Artifact GuideGLOBALETSI EN 319 411-2

ETSI EN 319 411-2 QTSP supervision evidence for qualified certificate services

ETSI EN 319 411-2 gives certificate-policy and security requirements for EU qualified certificate services, but it does not by itself make a provider or certificate qualified.

Use this FAQ to separate standards conformance evidence from trusted-list status, independent assessment, and supervisory records.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
2

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Short answer: use ETSI EN 319 411-2 as the evidence framework for a QTSP's EU qualified certificate service, not as the supervision decision itself. The supervision file should show the selected qualified certificate policy, the incorporated EN 319 411-1 controls, the trusted-list reliance path, incident and lifecycle records, and any independent assessment evidence.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

Does ETSI EN 319 411-2 make a TSP qualified?

No. ETSI EN 319 411-2 expressly warns that conformance to the standard alone does not mean that the TSP or its certificates are qualified. A supervision answer should therefore avoid treating an EN 319 411-2 audit result as a substitute for qualified status.

For a QTSP issuing EU qualified certificates, the standard is still central evidence. It incorporates EN 319 411-1 general policy and security requirements, then adds requirements for EU qualified certificates for signatures, seals, and website authentication.

  • Keep the qualified-status decision separate from EN 319 411-2 conformance evidence.
  • Identify the exact qualified certificate policy in scope, such as QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
  • Show how EN 319 411-2 adds EU qualified certificate requirements on top of the EN 319 411-1 certificate policy baseline.
Citations
Question 2

What should a QTSP supervision file contain?

A useful supervision file should start with the certificate service and policy identifier, then link the CPS, certificate profile, repository, identity proofing, revocation, status service, incident, and termination evidence to the relevant EN 319 411-2 and incorporated EN 319 411-1 requirements.

The file should also prove the relying-party path. EN 319 411-2 says relying-party notices for EU qualified certificates need to explain that the trust anchor is identified in an appropriate EU trusted-list service digital identifier for the QTSP.

  • Preserve the selected policy identifier and the certificate profile evidence used to signal that policy.
  • Attach CPS sections for issuance, maintenance, revocation, status services, records, and service termination.
  • Keep trusted-list evidence for the QTSP service digital identifier used as the relying-party trust anchor.
Citations
Question 3

What are the most common supervision mistakes?

The most common mistakes are to blur qualified-status evidence with standards conformance, omit the trusted-list reliance path, or leave the supervision file without a traceable link from the selected certificate policy to the operational records.

Another common problem is treating incident, revocation, and records-retention evidence as optional. EN 319 411-2 and EN 319 411-1 map those topics into the qualified-certificate supervision file, so they need to be present and easy to review.

  • Do not claim qualified status from EN 319 411-2 conformance alone.
  • Do not omit the trusted-list service digital identifier or the notice to relying parties.
  • Do not leave revocation, incident, and records-retention evidence outside the supervision pack.
Citations
Recommended next step

Map EN 319 411-2 evidence to qualified certificate supervision

Use this ETSI EN 319 411-2 guidance to connect policy identifiers, CPS commitments, trusted-list evidence, lifecycle controls, and audit records.

Assessment workflow
Build the supervision pack

Convert qualified certificate requirements into owned controls, evidence requests, and review gates.

Explore next step
Research workflow
Check a QTSP interpretation

Use cited research support when trusted-list status, policy identifiers, or lifecycle evidence is unclear.

Explore next step
Talk to Sorena
Talk through supervision evidence

Review certificate scope, CPS evidence, trusted-list records, owners, and next compliance actions with Sorena.

Explore next step
Primary sources

References and citations

ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements
etsi.org
Referenced sections
  • Supports the liability-responsibility point for the qualified TSP identified in the trusted list and the mapped controls for incidents, records, termination, revocation, and certificate status services.
"maintains overall responsibility"
Related guides

Explore more topics

eIDAS QTSP supervision workflow for ETSI EN 319 411-2
Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
EN 319 411-2 vs EN 319 411-1 Qualified Certs
Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
ETSI EN 319 411-2 compliance checklist
Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
ETSI EN 319 411-2 FAQ for EU Qualified Certificates
Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
ETSI EN 319 411-2 Identity Proofing
How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
ETSI EN 319 411-2 QSCD Route
When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
ETSI EN 319 411-2 QTSP supervision evidence workflow
Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation
Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
ETSI EN 319 411-2 Qualified Certificate Scope
Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
ETSI EN 319 411-2 requirements map
Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
ETSI EN 319 411-2 trusted-list evidence
Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
ETSI EN 319 411-2 trusted-list validation workflow
Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
ETSI EN 319 411-2 vs eIDAS Qualified Trust Services
Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
ETSI EN 319 411-2: Certificate Revocation FAQ
Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow
Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
ETSI EN 319 411-2: Legal vs Natural Person Certs
ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection
Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile
Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?
A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
How should relying parties use trusted lists under ETSI EN 319 411-2?
FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
QSCD Requirements in ETSI EN 319 411-2
How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
Qualified certificates under ETSI EN 319 411-2
FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
What are the qualified certificate policies in ETSI EN 319 411-2?
FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
Which QWAC Profile Fits ETSI EN 319 411-2?
Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.