--- title: "What are the qualified certificate policies in ETSI EN 319 411-2?" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies" author: "Sorena AI" description: "FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers." published_at: "2026-05-09" updated_at: "2026-05-27" keywords: - "ETSI EN 319 411-2" - "QCP-n" - "QCP-l" - "QCP-n-qscd" - "QCP-l-qscd" - "QEVCP-w" - "QNCP-w" - "qualified certificate policies" - "QCP" - "QNCP" - "QEVCP" - "FAQ" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # What are the qualified certificate policies in ETSI EN 319 411-2? FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 Qualified certificate policies FAQ A source-grounded answer to which qualified certificate policy applies to a natural person, legal person, QSCD-backed certificate, or qualified website authentication certificate. Use this page to align CP/CPS language, certificate policy OIDs, terms and conditions, and review evidence before claiming an EN 319 411-2 qualified certificate policy. ETSI EN 319 411-2 defines EU qualified certificate policy identifiers for TSPs issuing EU qualified certificates. The policy choice depends on the subject type, whether a qualified signature or seal creation device is required, and whether the certificate is for website authentication. ## What qualified certificate policies does ETSI EN 319 411-2 define? ETSI EN 319 411-2 defines seven EU qualified certificate policies. QCP-n covers EU qualified certificates issued to natural persons, and QCP-l covers EU qualified certificates issued to legal persons. QCP-n-qscd and QCP-l-qscd are the corresponding policies when the private key related to the certified public key must reside in a qualified signature or seal creation device. For qualified website authentication certificates, QEVCP-w is based on EVCP, QNCP-w is based on NCP plus OVCP or IVCP, and QNCP-w-gen is based on NCP plus requirements tagged as WEB in ETSI EN 319 411-1. The selected policy should be visible in the CP/CPS, terms and conditions, certificate profile, and policy identifier evidence. - Use QCP-n for natural-person EU qualified certificates and QCP-l for legal-person EU qualified certificates. - Use QCP-n-qscd or QCP-l-qscd when the qualified certificate route requires the private key to reside in a QSCD. - Use QEVCP-w, QNCP-w, or QNCP-w-gen for qualified website authentication certificates, depending on whether the route relies on EVCP, OVCP or IVCP, or the general WEB-tagged requirements. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 qualified certificate policies](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 4.2.2 lists the seven EU qualified certificate policies and describes the subject, QSCD, and website-authentication routes. - [ETSI EN 319 411-1 V1.5.1 certificate policy baseline](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - EN 319 411-2 builds its qualified policies on EN 319 411-1 NCP, NCP+, EVCP, OVCP, IVCP, DVCP, and WEB-tagged requirements. ## How should a QTSP choose the correct EN 319 411-2 policy identifier? Start with the certificate purpose and subject. Natural-person signature certificates point to QCP-n or QCP-n-qscd. Legal-person seal certificates point to QCP-l or QCP-l-qscd. Website authentication certificates point to QEVCP-w, QNCP-w, or QNCP-w-gen depending on the validation route and applicable CA/Browser Forum baseline or extended-validation requirements. Then check the device and baseline inheritance. EN 319 411-2 states that QCP-n and QCP-l use NCP unless the TSP terms and conditions require a secure cryptographic device, in which case NCP+ applies. The QSCD-specific policies include the corresponding QCP policy plus QSCD provisions. Website routes inherit EVCP, NCP, OVCP or IVCP, and WEB-tagged requirements as applicable. - Record the subject category: natural person, legal person, or website authentication certificate subject. - Record whether the service requires a QSCD and whether the certificate policy must include a QSCD-specific identifier. - Record the inherited baseline: NCP, NCP+, EVCP, OVCP, IVCP, or WEB-tagged EN 319 411-1 requirements. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 certificate policy name and identification](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Clause 5.3 assigns policy identifiers to QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and QNCP-w-gen. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - eIDAS is the legal framework referenced by EN 319 411-2 for EU qualified certificates and qualified website authentication certificates. ## What evidence should support a qualified certificate policy claim? The evidence should prove that the selected policy identifier matches the certificate type and the service actually operated. Keep the CP/CPS section that names the policy, the certificate profile showing the policy OID, the terms and conditions that determine secure-device use, and issuance or audit evidence showing whether the service follows the inherited EN 319 411-1 requirements. Do not treat Annex A as a legal conformance certificate. EN 319 411-2 says the annex maps policy references to eIDAS requirements, but also warns that the annex is not a definitive statement of conformance to eIDAS and that non-technical legal requirements are outside the standard's scope. - Keep the CP/CPS policy section and the exact policy OID used in issued certificates. - Keep terms and conditions showing whether QCP-n or QCP-l uses NCP or NCP+ because a secure cryptographic device is required. - Keep evidence that QSCD, EVCP, OVCP, IVCP, or WEB-tagged inherited requirements were applied when the selected policy depends on them. - Keep Annex A mapping as supporting traceability, not as a standalone legal-conformance conclusion. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 Regulation and EU qualified certificate policy mapping](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Annex A maps EN 319 411-2 policy references to eIDAS requirements and states limits on using that mapping as definitive legal conformance. - [ETSI EN 319 401 V3.1.1 trust service provider requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - EN 319 401 provides general TSP policy and security requirements referenced by EN 319 411-2 and its eIDAS mapping annex. ## Primary sources - [ETSI EN 319 411-2 V2.6.1 qualified certificate policies](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for the EN 319 411-2 EU qualified certificate policy list, policy identifiers, inherited requirements, and Annex A mapping caveat. - Quote: "The EU qualified certificate policies are" - [ETSI EN 319 411-1 V1.5.1 certificate policy baseline](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Source for the NCP, NCP+, EVCP, OVCP, IVCP, DVCP, and WEB-tagged policy requirements inherited by EN 319 411-2 qualified policies. - Quote: "Policy and security requirements for Trust Service Providers issuing certificates" - [ETSI EN 319 401 V3.1.1 trust service provider requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Source for general TSP policy and security requirements used by EN 319 411-2 and its eIDAS policy mapping annex. - Quote: "general policy requirements" - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Legal framework referenced by EN 319 411-2 for EU qualified certificates and trust services. - Quote: "electronic identification and trust services" ## Topic Guides - [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records. - [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries. - [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services. - [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. - [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks. - [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned. - [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls. - [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices. - [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context. - [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references. - [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers. - [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence. - [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework. - [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records. - [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. - [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication. - [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. - [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. - [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. *Recommended next step* *Placement: after FAQ evidence* ## Map each qualified certificate policy to CP/CPS, OID, and issuance proof Use this answer to check whether each qualified certificate route has the right EN 319 411-2 policy identifier, inherited baseline, QSCD decision, and evidence owner. - [Turn policies into controls](/solutions/assessment.md): Convert each QCP, QNCP, or QEVCP route into accountable checks and evidence requests. - [Research a policy edge case](/solutions/research-copilot.md): Use cited research support when QSCD use, website authentication, or baseline inheritance is unclear. - [Talk through implementation](/contact.md): Review policy identifiers, CP/CPS evidence, and the next EN 319 411-2 compliance actions with Sorena. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies