Artifact GuideGLOBALETSI EN 319 411-2

ETSI EN 319 411-2 How should qualified trust service providers handle qualified certificates under ETSI EN 319 411-2

A standalone FAQ answer on matching EU qualified certificate services to the EN 319 411-2 policy family, certificate identifiers, and evidence records.

Grounded in ETSI EN 319 411-2, ETSI EN 319 411-1, and eIDAS source material.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
3

Structured answer sets in this page tree.

Primary sources
3

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

Short answer: a qualified certificate service under ETSI EN 319 411-2 should be tied to the correct EU qualified certificate policy, shown in the certificate through the applicable policy identifier or policy OID, and supported by lifecycle evidence for issuance, maintenance, status, revocation, and records. EN 319 411-2 helps define the policy requirements, but it does not by itself make a TSP or certificate qualified under eIDAS.

Search this module

Find a question or answer quickly

3 of 3 questions
Question 1

How should qualified trust service providers handle qualified certificates under ETSI EN 319 411-2?

Start by separating ETSI policy conformance from EU qualification status. EN 319 411-2 says it incorporates the general certificate policy and security requirements from EN 319 411-1 and adds requirements intended to meet eIDAS requirements for TSPs issuing EU qualified certificates, but it also states that conformance to the standard alone does not imply that the TSP or its certificates are qualified under eIDAS.

For each certificate service, identify which EN 319 411-2 policy family is being used: QCP-n for qualified certificates issued to natural persons, QCP-l for legal persons, QCP-n-qscd or QCP-l-qscd when the related private key resides in a QSCD, and QEVCP-w, QNCP-w, or QNCP-w-gen for qualified website authentication certificates. The selected policy drives the certificate-policy statement, CPS controls, certificate profile, subscriber obligations, and evidence set.

  • Do not describe a generic certificate as qualified unless the service, certificate policy, trusted-list status, and eIDAS qualification context support that claim.
  • For signature and seal certificates, distinguish natural-person, legal-person, and QSCD-backed routes before choosing the QCP identifier or local policy OID.
  • For website authentication certificates, distinguish the EVCP-based QEVCP-w route, the BRG and OVCP or IVCP based QNCP-w route, and the general-purpose QNCP-w-gen route.
Citations
Question 2

What evidence should support qualified certificates under ETSI EN 319 411-2?

The evidence should prove that the certificate was issued and managed under the claimed EN 319 411-2 policy, not merely that the organization has a PKI program. Keep the certificate policy, Certification Practice Statement, terms and conditions, certificate profile, identity-verification record, status-service evidence, and revocation records aligned to the selected QCP route.

For QSCD-backed QCP-n-qscd and QCP-l-qscd certificates, the evidence needs to show the QSCD basis, including the certificate profile treatment of the ETSI EN 319 412-5 QSCD qcStatement and the standard's rule that the QSCD statement is not included in certificates outside those QSCD policies.

  • Map each public certificate or service claim to QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
  • Retain the policy identifier or policy OID mapping used in issued certificates, including any locally allocated OID and the EN 319 411-2 policy it adopts as the basis.
  • Keep certificate database, validity-status, revocation, and records-retention evidence because eIDAS article 24 duties are mapped in EN 319 411-2 to certificate lifecycle and recordkeeping controls.
Citations
Recommended next step

Map EN 319 411-2 certificate policies to your QTSP evidence

Use this FAQ as a starting point for checking certificate-policy selection, CPS coverage, certificate identifiers, QSCD evidence, and lifecycle records.

Assessment workflow
Map controls to certificate policies

Convert QCP route selection, CPS checks, and lifecycle evidence into accountable review tasks.

Explore next step
Research workflow
Check a scoped certificate claim

Use cited research support when a QCP route, QSCD signal, or trusted-list implication needs review.

Explore next step
Talk to Sorena
Talk through evidence gaps

Review certificate-policy selection, CPS evidence, and lifecycle records with Sorena.

Explore next step
Question 3

What checklist should teams use before claiming EN 319 411-2 qualified certificate coverage?

Use the checklist to prevent the common error of treating all certificates, all certificate policies, or all QTSP services as interchangeable. The useful review is certificate-policy specific and should be repeated when the certificate profile, CPS, QSCD route, website certificate route, trusted-list status, or relevant ETSI/eIDAS source changes.

  • Confirm that the service is an EU qualified certificate service for electronic signatures, electronic seals, or website authentication before applying EN 319 411-2 as the qualified-certificate policy layer.
  • Check that the certificate includes at least one allowed policy identifier or policy OID for the selected EN 319 411-2 route.
  • Verify that any QSCD claim is limited to QCP-n-qscd or QCP-l-qscd certificates and is reflected consistently in CPS controls, subscriber obligations, and certificate-profile evidence.
  • Confirm that lifecycle evidence covers issuance, maintenance, revocation, validity-status publication, certificate database handling, and records that remain accessible for the required period.
Citations
Primary sources

References and citations

ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements
etsi.org
Referenced sections
  • Primary source for qualified certificate policy profiles, QSCD-related routes, qualified website authentication certificates, and QTSP certificate operations.
"Policy and security requirements for Trust Service Providers issuing certificates; Part 2: Requirements for trust service providers issuing EU qualified certificates"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Primary legal source for EU trust services, qualified trust services, supervisory framing, and qualified certificate context.
"electronic identification and trust services"
Related guides

Explore more topics

eIDAS QTSP supervision workflow for ETSI EN 319 411-2
Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
EN 319 411-2 vs EN 319 411-1 Qualified Certs
Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
ETSI EN 319 411-2 compliance checklist
Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
ETSI EN 319 411-2 FAQ for EU Qualified Certificates
Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
ETSI EN 319 411-2 Identity Proofing
How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
ETSI EN 319 411-2 QSCD Route
When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
ETSI EN 319 411-2 QTSP supervision evidence workflow
Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation
Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
ETSI EN 319 411-2 Qualified Certificate Scope
Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
ETSI EN 319 411-2 requirements map
Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
ETSI EN 319 411-2 trusted-list evidence
Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
ETSI EN 319 411-2 trusted-list validation workflow
Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
ETSI EN 319 411-2 vs eIDAS Qualified Trust Services
Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
ETSI EN 319 411-2: Certificate Revocation FAQ
Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow
Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
ETSI EN 319 411-2: Legal vs Natural Person Certs
ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection
Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile
Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?
A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
How should relying parties use trusted lists under ETSI EN 319 411-2?
FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
QSCD Requirements in ETSI EN 319 411-2
How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
QTSP Supervision and ETSI EN 319 411-2
How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
What are the qualified certificate policies in ETSI EN 319 411-2?
FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
Which QWAC Profile Fits ETSI EN 319 411-2?
Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.