---
title: "ETSI EN 319 411-2 Identity Proofing"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/identity-proofing"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/identity-proofing"
author: "Sorena AI"
description: "How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-2"
  - "identity proofing"
  - "qualified certificates"
  - "QCP-n"
  - "QCP-l"
  - "QEVCP-w"
  - "registration records"
  - "QTSP"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 319 411-2 Identity Proofing

How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.

*Artifact Guide* *GLOBAL* *ETSI EN 319 411-2*

## ETSI EN 319 411-2 Identity Proofing

Map identity validation for EU qualified certificates to the policy profile, subject type, verification method, and registration evidence EN 319 411-2 expects.

Use this as standards implementation guidance for certificate-service design and audits, not for legal interpretation.

Use this page when a qualified certificate service needs to show how subscriber and subject identity is verified before issuance. ETSI EN 319 411-2 imports the general EN 319 411-1 identity-validation requirements and adds qualified-certificate rules for natural persons, legal persons, and qualified website authentication certificates.

## Start with the certificate policy and subject type

Identity proofing cannot be reviewed in isolation from the certificate policy. EN 319 411-2 uses different qualified certificate policy indicators for natural persons, legal persons, QSCD-backed certificates, and qualified website authentication certificates.

Before reviewing any registration file, identify whether the certificate is issued under QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. That choice decides whether the evidence must prove a natural person, a legal person and authorized representative, a website-domain link, a QSCD-related route, or a combination of those elements.

- For QCP-n and QCP-n-qscd, prove the natural person's identity and any certificate attributes before issuance.
- For QCP-l and QCP-l-qscd, prove the legal person's identity and the authority of the representative used for the registration.
- For QEVCP-w, QNCP-w, and QNCP-w-gen, prove the subscriber identity and the subscriber's link with the domain name to be certified.
- For QSCD policy profiles, keep the identity-proofing decision aligned with the QSCD and certificate-request checks before the certificate is issued.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines the qualified certificate policy identifiers and the additional identity-validation requirements for natural-person, legal-person, and qualified website certificate profiles.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Provides the general subscriber, subject, registration service, and certificate lifecycle requirements that EN 319 411-2 imports.

## Choose and document the verification route

For qualified natural-person certificates, EN 319 411-2 requires identity verification by physical presence or by a method that gives equivalent assurance and whose equivalence the TSP can prove. For legal-person certificates, the same structure applies to the authorized representative of the legal person.

Remote or delegated proofing should therefore leave a clear equivalence file. The file should show which route was used, which person or representative was checked, what attributes were validated, and why the route provides assurance comparable to physical presence for the certificate policy in scope.

- Record whether identity was checked through physical presence, attended remote proofing, unattended remote proofing, eID-based proofing, certificate-based proofing, or a delegated registration source.
- For natural-person subjects, capture the full name and distinguishing attributes required by the applicable policy, such as date and place of birth or a nationally recognized identity document reference.
- For legal-person subjects, retain the evidence used to identify the legal person and the authority or mandate of the representative.
- For website certificates, include the domain-name link evidence alongside the subscriber identity evidence so the certificate content can be checked against the registration file.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - States the physical-presence or equivalent-assurance routes for QCP-n/QCP-l profiles and the website certificate identity-link checks.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Requires collection and validation of direct evidence or an attestation from an appropriate authorized source, and points identity-proofing evidence collection to ETSI TS 119 461.

## Check the certificate request against the evidence

The identity-proofing outcome has to control certificate issuance, not just sit in a registration archive. EN 319 411-1 requires the TSP to check that certificate requests are accurate, authorized, and complete according to the collected evidence or attestation of identity.

Use a release gate that compares the registration file with the certificate request and the intended certificate profile. The gate should catch mismatches in subject name, organization, role, domain name, representative authority, QSCD indication, subscriber agreement choices, and any attribute that will appear in the certificate.

- Block issuance when the certificate request includes an identity attribute not supported by the registration evidence.
- Block issuance when a legal-person representative is not supported by mandate, corporate registry, or other authorized-source evidence.
- Block issuance when a website certificate lacks evidence linking the subscriber to the domain name being certified.
- Block issuance when a QSCD policy identifier or QSCD statement is used without the related QSCD route being verified under the applicable profile.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Connects qualified certificate profile selection, identity validation, website authentication profiles, and QSCD-specific certificate handling.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Requires certificate requests to be accurate, authorized, and complete against the collected identity evidence or attestation.

*Recommended next step*

*Placement: after identity proofing guidance*

## Operationalize identity proofing

Use this ETSI EN 319 411-2 guidance to align certificate profiles, registration procedures, certificate-request gates, and evidence records.

- [Open Assessment Autopilot for ETSI EN 319 411-2](/solutions/assessment.md): Convert identity-proofing checks into accountable tasks, registration evidence requests, and audit review milestones.
- [Research ETSI EN 319 411-2 source questions](/solutions/research-copilot.md): Use cited source material to resolve profile, registration, evidence, and certificate-request questions before implementation.
- [Talk through implementation](/contact.md): Review identity-proofing scope, evidence gaps, owners, and the next certificate-service actions with Sorena.

## Keep registration records an auditor can replay

Identity proofing should produce a replayable registration record. EN 319 411-1 calls for logging registration events and recording the documents or attestations used, unique identification data where applicable, storage location of copies, subscriber agreement choices, the entity accepting the application, validation method, and the receiving TSP or submitting Registration Authority where applicable.

That record should also respect privacy expectations. The standard recognizes that evidence can include personal data such as identity-card or passport information and requires privacy of subject information and protection of registration data confidentiality and integrity.

- Log each registration event, including certificate re-key or renewal requests when identity evidence is reused or refreshed.
- Record the type of identity document or authorized attestation presented and the validation method used.
- Record where application copies, identity documents, and subscriber agreements are stored rather than embedding sensitive material in public-facing artifacts.
- State the retention period for registration information in the practice statements and identify what would be handed over through a termination plan.

Sources for this answer:

- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Lists the registration information to record, including document type, identification data, storage location, agreement choices, accepting entity, validation method, and RA/TSP information.
- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Maps qualified certificate policy requirements to eIDAS article 24 identity verification and recordkeeping expectations without presenting the annex as a legal-conformance statement.

## Common identity-proofing gaps

The most common failures are traceability failures: the certificate profile says one thing, the registration record proves another, or the proofing route is described without evidence that it is appropriate for the profile.

Review these gaps before an audit, conformity assessment, or production certificate issuance run. Each gap should be closed in the registration procedure, CPS, subscriber agreement, certificate request gate, or evidence-retention process.

- Using a QCP-n or QCP-l profile without recording whether the subject is a natural person, legal person, or natural person associated with a legal person.
- Treating remote proofing as equivalent to physical presence without retaining the equivalence rationale and the specific method used.
- Approving a website authentication certificate without evidence linking the subscriber identity to the domain name.
- Keeping copies of identity evidence without a clear storage location, access model, retention period, and privacy control.
- Publishing broad qualified-certificate claims while the CPS, certificate policy identifier, subscriber agreement, and registration record are not aligned.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the profile-specific identity proofing, website-link, and equivalent-assurance checks summarized in the gap list.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the registration-record, CPS, subscriber/subject, privacy, and certificate-request controls summarized in the gap list.

## Primary sources

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary standard for EU qualified certificate policy profiles and additional initial identity validation requirements for EN 319 411-2.
  - Quote: "Requirements for trust service providers issuing EU qualified certificates"
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Imported general requirements for subscriber and subject identity validation, registration evidence, certificate request checking, CPS disclosure, and records.
  - Quote: "Policy and security requirements for Trust Service Providers issuing certificates"

## Related Topic Guides

- [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
- [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
- [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
- [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
- [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
- [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
- [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
- [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
- [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
- [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
- [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
- [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
- [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
- [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
- [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
- [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
- [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
- [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
- [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
- [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
- [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
- [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
- [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
- [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/identity-proofing