Artifact GuideGLOBALETSI EN 319 411-2

ETSI EN 319 411-2 Qualified certificate policies FAQ

A source-grounded answer to which qualified certificate policy applies to a natural person, legal person, QSCD-backed certificate, or qualified website authentication certificate.

Use this page to align CP/CPS language, certificate policy OIDs, terms and conditions, and review evidence before claiming an EN 319 411-2 qualified certificate policy.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 27, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 27, 2026
Overview

ETSI EN 319 411-2 defines EU qualified certificate policy identifiers for TSPs issuing EU qualified certificates. The policy choice depends on the subject type, whether a qualified signature or seal creation device is required, and whether the certificate is for website authentication.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

What qualified certificate policies does ETSI EN 319 411-2 define?

ETSI EN 319 411-2 defines seven EU qualified certificate policies. QCP-n covers EU qualified certificates issued to natural persons, and QCP-l covers EU qualified certificates issued to legal persons. QCP-n-qscd and QCP-l-qscd are the corresponding policies when the private key related to the certified public key must reside in a qualified signature or seal creation device.

For qualified website authentication certificates, QEVCP-w is based on EVCP, QNCP-w is based on NCP plus OVCP or IVCP, and QNCP-w-gen is based on NCP plus requirements tagged as WEB in ETSI EN 319 411-1. The selected policy should be visible in the CP/CPS, terms and conditions, certificate profile, and policy identifier evidence.

  • Use QCP-n for natural-person EU qualified certificates and QCP-l for legal-person EU qualified certificates.
  • Use QCP-n-qscd or QCP-l-qscd when the qualified certificate route requires the private key to reside in a QSCD.
  • Use QEVCP-w, QNCP-w, or QNCP-w-gen for qualified website authentication certificates, depending on whether the route relies on EVCP, OVCP or IVCP, or the general WEB-tagged requirements.
Citations
Recommended next step

Map each qualified certificate policy to CP/CPS, OID, and issuance proof

Use this answer to check whether each qualified certificate route has the right EN 319 411-2 policy identifier, inherited baseline, QSCD decision, and evidence owner.

Assessment workflow
Turn policies into controls

Convert each QCP, QNCP, or QEVCP route into accountable checks and evidence requests.

Explore next step
Research workflow
Research a policy edge case

Use cited research support when QSCD use, website authentication, or baseline inheritance is unclear.

Explore next step
Talk to Sorena
Talk through implementation

Review policy identifiers, CP/CPS evidence, and the next EN 319 411-2 compliance actions with Sorena.

Explore next step
Question 2

How should a QTSP choose the correct EN 319 411-2 policy identifier?

Start with the certificate purpose and subject. Natural-person signature certificates point to QCP-n or QCP-n-qscd. Legal-person seal certificates point to QCP-l or QCP-l-qscd. Website authentication certificates point to QEVCP-w, QNCP-w, or QNCP-w-gen depending on the validation route and applicable CA/Browser Forum baseline or extended-validation requirements.

Then check the device and baseline inheritance. EN 319 411-2 states that QCP-n and QCP-l use NCP unless the TSP terms and conditions require a secure cryptographic device, in which case NCP+ applies. The QSCD-specific policies include the corresponding QCP policy plus QSCD provisions. Website routes inherit EVCP, NCP, OVCP or IVCP, and WEB-tagged requirements as applicable.

  • Record the subject category: natural person, legal person, or website authentication certificate subject.
  • Record whether the service requires a QSCD and whether the certificate policy must include a QSCD-specific identifier.
  • Record the inherited baseline: NCP, NCP+, EVCP, OVCP, IVCP, or WEB-tagged EN 319 411-1 requirements.
Citations
Question 3

What evidence should support a qualified certificate policy claim?

The evidence should prove that the selected policy identifier matches the certificate type and the service actually operated. Keep the CP/CPS section that names the policy, the certificate profile showing the policy OID, the terms and conditions that determine secure-device use, and issuance or audit evidence showing whether the service follows the inherited EN 319 411-1 requirements.

Do not treat Annex A as a legal conformance certificate. EN 319 411-2 says the annex maps policy references to eIDAS requirements, but also warns that the annex is not a definitive statement of conformance to eIDAS and that non-technical legal requirements are outside the standard's scope.

  • Keep the CP/CPS policy section and the exact policy OID used in issued certificates.
  • Keep terms and conditions showing whether QCP-n or QCP-l uses NCP or NCP+ because a secure cryptographic device is required.
  • Keep evidence that QSCD, EVCP, OVCP, IVCP, or WEB-tagged inherited requirements were applied when the selected policy depends on them.
  • Keep Annex A mapping as supporting traceability, not as a standalone legal-conformance conclusion.
Citations
Primary sources

References and citations

ETSI EN 319 411-1 V1.5.1 certificate policy baseline
etsi.org
Referenced sections
  • EN 319 411-2 builds its qualified policies on EN 319 411-1 NCP, NCP+, EVCP, OVCP, IVCP, DVCP, and WEB-tagged requirements.
"Policy and security requirements for Trust Service Providers issuing certificates"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • eIDAS is the legal framework referenced by EN 319 411-2 for EU qualified certificates and qualified website authentication certificates.
"electronic identification and trust services"
Related guides

Explore more topics

eIDAS QTSP supervision workflow for ETSI EN 319 411-2
Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
EN 319 411-2 vs EN 319 411-1 Qualified Certs
Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
ETSI EN 319 411-2 compliance checklist
Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
ETSI EN 319 411-2 FAQ for EU Qualified Certificates
Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
ETSI EN 319 411-2 Identity Proofing
How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
ETSI EN 319 411-2 QSCD Route
When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
ETSI EN 319 411-2 QTSP supervision evidence workflow
Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation
Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
ETSI EN 319 411-2 Qualified Certificate Scope
Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
ETSI EN 319 411-2 requirements map
Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
ETSI EN 319 411-2 trusted-list evidence
Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
ETSI EN 319 411-2 trusted-list validation workflow
Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
ETSI EN 319 411-2 vs eIDAS Qualified Trust Services
Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
ETSI EN 319 411-2: Certificate Revocation FAQ
Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow
Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
ETSI EN 319 411-2: Legal vs Natural Person Certs
ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection
Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile
Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?
A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
How should relying parties use trusted lists under ETSI EN 319 411-2?
FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
QSCD Requirements in ETSI EN 319 411-2
How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
QTSP Supervision and ETSI EN 319 411-2
How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
Qualified certificates under ETSI EN 319 411-2
FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
Which QWAC Profile Fits ETSI EN 319 411-2?
Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.