--- title: "QSCD Requirements in ETSI EN 319 411-2" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qscd" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qscd" author: "Sorena AI" description: "How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-2" - "QSCD" - "QCP-n-qscd" - "QCP-l-qscd" - "qualified certificates" - "FAQ" - "compliance evidence" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # QSCD Requirements in ETSI EN 319 411-2 How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 How QSCD fits qualified certificate issuance ETSI EN 319 411-2 uses QSCD-specific qualified certificate policies when the private key related to the certified public key resides in a qualified signature or seal creation device. Use this FAQ to separate QCP-n-qscd and QCP-l-qscd evidence from ordinary qualified certificate evidence. Short answer: for ETSI EN 319 411-2, QSCD is not a general security label. It changes the certificate policy route, key-use controls, certificate profile, and CPS evidence for qualified certificates issued under QCP-n-qscd or QCP-l-qscd. ## How should qualified trust service providers handle QSCD under ETSI EN 319 411-2? A QTSP should handle QSCD by first selecting the right ETSI EN 319 411-2 qualified certificate policy. QCP-n-qscd applies to qualified certificates for natural persons where the private key and related certificate reside on a QSCD. QCP-l-qscd applies to qualified certificates for legal persons where the private key and related certificate reside on a QSCD. The QSCD route brings in the ordinary QCP-n or QCP-l requirements and the NCP+ baseline, then adds QSCD-specific provisions. The standard ties those provisions to subject device provisioning, key pair and certificate usage, key generation and installation, certificate profile statements, and terms and conditions. - Record whether the certificate is QCP-n-qscd or QCP-l-qscd, not just that it is an EU qualified certificate. - Show that the private key related to the certified public key resides in the QSCD for the selected policy route. - Keep CPS and certificate profile evidence aligned with the QSCD route, including the required QSCD qcStatement only for QCP-n-qscd or QCP-l-qscd certificates. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines QCP-n-qscd and QCP-l-qscd as ETSI EN 319 411-2 policy routes where the private key and related certificate reside on a QSCD. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Referenced by ETSI EN 319 411-2 for EU qualified certificate context and for the legal definition of a qualified electronic signature or seal creation device. ## What QSCD controls does ETSI EN 319 411-2 call out? When the TSP manages the QSCD for the subject, ETSI EN 319 411-2 restricts use of the private key for signing to the QSCD and distinguishes natural-person sole control from legal-person control. The same area of the standard ties natural-person QSCD keys to electronic signatures and legal-person QSCD keys to electronic seals. For key generation and installation, the TSP has to verify that the device is certified as a QSCD, ensure the public key to be certified comes from a key pair generated by a QSCD, address third-party managed devices where applicable, and document CPS measures for changes in QSCD status during the certificate validity period. - For QCP-n-qscd, preserve evidence that the subject's private key is used under the subject's sole control. - For QCP-l-qscd, preserve evidence that the subject's private key is used under the subject's control. - For certificate issuance, preserve proof of QSCD certification status, key-generation route, third-party TSP qualification where used, and CPS handling of QSCD status changes. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the QSCD-specific requirements for private-key use, subject control, QSCD certification verification, public-key origin, third-party managed devices, and QSCD status changes. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the base certificate policy, lifecycle, revocation, repository, and cryptographic module controls that ETSI EN 319 411-2 incorporates before adding QSCD-specific qualified certificate requirements. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - ETSI EN 319 411-2 points to eIDAS Annex II and device certification rules when explaining QSCD certification expectations. ## What mistakes should QTSP teams avoid with QSCD evidence? The main risk is treating QSCD as a marketing or procurement attribute instead of a certificate-policy condition. If the service claims QCP-n-qscd or QCP-l-qscd, the evidence must trace from the policy identifier through device certification, key generation, subject control, certificate profile, CPS text, and revocation or status-change handling. Another common error is putting the QSCD qcStatement on the wrong certificates. ETSI EN 319 411-2 requires the QSCD qcStatement for QCP-n-qscd and QCP-l-qscd certificates and says it must not be included for certificates that are not issued under those requirements. - Do not cite QCP-n or QCP-l evidence alone as proof of a QSCD-backed policy route. - Do not rely on a device name or supplier assertion without evidence that the device is certified as a QSCD for the relevant use. - Do not leave the CPS silent on measures for QSCD status changes before certificate expiry. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the warning against misplaced QSCD claims by requiring the QSCD qcStatement only on certificates issued under QCP-n-qscd or QCP-l-qscd requirements. - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supplies the underlying certificate lifecycle and revocation framework that ETSI EN 319 411-2 references when QSCD status changes can affect non-expired certificates. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU legal context for qualified trust services and QSCD certification that ETSI EN 319 411-2 maps into certificate policy requirements. ## Primary sources - [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines the QCP-n-qscd and QCP-l-qscd policy routes and their QSCD-specific controls for qualified certificate issuance. - Quote: "Qualified electronic Signature/Seal Creation Device" - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the incorporated base certificate policy, CPS, lifecycle, revocation, repository, and cryptographic controls used by ETSI EN 319 411-2. - Quote: "Policy and security requirements for Trust Service Providers issuing certificates" - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU legal context for qualified trust services and qualified signature or seal creation devices referenced by ETSI EN 319 411-2. - Quote: "electronic identification and trust services" ## Topic Guides - [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records. - [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries. - [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services. - [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. - [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks. - [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned. - [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls. - [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices. - [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context. - [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references. - [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers. - [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence. - [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework. - [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records. - [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. - [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication. - [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. - [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. - [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. *Recommended next step* *Placement: after practical guidance* ## Map QCP-n-qscd and QCP-l-qscd controls to owned evidence Use this ETSI EN 319 411-2 guidance to connect policy selection, QSCD certification, key-use controls, certificate profile statements, and CPS commitments. - [Build the evidence map](/solutions/assessment.md): Convert QSCD policy requirements into accountable controls, evidence requests, and review gates. - [Check a QSCD interpretation](/solutions/research-copilot.md): Use cited research support when certificate policy, qcStatement, device status, or third-party TSP scope is unclear. - [Talk through QSCD evidence](/contact.md): Review certificate scope, device evidence, CPS commitments, owners, and next compliance actions with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qscd