--- title: "ETSI EN 319 411-2 FAQ for EU Qualified Certificates" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/items/page/2" author: "Sorena AI" description: "Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-2" - "EU qualified certificates" - "QCP-n" - "QCP-l" - "QCP-n-qscd" - "QCP-l-qscd" - "QEVCP-w" - "QNCP-w" - "QSCD" - "QTSP" - "eIDAS" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 411-2 FAQ for EU Qualified Certificates Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. *FAQ* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 FAQ for EU qualified certificates Answers to practical questions about ETSI EN 319 411-2 policy profiles, qualified certificate lifecycle controls, QSCD handling, trusted lists, and revocation-status obligations. Grounded in ETSI EN 319 411-2, related ETSI certificate standards, and eIDAS source material. Use it for implementation planning, not for legal interpretation. ETSI EN 319 411-2 is the ETSI standard for trust service providers issuing EU qualified certificates. This FAQ focuses on the questions that usually decide implementation scope: which qualified certificate policy applies, whether a QSCD is part of the claim, what identity validation evidence is needed, how relying parties should see trusted-list information, and how revocation status is kept available. ## Browse sub-FAQ modules ### [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md) Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - 3 items ### [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md) ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. - 3 items ### [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md) A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. - 3 items ### [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md) FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - 3 items ### [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md) How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. - 3 items ### [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md) How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - 3 items ### [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md) FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - 3 items ### [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md) FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. - 3 items ### [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md) Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. - 3 items Browse all indexed questions: [/artifacts/global/etsi-en-319-411-2/faq/items](/artifacts/global/etsi-en-319-411-2/faq/items.md) ## All FAQ items *Page 2 of 2. Showing 7 of 27 items.* ### [What checklist should teams use before claiming EN 319 411-2 qualified certificate coverage?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md#what-checklist-should-teams-use-before-claiming-en-319-411-2-qualified-certificate-coverage) *Module: [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md)* Use the checklist to prevent the common error of treating all certificates, all certificate policies, or all QTSP services as interchangeable. The useful review is certificate-policy specific and should be repeated when the certificate profile, CPS, QSCD route, website certificate route, trusted-list status, or relevant ETSI/eIDAS source changes. - Confirm that the service is an EU qualified certificate service for electronic signatures, electronic seals, or website authentication before applying EN 319 411-2 as the qualified-certificate policy layer. - Check that the certificate includes at least one allowed policy identifier or policy OID for the selected EN 319 411-2 route. - Verify that any QSCD claim is limited to QCP-n-qscd or QCP-l-qscd certificates and is reflected consistently in CPS controls, subscriber obligations, and certificate-profile evidence. - Confirm that lifecycle evidence covers issuance, maintenance, revocation, validity-status publication, certificate database handling, and records that remain accessible for the required period. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for non-qualified certificate policy, CPS, subscriber identity, revocation, repository, CA/RA, and certificate lifecycle requirements. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Primary legal source for EU trust services, qualified trust services, supervisory framing, and qualified certificate context. ### [What qualified certificate policies does ETSI EN 319 411-2 define?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md#what-qualified-certificate-policies-does-etsi-en-319-411-2-define) *Module: [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md)* ETSI EN 319 411-2 defines seven EU qualified certificate policies. QCP-n covers EU qualified certificates issued to natural persons, and QCP-l covers EU qualified certificates issued to legal persons. QCP-n-qscd and QCP-l-qscd are the corresponding policies when the private key related to the certified public key must reside in a qualified signature or seal creation device. - Use QCP-n for natural-person EU qualified certificates and QCP-l for legal-person EU qualified certificates. - Use QCP-n-qscd or QCP-l-qscd when the qualified certificate route requires the private key to reside in a QSCD. - Use QEVCP-w, QNCP-w, or QNCP-w-gen for qualified website authentication certificates, depending on whether the route relies on EVCP, OVCP or IVCP, or the general WEB-tagged requirements. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 qualified certificate policies](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 4.2.2 lists the seven EU qualified certificate policies and describes the subject, QSCD, and website-authentication routes. - [ETSI EN 319 411-1 V1.5.1 certificate policy baseline](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - EN 319 411-2 builds its qualified policies on EN 319 411-1 NCP, NCP+, EVCP, OVCP, IVCP, DVCP, and WEB-tagged requirements. ### [How should a QTSP choose the correct EN 319 411-2 policy identifier?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md#how-should-a-qtsp-choose-the-correct-en-319-411-2-policy-identifier) *Module: [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md)* Start with the certificate purpose and subject. Natural-person signature certificates point to QCP-n or QCP-n-qscd. Legal-person seal certificates point to QCP-l or QCP-l-qscd. Website authentication certificates point to QEVCP-w, QNCP-w, or QNCP-w-gen depending on the validation route and applicable CA/Browser Forum baseline or extended-validation requirements. - Record the subject category: natural person, legal person, or website authentication certificate subject. - Record whether the service requires a QSCD and whether the certificate policy must include a QSCD-specific identifier. - Record the inherited baseline: NCP, NCP+, EVCP, OVCP, IVCP, or WEB-tagged EN 319 411-1 requirements. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 certificate policy name and identification](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 5.3 assigns policy identifiers to QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and QNCP-w-gen. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - eIDAS is the legal framework referenced by EN 319 411-2 for EU qualified certificates and qualified website authentication certificates. ### [What evidence should support a qualified certificate policy claim?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md#what-evidence-should-support-a-qualified-certificate-policy-claim) *Module: [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md)* The evidence should prove that the selected policy identifier matches the certificate type and the service actually operated. Keep the CP/CPS section that names the policy, the certificate profile showing the policy OID, the terms and conditions that determine secure-device use, and issuance or audit evidence showing whether the service follows the inherited EN 319 411-1 requirements. - Keep the CP/CPS policy section and the exact policy OID used in issued certificates. - Keep terms and conditions showing whether QCP-n or QCP-l uses NCP or NCP+ because a secure cryptographic device is required. - Keep evidence that QSCD, EVCP, OVCP, IVCP, or WEB-tagged inherited requirements were applied when the selected policy depends on them. - Keep Annex A mapping as supporting traceability, not as a standalone legal-conformance conclusion. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 Regulation and EU qualified certificate policy mapping](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Annex A maps EN 319 411-2 policy references to eIDAS requirements and states limits on using that mapping as definitive legal conformance. - [ETSI EN 319 401 V3.1.1 trust service provider requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - EN 319 401 provides general TSP policy and security requirements referenced by EN 319 411-2 and its eIDAS mapping annex. ### [How do the three QWAC profiles differ?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md#how-do-the-three-qwac-profiles-differ) *Module: [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md)* ETSI EN 319 411-2 defines three EU qualified website authentication certificate policy profiles: QEVCP-w, QNCP-w, and QNCP-w-gen. The profile choice is not cosmetic because the selected policy determines which EN 319 411-1 baseline, CA/Browser Forum dependency, and qualified-certificate additions must be reflected in the CP, CPS, certificate profile, and evidence pack. - QEVCP-w: legal-person QWAC route based on EVCP and the CA/Browser Forum Extended Validation Guidelines. - QNCP-w: natural-person or legal-person QWAC route based on NCP plus OVCP or IVCP and the CA/Browser Forum Baseline Requirements. - QNCP-w-gen: general-purpose QWAC route based on NCP plus selected web-authentication requirements in EN 319 411-1. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clauses 4.2.2, 5.1, and 5.3 define QEVCP-w, QNCP-w, and QNCP-w-gen and map them to EVCP, NCP, OVCP, IVCP, BRG, EVCG, and web-authentication dependencies. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - EN 319 411-1 supplies the EVCP, OVCP, IVCP, NCP, and web-authentication requirements that EN 319 411-2 builds on for qualified website authentication profiles. ### [What must be proven before issuing a QWAC?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md#what-must-be-proven-before-issuing-a-qwac) *Module: [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md)* For QEVCP-w, QNCP-w, and QNCP-w-gen, EN 319 411-2 ties initial validation to the subscriber type and the domain name. If the subscriber is a natural person, verify the subscriber identity and link with the domain name using the QCP-n route. If the subscriber is a legal person, verify the legal-person identity, authorized-representative route, and link with the domain name using the QCP-l route. - Record the selected policy identifier: QEVCP-w, QNCP-w, or QNCP-w-gen. - Keep separate evidence for subscriber identity, authority to request the certificate, and the subscriber's link with the domain name. - For QEVCP-w and QNCP-w, track conflicts or updates in the applicable BRG or EVCG route because EN 319 411-2 gives those requirements precedence in conflict cases. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 6.2.2 applies QCP-n or QCP-l identity validation to QWAC subscribers and adds verification of the subscriber's link with the domain name. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - eIDAS provides the EU legal context referenced by EN 319 411-2 for qualified certificates used for website authentication. ### [What review checks keep the QWAC profile defensible?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md#what-review-checks-keep-the-qwac-profile-defensible) *Module: [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md)* Review the QWAC profile whenever the QTSP changes its CP/CPS, certificate profile, subscriber validation workflow, CA/RA responsibility split, repository publication process, or CA/Browser Forum dependency. The review should confirm that the public certificate policy OID and the evidence trail still describe the same qualified website authentication route. - Do not market a certificate as a QWAC unless the EN 319 411-2 profile, qualified status context, and certificate-policy evidence all line up. - Do not reuse a generic TLS certificate checklist when the qualified website authentication route requires a specific EN 319 411-2 policy identifier. - Do not merge QEVCP-w, QNCP-w, and QNCP-w-gen findings into one control row; each route has different dependencies and evidence. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 5.3 lists the policy identifiers relying parties can use to assess certificate suitability and trustworthiness under the eIDAS framework. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - EN 319 411-1 provides the repository, subscriber validation, certificate lifecycle, and web-authentication controls that remain part of the QWAC evidence trail. ## FAQ Pagination - Canonical index (page 1): [/artifacts/global/etsi-en-319-411-2/faq/items](/artifacts/global/etsi-en-319-411-2/faq/items.md) - Page 1 rule: `/page/1` is intentionally not generated; use the canonical index markdown URL. - Current page: 2 of 2 Pages: [1](/artifacts/global/etsi-en-319-411-2/faq/items.md) | [2](/artifacts/global/etsi-en-319-411-2/faq/items/page/2.md) [Previous page](/artifacts/global/etsi-en-319-411-2/faq/items.md) *Recommended next step* *Placement: after FAQ guidance* ## Operationalize ETSI EN 319 411-2 Use this FAQ to connect qualified certificate policy choices, QSCD evidence, identity validation, trusted-list checks, and revocation-status records before an assessment or customer review. - [Open Assessment Autopilot for ETSI EN 319 411-2](/solutions/assessment.md): Convert the selected EN 319 411-2 policy profile into accountable controls, evidence requests, and review milestones. - [Research ETSI EN 319 411-2 source questions](/solutions/research-copilot.md): Resolve qualified certificate, QSCD, trusted-list, and revocation-status questions against cited ETSI and eIDAS source material. - [Talk through ETSI EN 319 411-2 implementation](/contact.md): Review certificate-service scope, source evidence, owner assignments, and next assessment actions with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/items/page/2