Artifact GuideGLOBALETSI EN 319 411-2

ETSI EN 319 411-2 How QSCD fits qualified certificate issuance

ETSI EN 319 411-2 uses QSCD-specific qualified certificate policies when the private key related to the certified public key resides in a qualified signature or seal creation device.

Use this FAQ to separate QCP-n-qscd and QCP-l-qscd evidence from ordinary qualified certificate evidence.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Short answer: for ETSI EN 319 411-2, QSCD is not a general security label. It changes the certificate policy route, key-use controls, certificate profile, and CPS evidence for qualified certificates issued under QCP-n-qscd or QCP-l-qscd.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

How should qualified trust service providers handle QSCD under ETSI EN 319 411-2?

A QTSP should handle QSCD by first selecting the right ETSI EN 319 411-2 qualified certificate policy. QCP-n-qscd applies to qualified certificates for natural persons where the private key and related certificate reside on a QSCD. QCP-l-qscd applies to qualified certificates for legal persons where the private key and related certificate reside on a QSCD.

The QSCD route brings in the ordinary QCP-n or QCP-l requirements and the NCP+ baseline, then adds QSCD-specific provisions. The standard ties those provisions to subject device provisioning, key pair and certificate usage, key generation and installation, certificate profile statements, and terms and conditions.

  • Record whether the certificate is QCP-n-qscd or QCP-l-qscd, not just that it is an EU qualified certificate.
  • Show that the private key related to the certified public key resides in the QSCD for the selected policy route.
  • Keep CPS and certificate profile evidence aligned with the QSCD route, including the required QSCD qcStatement only for QCP-n-qscd or QCP-l-qscd certificates.
Citations
Regulation (EU) No 910/2014 (eIDAS)

Referenced by ETSI EN 319 411-2 for EU qualified certificate context and for the legal definition of a qualified electronic signature or seal creation device.

Question 2

What QSCD controls does ETSI EN 319 411-2 call out?

When the TSP manages the QSCD for the subject, ETSI EN 319 411-2 restricts use of the private key for signing to the QSCD and distinguishes natural-person sole control from legal-person control. The same area of the standard ties natural-person QSCD keys to electronic signatures and legal-person QSCD keys to electronic seals.

For key generation and installation, the TSP has to verify that the device is certified as a QSCD, ensure the public key to be certified comes from a key pair generated by a QSCD, address third-party managed devices where applicable, and document CPS measures for changes in QSCD status during the certificate validity period.

  • For QCP-n-qscd, preserve evidence that the subject's private key is used under the subject's sole control.
  • For QCP-l-qscd, preserve evidence that the subject's private key is used under the subject's control.
  • For certificate issuance, preserve proof of QSCD certification status, key-generation route, third-party TSP qualification where used, and CPS handling of QSCD status changes.
Citations
Question 3

What mistakes should QTSP teams avoid with QSCD evidence?

The main risk is treating QSCD as a marketing or procurement attribute instead of a certificate-policy condition. If the service claims QCP-n-qscd or QCP-l-qscd, the evidence must trace from the policy identifier through device certification, key generation, subject control, certificate profile, CPS text, and revocation or status-change handling.

Another common error is putting the QSCD qcStatement on the wrong certificates. ETSI EN 319 411-2 requires the QSCD qcStatement for QCP-n-qscd and QCP-l-qscd certificates and says it must not be included for certificates that are not issued under those requirements.

  • Do not cite QCP-n or QCP-l evidence alone as proof of a QSCD-backed policy route.
  • Do not rely on a device name or supplier assertion without evidence that the device is certified as a QSCD for the relevant use.
  • Do not leave the CPS silent on measures for QSCD status changes before certificate expiry.
Citations
Recommended next step

Map QCP-n-qscd and QCP-l-qscd controls to owned evidence

Use this ETSI EN 319 411-2 guidance to connect policy selection, QSCD certification, key-use controls, certificate profile statements, and CPS commitments.

Assessment workflow
Build the evidence map

Convert QSCD policy requirements into accountable controls, evidence requests, and review gates.

Explore next step
Research workflow
Check a QSCD interpretation

Use cited research support when certificate policy, qcStatement, device status, or third-party TSP scope is unclear.

Explore next step
Talk to Sorena
Talk through QSCD evidence

Review certificate scope, device evidence, CPS commitments, owners, and next compliance actions with Sorena.

Explore next step
Primary sources

References and citations

ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements
etsi.org
Referenced sections
  • Supplies the underlying certificate lifecycle and revocation framework that ETSI EN 319 411-2 references when QSCD status changes can affect non-expired certificates.
"Policy and security requirements for Trust Service Providers issuing certificates"
ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements
etsi.org
Referenced sections
  • Supports the warning against misplaced QSCD claims by requiring the QSCD qcStatement only on certificates issued under QCP-n-qscd or QCP-l-qscd requirements.
"shall not be included in certificates that are not issued according to"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Provides the EU legal context for qualified trust services and QSCD certification that ETSI EN 319 411-2 maps into certificate policy requirements.
"electronic identification and trust services"
Related guides

Explore more topics

eIDAS QTSP supervision workflow for ETSI EN 319 411-2
Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
EN 319 411-2 vs EN 319 411-1 Qualified Certs
Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
ETSI EN 319 411-2 compliance checklist
Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
ETSI EN 319 411-2 FAQ for EU Qualified Certificates
Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
ETSI EN 319 411-2 Identity Proofing
How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
ETSI EN 319 411-2 QSCD Route
When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
ETSI EN 319 411-2 QTSP supervision evidence workflow
Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation
Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
ETSI EN 319 411-2 Qualified Certificate Scope
Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
ETSI EN 319 411-2 requirements map
Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
ETSI EN 319 411-2 trusted-list evidence
Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
ETSI EN 319 411-2 trusted-list validation workflow
Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
ETSI EN 319 411-2 vs eIDAS Qualified Trust Services
Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
ETSI EN 319 411-2: Certificate Revocation FAQ
Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow
Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
ETSI EN 319 411-2: Legal vs Natural Person Certs
ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection
Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile
Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?
A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
How should relying parties use trusted lists under ETSI EN 319 411-2?
FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
QTSP Supervision and ETSI EN 319 411-2
How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
Qualified certificates under ETSI EN 319 411-2
FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
What are the qualified certificate policies in ETSI EN 319 411-2?
FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
Which QWAC Profile Fits ETSI EN 319 411-2?
Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.