--- title: "ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection" author: "Sorena AI" description: "Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "ETSI EN 319 411-2" - "QCP-n" - "QCP-l" - "QCP-n-qscd" - "QCP-l-qscd" - "QEVCP-w" - "QNCP-w" - "QNCP-w-gen" - "QSCD" - "qualified certificates" - "QCP" - "QNCP" - "QEVCP" - "QTSP" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. *Artifact Guide* *GLOBAL* *ETSI EN 319 411-2* ## ETSI EN 319 411-2 QCP, QNCP, and QEVCP profile selection Select the EN 319 411-2 policy identifier that matches the qualified certificate subject, website-authentication use, and QSCD requirement. Use this guide to separate natural-person, legal-person, QSCD, EV website, OV/IV website, and general website-authentication certificate profiles. ETSI EN 319 411-2 builds on EN 319 411-1 and adds EU qualified certificate requirements for trust service providers issuing qualified certificates for electronic signatures, electronic seals, and website authentication. The profile choice matters because the policy identifier in the certificate signals which EN 319 411-2 policy the certificate was issued and managed under. ## Start with the certificate use case Profile selection should start with what the certificate is meant to support. EN 319 411-2 distinguishes certificates for natural persons, legal persons, natural-person signatures using a QSCD, legal-person seals using a QSCD, and qualified website authentication. Do not choose a profile only because it sounds higher assurance. The standard ties each profile to a specific certificate purpose, subject type, and policy base inherited from EN 319 411-1. - Use QCP-n for an EU qualified certificate issued to a natural person when the QSCD-specific profile is not the selected policy. - Use QCP-l for an EU qualified certificate issued to a legal person when the QSCD-specific profile is not the selected policy. - Use QCP-n-qscd when the natural person's private key related to the certified public key resides in a Qualified Signature Creation Device. - Use QCP-l-qscd when the legal person's private key related to the certified public key resides in a Qualified Seal Creation Device. - Use a website-authentication profile when the qualified certificate is for website authentication rather than for an electronic signature or electronic seal. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 qualified certificate policy profiles](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines the EN 319 411-2 policy set for natural persons, legal persons, QSCD-based certificates, and qualified website authentication certificates. - [ETSI EN 319 411-1 V1.5.1 certificate policy foundation](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Explains the Certificate Policy and Certification Practice Statement relationship that EN 319 411-2 builds on. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the EU legal context for qualified trust services, qualified certificates, signatures, seals, and website authentication. ## Map QCP profiles to the EN 319 411-1 policy base QCP-n and QCP-l add EU qualified certificate requirements on top of EN 319 411-1 Normalized Certificate Policy requirements. If the TSP's terms and conditions require a secure cryptographic device, EN 319 411-2 points these profiles to the NCP+ requirements instead. The dedicated QSCD profiles go further. QCP-n-qscd incorporates QCP-n and NCP+ requirements for natural-person qualified electronic signatures, while QCP-l-qscd incorporates QCP-l and NCP+ requirements for legal-person qualified electronic seals. - Record whether the subject is a natural person or legal person before choosing between QCP-n and QCP-l. - Record whether the policy requires a secure cryptographic device; that choice determines whether NCP or NCP+ applies for QCP-n and QCP-l. - Do not include the QSCD qcStatement unless the certificate is issued under QCP-n-qscd or QCP-l-qscd. - For a TSP-managed QSCD, capture how the private key is limited to QSCD use and how sole control or control is preserved for the subject. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 qualified certificate policy profiles](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Specifies the QCP-n, QCP-l, QCP-n-qscd, and QCP-l-qscd inheritance from EN 319 411-1 NCP or NCP+ requirements. - [ETSI EN 319 411-1 V1.5.1 certificate policy foundation](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines NCP and NCP+ as the normalized certificate policy bases used by EN 319 411-2. *Recommended next step* *Placement: after practical guidance* ## Operationalize the EN 319 411-2 profile decision Use the selected QCP, QNCP, or QEVCP profile to drive CP/CPS updates, certificate policy identifiers, QSCD evidence, website-authentication validation, and assessor-ready traceability. - [Open Assessment Autopilot for ETSI EN 319 411-2](/solutions/assessment.md): Convert the selected profile into CP/CPS tasks, evidence requests, policy identifier checks, and assessor review items. - [Research ETSI EN 319 411-2 source questions](/solutions/research-copilot.md): Resolve profile, QSCD, website-authentication, and EN 319 411-1 inheritance questions against cited source material. - [Talk through ETSI EN 319 411-2 implementation](/contact.md): Review QCP, QNCP, and QEVCP profile scope, certificate policy identifiers, and evidence gaps with Sorena. ## Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for website certificates Qualified website authentication certificates have three separate policy routes. QEVCP-w is based on Extended Validation Certificate Policy; QNCP-w is based on NCP plus Organization Validated or Individual Validated Certificate Policy; QNCP-w-gen is based on NCP plus selected EN 319 411-1 requirements tagged for web-authentication certificates. This distinction is important for browser-facing certificates because EN 319 411-2 says that, for QEVCP-w and QNCP-w, the latest CA/Browser Forum EV Guidelines or Baseline Requirements take precedence if they conflict with EN 319 411-2. - Select QEVCP-w when the qualified website certificate must follow the EVCP route and at least the Extended Validation assurance level. - Select QNCP-w when the website certificate follows the BRG route and needs OVCP or IVCP support for a natural or legal person. - Select QNCP-w-gen for a general-purpose qualified website-authentication certificate based on NCP and the EN 319 411-1 web-tagged requirements. - For all website profiles, verify the subscriber's identity and the subscriber's link with the domain name to be certified. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 website-authentication profiles](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines QEVCP-w, QNCP-w, and QNCP-w-gen and their relationship to EVCP, NCP, OVCP, IVCP, BRG, and EVCG. - [ETSI EN 319 411-1 V1.5.1 web certificate policies](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Defines EVCP, OVCP, IVCP, NCP, and web-tagged requirements used by the EN 319 411-2 website profiles. ## Evidence to keep for a defensible profile selection The profile decision should be visible in the Certificate Policy, Certification Practice Statement, certificate policy identifiers, and subscriber-facing terms. EN 319 411-1 describes the CP as the statement of what must be adhered to and the CPS as the statement of how the TSP adheres to it. For EN 319 411-2, the evidence pack should show why the selected policy profile fits the subject type, certificate use, QSCD status, website-authentication route, and EU qualified certificate context. - Keep a profile selection record naming the selected identifier: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen. - Keep CP/CPS clauses showing the certificate purpose, subject eligibility, identity proofing route, certificate usage limits, and policy identifier usage. - For QSCD profiles, keep device certification evidence, key-generation route, status-monitoring evidence, and CPS measures for a change in QSCD status during certificate validity. - For website profiles, keep domain-link validation evidence and the EV, OV, IV, BRG, EVCG, or web-tagged requirement mapping that supports the chosen route. - Where a certificate contains only a TSP-allocated OID, document which EN 319 411-2 policy it adopts as its basis. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 certificate policy identifiers](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Requires certificates to include applicable policy identifiers and addresses TSP-allocated OIDs, QSCD statements, and CP management. - [ETSI EN 319 411-1 V1.5.1 CP and CPS concepts](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the evidence distinction between the certificate policy, practice statement, terms and conditions, and PKI disclosure material. ## Profile selection mistakes that create audit friction Most profile-selection failures are mismatches: a natural-person certificate treated like a legal-person certificate, a QSCD statement added without the QSCD policy route, or a website-authentication certificate selected without the matching EV, OV, IV, BRG, EVCG, or web-tagged basis. A clean selection record should let an assessor trace the claim from the certificate policy identifier to the CP/CPS, the subscriber agreement, the certificate content, and the operational evidence. - Do not use QCP-n-qscd or QCP-l-qscd unless the QSCD route is actually required and evidenced. - Do not treat QEVCP-w, QNCP-w, and QNCP-w-gen as interchangeable website profiles; each has a different policy base. - Do not rely on EN 319 411-2 alone for the general certificate policy requirements; the standard incorporates EN 319 411-1 requirements. - Do not publish a policy identifier without a CP/CPS explanation of the certificate use, subject class, and whether QSCD use is required. - Do not let a TSP-allocated OID obscure the EN 319 411-2 policy basis adopted by the certificate policy. Sources for this answer: - [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Grounds the profile-specific differences, inherited requirements, QSCD restrictions, and policy identifier rules that should be checked before release. - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the qualified certificate and qualified trust service context for the EN 319 411-2 profiles. ## Primary sources - [ETSI EN 319 411-2 V2.6.1 qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary ETSI source for EU qualified certificate policy identifiers, QCP/QNCP/QEVCP profile definitions, QSCD-specific routes, and website-authentication policy choices. - Quote: "EU qualified certificate policy identifiers" - [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary ETSI source for NCP, NCP+, EVCP, OVCP, IVCP, Certificate Policy, Certification Practice Statement, and web-tagged requirements incorporated by EN 319 411-2. - Quote: "Certificate Policy" - [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - EU legal context for qualified certificates, qualified trust service providers, electronic signatures, electronic seals, and website authentication. - Quote: "qualified trust service" ## Related Topic Guides - [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records. - [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries. - [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services. - [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services. - [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks. - [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned. - [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls. - [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices. - [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context. - [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references. - [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers. - [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence. - [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework. - [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain. - [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records. - [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers. - [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication. - [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2. - [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references. - [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence. - [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation. - [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence. - [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers. - [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection