--- title: "ETSI EN 319 411-2: Legal vs Natural Person Certs" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons" author: "Sorena AI" description: "ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-2" - "qualified certificates" - "natural persons" - "legal persons" - "QCP-n" - "QCP-l" - "FAQ" - "QTSP identity validation" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 411-2: Legal vs Natural Person Certs ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 How should qualified trust service providers handle legal and natural persons under ETSI EN 319 411-2 A focused answer on when to use QCP-n, QCP-l, QSCD variants, and qualified website authentication routes. Grounded in ETSI EN 319 411-2, ETSI EN 319 411-1, and eIDAS source material. Short answer: do not treat legal and natural persons as interchangeable certificate subjects. ETSI EN 319 411-2 defines separate EU qualified certificate policy identifiers for natural persons and legal persons, with additional QSCD variants, and applies different identity-validation evidence depending on whether the subject or subscriber is a natural person, a legal person, or a website-authentication subscriber. ## Choosing the right certificate policy route Start with the certificate policy. ETSI EN 319 411-2 names QCP-n for EU qualified certificates issued to natural persons and QCP-l for EU qualified certificates issued to legal persons. If the private key and related certificate reside on a QSCD, use the matching QSCD policy route: QCP-n-qscd for a natural person and QCP-l-qscd for a legal person. That distinction also changes the intended certificate use. QCP-n supports advanced electronic signatures based on a qualified certificate, while QCP-l supports advanced electronic seals based on a qualified certificate. The QSCD variants support qualified electronic signatures for natural persons and qualified electronic seals for legal persons. - Use QCP-n or QCP-n-qscd when the qualified certificate is issued to a natural person. - Use QCP-l or QCP-l-qscd when the qualified certificate is issued to a legal person. - For qualified website authentication certificates, check whether the subscriber is a natural or legal person and validate both the identity and the link with the domain name. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines QCP-n, QCP-l, their QSCD variants, and the qualified website authentication policy routes used to separate natural-person and legal-person certificate handling. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Explains the subscriber and subject roles that EN 319 411-2 relies on when a certificate is requested for a person, an organization, or a device. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal source for qualified certificate identity verification of the natural or legal person to whom the certificate is issued. ## What evidence should support legal and natural persons under ETSI EN 319 411-2? For a natural-person certificate, keep evidence that the person's identity and any specific attributes were verified either by physical presence or by a method for which the TSP can prove equivalent assurance. EN 319 411-1 adds the practical evidence categories: full name, date and place of birth or another distinguishing identity attribute, and records needed to verify the subject identity and any attribute limitations. For a legal-person certificate, keep evidence that the legal person's identity and attributes were verified through an authorized representative or an equivalent-assurance method. EN 319 411-1 expects evidence such as the organizational name, relevant registration information where applicable, representation authority, and any association between the legal person and an organizational unit shown in the certificate. - Record the selected policy identifier: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - Keep the identity-proofing method, the evidence source, the validated attributes, and any proof that a remote or indirect method provides equivalent assurance. - When a subscriber acts for a separate subject, keep the representation agreement or authorization evidence required by EN 319 411-1. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Requires separate identity-validation routes for QCP-n/QCP-n-qscd and QCP-l/QCP-l-qscd, including equivalent-assurance proof when physical presence is not used. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Lists the evidence to collect for natural persons, natural persons associated with legal persons, legal persons, and subscriber authorization. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Article 24 is mapped in EN 319 411-2 to the qualified certificate identity-verification requirements for natural and legal persons. ## What checklist should teams use for legal and natural persons under ETSI EN 319 411-2? Use the checklist to prevent the common failure mode: issuing or describing a qualified certificate without proving whether the subject route, policy identifier, identity-proofing evidence, and subscriber authority match the actual natural-person, legal-person, or website-authentication scenario. - Classify the subject: natural person, natural person associated with a legal person, legal person, device or system operated by or for a person, or website-authentication subscriber. - Select the certificate policy and OID route that matches the subject and QSCD status. - For natural persons, verify the person and attributes through physical presence or an equivalent-assurance method and record distinguishing identity attributes. - For legal persons, verify the legal person through an authorized representative or equivalent-assurance method and record organization, registration, and representation evidence. - For website authentication, verify the subscriber identity and the subscriber's link with the domain name using the natural-person or legal-person route that applies. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Provides the policy identifiers and the choice rules for qualified website authentication where the subscriber can be a natural or legal person. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the checklist categories by defining subject types and the evidence needed when the subscriber represents the subject. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supplies the eIDAS legal frame that EN 319 411-2 maps to qualified certificate identity verification. ## Primary sources - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines the natural-person, legal-person, QSCD, and website-authentication qualified certificate policy routes. - Quote: "certificate policy for EU qualified certificates issued to legal persons" - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines subscriber, subject, representation, and identity-evidence requirements used by EN 319 411-2. - Quote: "The TSP shall verify the identity" - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Primary legal context for qualified certificate identity verification and qualified trust service obligations. - Quote: "Verify, by appropriate means" ## Topic Guides - [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records. - [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries. - [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services. - [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. - [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks. - [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned. - [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls. - [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices. - [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context. - [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references. - [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers. - [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence. - [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework. - [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records. - [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication. - [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. - [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. - [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. - [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. *Recommended next step* *Placement: after practical guidance* ## Operationalize the answer for legal and natural persons under ETSI EN 319 411-2 Use the selected subject route, certificate policy, and identity-proofing evidence to drive assessment work for qualified certificate issuance. - [Map subject routes](/solutions/assessment.md): Translate QCP-n, QCP-l, QSCD, and website-authentication choices into reviewable controls. - [Check source interpretation](/solutions/research-copilot.md): Resolve questions about subscriber authority, identity evidence, and equivalent-assurance methods. - [Talk through implementation](/contact.md): Review the certificate policy route, identity-proofing records, and remaining evidence gaps with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons