation or status-change handling.

- Do not cite QCP-n or QCP-l evidence alone as proof of a QSCD-backed policy route.
- Do not rely on a device name or supplier assertion without evidence that the device is certified as a QSCD for the relevant use.
- Do not leave the CPS silent on measures for QSCD status changes before certificate expiry.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the warning against misplaced QSCD claims by requiring the QSCD qcStatement only on certificates issued under QCP-n-qscd or QCP-l-qscd requirements.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supplies the underlying certificate lifecycle and revocation framework that ETSI EN 319 411-2 references when QSCD status changes can affect non-expired certificates.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU legal context for qualified trust services and QSCD certification that ETSI EN 319 411-2 maps into certificate policy requirements.

### [Does ETSI EN 319 411-2 make a TSP qualified?](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md#does-etsi-en-319-411-2-make-a-tsp-qualified)

*Module: [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md)*

No. ETSI EN 319 411-2 expressly warns that conformance to the standard alone does not mean that the TSP or its certificates are qualified. A supervision answer should therefore avoid treating an EN 319 411-2 audit result as a substitute for qualified status.

- Keep the qualified-status decision separate from EN 319 411-2 conformance evidence.
- Identify the exact qualified certificate policy in scope, such as QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
- Show how EN 319 411-2 adds EU qualified certificate requirements on top of the EN 319 411-1 certificate policy baseline.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the distinction between EN 319 411-2 conformance and legal qualified status, and defines the EU qualified certificate policy scope.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the incorporated baseline for certificate policy, CPS, repository, revocation, subscriber identity, and lifecycle controls.

### [What should a QTSP supervision file contain?](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md#what-should-a-qtsp-supervision-file-contain)

*Module: [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md)*

A useful supervision file should start with the certificate service and policy identifier, then link the CPS, certificate profile, repository, identity proofing, revocation, status service, incident, and termination evidence to the relevant EN 319 411-2 and incorporated EN 319 411-1 requirements.

- Preserve the selected policy identifier and the certificate profile evidence used to signal that policy.
- Attach CPS sections for issuance, maintenance, revocation, status services, records, and service termination.
- Keep trusted-list evidence for the QTSP service digital identifier used as the relying-party trust anchor.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports policy identifier evidence, relying-party notice requirements, and the EU trusted-list trust-anchor path for QTSP certificates.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the underlying certificate lifecycle and CPS controls that the QTSP supervision file should map to the qualified certificate service.

### [What are the most common supervision mistakes?](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md#what-are-the-most-common-supervision-mistakes)

*Module: [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md)*

The most common mistakes are to blur qualified-status evidence with standards conformance, omit the trusted-list reliance path, or leave the supervision file without a traceable link from the selected certificate policy to the operational records.

- Do not claim qualified status from EN 319 411-2 conformance alone.
- Do not omit the trusted-list service digital identifier or the notice to relying parties.
- Do not leave revocation, incident, and records-retention evidence outside the supervision pack.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the liability-responsibility point for the qualified TSP identified in the trusted list and the mapped controls for incidents, records, termination, revocation, and certificate status services.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the incorporated baseline controls for certificate lifecycle operations, revocation, records, publication, and repository responsibilities.

### [How should qualified trust service providers handle qualified certificates under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md#how-should-qualified-trust-service-providers-handle-qualified-certificates-under-etsi-en-319-411-2)

*Module: [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md)*

Start by separating ETSI policy conformance from EU qualification status. EN 319 411-2 says it incorporates the general certificate policy and security requirements from EN 319 411-1 and adds requirements intended to meet eIDAS requirements for TSPs issuing EU qualified certificates, but it also states that conformance to the standard alone does not imply that the TSP or its certificates are qualified under eIDAS.

- Do not describe a generic certificate as qualified unless the service, certificate policy, trusted-list status, and eIDAS qualification context support that claim.
- For signature and seal certificates, distinguish natural-person, legal-person, and QSCD-backed routes before choosing the QCP identifier or local policy OID.
- For website authentication certificates, distinguish the EVCP-based QEVCP-w route, the BRG and OVCP or IVCP based QNCP-w route, and the general-purpose QNCP-w-gen route.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Primary legal source for EU trust services, qualified trust services, supervisory framing, and qualified certificate context.

### [What evidence should support qualified certificates under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md#what-evidence-should-support-qualified-certificates-under-etsi-en-319-411-2)

*Module: [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md)*

The evidence should prove that the certificate was issued and managed under the claimed EN 319 411-2 policy, not merely that the organization has a PKI program. Keep the certificate policy, Certification Practice Statement, terms and conditions, certificate profile, identity-verification record, status-service evidence, and revocation records aligned to the selected QCP route.

- Map each public certificate or service claim to QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
- Retain the policy identifier or policy OID mapping used in issued certificates, including any locally allocated OID and the EN 319 411-2 policy it adopts as the basis.
- Keep certificate database, validity-status, revocation, and records-retention evidence because eIDAS article 24 duties are mapped in EN 319 411-2 to certificate lifecycle and recordkeeping controls.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Primary legal source for EU trust services, qualified trust services, supervisory framing, and qualified certificate context.

## FAQ Pagination

- Canonical index (page 1): [/artifacts/global/etsi-en-319-411-2/faq/items](/artifacts/global/etsi-en-319-411-2/faq/items.md)
- Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL.
- Current page: 1 of 2

Pages: [1](/artifacts/global/etsi-en-319-411-2/faq/items.md) | [2](/artifacts/global/etsi-en-319-411-2/faq/items/page/2.md)

[Next page](/artifacts/global/etsi-en-319-411-2/faq/items/page/2.md)

*Recommended next step*

*Placement: after FAQ guidance*

## Operationalize ETSI EN 319 411-2

Use this FAQ to connect qualified certificate policy choices, QSCD evidence, identity validation, trusted-list checks, and revocation-status records before an assessment or customer review.

- [Open Assessment Autopilot for ETSI EN 319 411-2](/solutions/assessment.md): Convert the selected EN 319 411-2 policy profile into accountable controls, evidence requests, and review milestones.
- [Research ETSI EN 319 411-2 source questions](/solutions/research-copilot.md): Resolve qualified certificate, QSCD, trusted-list, and revocation-status questions against cited ETSI and eIDAS source material.
- [Talk through ETSI EN 319 411-2 implementation](/contact.md): Review certificate-service scope, source evidence, owner assignments, and next assessment actions with Sorena.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/items