Artifact GuideGLOBALETSI EN 319 411-2

ETSI EN 319 411-2 QCP, QNCP, and QEVCP profile selection

Select the EN 319 411-2 policy identifier that matches the qualified certificate subject, website-authentication use, and QSCD requirement.

Use this guide to separate natural-person, legal-person, QSCD, EV website, OV/IV website, and general website-authentication certificate profiles.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
9

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

ETSI EN 319 411-2 builds on EN 319 411-1 and adds EU qualified certificate requirements for trust service providers issuing qualified certificates for electronic signatures, electronic seals, and website authentication. The profile choice matters because the policy identifier in the certificate signals which EN 319 411-2 policy the certificate was issued and managed under.

Section 1

Start with the certificate use case

Profile selection should start with what the certificate is meant to support. EN 319 411-2 distinguishes certificates for natural persons, legal persons, natural-person signatures using a QSCD, legal-person seals using a QSCD, and qualified website authentication.

Do not choose a profile only because it sounds higher assurance. The standard ties each profile to a specific certificate purpose, subject type, and policy base inherited from EN 319 411-1.

  • Use QCP-n for an EU qualified certificate issued to a natural person when the QSCD-specific profile is not the selected policy.
  • Use QCP-l for an EU qualified certificate issued to a legal person when the QSCD-specific profile is not the selected policy.
  • Use QCP-n-qscd when the natural person's private key related to the certified public key resides in a Qualified Signature Creation Device.
  • Use QCP-l-qscd when the legal person's private key related to the certified public key resides in a Qualified Seal Creation Device.
  • Use a website-authentication profile when the qualified certificate is for website authentication rather than for an electronic signature or electronic seal.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 qualified certificate policy profiles
Defines the EN 319 411-2 policy set for natural persons, legal persons, QSCD-based certificates, and qualified website authentication certificates.
ETSI EN 319 411-1 V1.5.1 certificate policy foundation
Explains the Certificate Policy and Certification Practice Statement relationship that EN 319 411-2 builds on.
Regulation (EU) No 910/2014 (eIDAS)
Provides the EU legal context for qualified trust services, qualified certificates, signatures, seals, and website authentication.
Section 2

Map QCP profiles to the EN 319 411-1 policy base

QCP-n and QCP-l add EU qualified certificate requirements on top of EN 319 411-1 Normalized Certificate Policy requirements. If the TSP's terms and conditions require a secure cryptographic device, EN 319 411-2 points these profiles to the NCP+ requirements instead.

The dedicated QSCD profiles go further. QCP-n-qscd incorporates QCP-n and NCP+ requirements for natural-person qualified electronic signatures, while QCP-l-qscd incorporates QCP-l and NCP+ requirements for legal-person qualified electronic seals.

  • Record whether the subject is a natural person or legal person before choosing between QCP-n and QCP-l.
  • Record whether the policy requires a secure cryptographic device; that choice determines whether NCP or NCP+ applies for QCP-n and QCP-l.
  • Do not include the QSCD qcStatement unless the certificate is issued under QCP-n-qscd or QCP-l-qscd.
  • For a TSP-managed QSCD, capture how the private key is limited to QSCD use and how sole control or control is preserved for the subject.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 qualified certificate policy profiles
Specifies the QCP-n, QCP-l, QCP-n-qscd, and QCP-l-qscd inheritance from EN 319 411-1 NCP or NCP+ requirements.
ETSI EN 319 411-1 V1.5.1 certificate policy foundation
Defines NCP and NCP+ as the normalized certificate policy bases used by EN 319 411-2.
Recommended next step

Operationalize the EN 319 411-2 profile decision

Use the selected QCP, QNCP, or QEVCP profile to drive CP/CPS updates, certificate policy identifiers, QSCD evidence, website-authentication validation, and assessor-ready traceability.

Assessment workflow
Open Assessment Autopilot for ETSI EN 319 411-2

Convert the selected profile into CP/CPS tasks, evidence requests, policy identifier checks, and assessor review items.

Explore next step
Research workflow
Research ETSI EN 319 411-2 source questions

Resolve profile, QSCD, website-authentication, and EN 319 411-1 inheritance questions against cited source material.

Explore next step
Talk to Sorena
Talk through ETSI EN 319 411-2 implementation

Review QCP, QNCP, and QEVCP profile scope, certificate policy identifiers, and evidence gaps with Sorena.

Explore next step
Section 3

Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for website certificates

Qualified website authentication certificates have three separate policy routes. QEVCP-w is based on Extended Validation Certificate Policy; QNCP-w is based on NCP plus Organization Validated or Individual Validated Certificate Policy; QNCP-w-gen is based on NCP plus selected EN 319 411-1 requirements tagged for web-authentication certificates.

This distinction is important for browser-facing certificates because EN 319 411-2 says that, for QEVCP-w and QNCP-w, the latest CA/Browser Forum EV Guidelines or Baseline Requirements take precedence if they conflict with EN 319 411-2.

  • Select QEVCP-w when the qualified website certificate must follow the EVCP route and at least the Extended Validation assurance level.
  • Select QNCP-w when the website certificate follows the BRG route and needs OVCP or IVCP support for a natural or legal person.
  • Select QNCP-w-gen for a general-purpose qualified website-authentication certificate based on NCP and the EN 319 411-1 web-tagged requirements.
  • For all website profiles, verify the subscriber's identity and the subscriber's link with the domain name to be certified.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 website-authentication profiles
Defines QEVCP-w, QNCP-w, and QNCP-w-gen and their relationship to EVCP, NCP, OVCP, IVCP, BRG, and EVCG.
ETSI EN 319 411-1 V1.5.1 web certificate policies
Defines EVCP, OVCP, IVCP, NCP, and web-tagged requirements used by the EN 319 411-2 website profiles.
Section 4

Evidence to keep for a defensible profile selection

The profile decision should be visible in the Certificate Policy, Certification Practice Statement, certificate policy identifiers, and subscriber-facing terms. EN 319 411-1 describes the CP as the statement of what must be adhered to and the CPS as the statement of how the TSP adheres to it.

For EN 319 411-2, the evidence pack should show why the selected policy profile fits the subject type, certificate use, QSCD status, website-authentication route, and EU qualified certificate context.

  • Keep a profile selection record naming the selected identifier: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
  • Keep CP/CPS clauses showing the certificate purpose, subject eligibility, identity proofing route, certificate usage limits, and policy identifier usage.
  • For QSCD profiles, keep device certification evidence, key-generation route, status-monitoring evidence, and CPS measures for a change in QSCD status during certificate validity.
  • For website profiles, keep domain-link validation evidence and the EV, OV, IV, BRG, EVCG, or web-tagged requirement mapping that supports the chosen route.
  • Where a certificate contains only a TSP-allocated OID, document which EN 319 411-2 policy it adopts as its basis.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 certificate policy identifiers
Requires certificates to include applicable policy identifiers and addresses TSP-allocated OIDs, QSCD statements, and CP management.
ETSI EN 319 411-1 V1.5.1 CP and CPS concepts
Supports the evidence distinction between the certificate policy, practice statement, terms and conditions, and PKI disclosure material.
Section 5

Profile selection mistakes that create audit friction

Most profile-selection failures are mismatches: a natural-person certificate treated like a legal-person certificate, a QSCD statement added without the QSCD policy route, or a website-authentication certificate selected without the matching EV, OV, IV, BRG, EVCG, or web-tagged basis.

A clean selection record should let an assessor trace the claim from the certificate policy identifier to the CP/CPS, the subscriber agreement, the certificate content, and the operational evidence.

  • Do not use QCP-n-qscd or QCP-l-qscd unless the QSCD route is actually required and evidenced.
  • Do not treat QEVCP-w, QNCP-w, and QNCP-w-gen as interchangeable website profiles; each has a different policy base.
  • Do not rely on EN 319 411-2 alone for the general certificate policy requirements; the standard incorporates EN 319 411-1 requirements.
  • Do not publish a policy identifier without a CP/CPS explanation of the certificate use, subject class, and whether QSCD use is required.
  • Do not let a TSP-allocated OID obscure the EN 319 411-2 policy basis adopted by the certificate policy.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 qualified certificate requirements
Grounds the profile-specific differences, inherited requirements, QSCD restrictions, and policy identifier rules that should be checked before release.
Regulation (EU) No 910/2014 (eIDAS)
Provides the qualified certificate and qualified trust service context for the EN 319 411-2 profiles.
Primary sources

References and citations

ETSI EN 319 411-1 V1.5.1 CP and CPS concepts
etsi.org
Referenced sections
  • Supports the evidence distinction between the certificate policy, practice statement, terms and conditions, and PKI disclosure material.
"Certification Practice Statement"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Provides the qualified certificate and qualified trust service context for the EN 319 411-2 profiles.
"qualified certificate"
Related guides

Explore more topics

eIDAS QTSP supervision workflow for ETSI EN 319 411-2
Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
EN 319 411-2 vs EN 319 411-1 Qualified Certs
Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
ETSI EN 319 411-2 compliance checklist
Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
ETSI EN 319 411-2 FAQ for EU Qualified Certificates
Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
ETSI EN 319 411-2 Identity Proofing
How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
ETSI EN 319 411-2 QSCD Route
When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
ETSI EN 319 411-2 QTSP supervision evidence workflow
Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation
Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
ETSI EN 319 411-2 Qualified Certificate Scope
Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
ETSI EN 319 411-2 requirements map
Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
ETSI EN 319 411-2 trusted-list evidence
Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
ETSI EN 319 411-2 trusted-list validation workflow
Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
ETSI EN 319 411-2 vs eIDAS Qualified Trust Services
Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
ETSI EN 319 411-2: Certificate Revocation FAQ
Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow
Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
ETSI EN 319 411-2: Legal vs Natural Person Certs
ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile
Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?
A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
How should relying parties use trusted lists under ETSI EN 319 411-2?
FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
QSCD Requirements in ETSI EN 319 411-2
How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
QTSP Supervision and ETSI EN 319 411-2
How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
Qualified certificates under ETSI EN 319 411-2
FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
What are the qualified certificate policies in ETSI EN 319 411-2?
FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
Which QWAC Profile Fits ETSI EN 319 411-2?
Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.