Artifact GuideGLOBALETSI EN 319 411-2

ETSI EN 319 411-2 QSCD Route

Use this page to decide whether an EU qualified certificate service should use the QCP-n-qscd or QCP-l-qscd route.

It focuses on QSCD scope, certificate-policy evidence, certificate profile signals, and change handling under EN 319 411-2.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
5

Structured answer sets in this page tree.

Primary sources
6

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

The QSCD route is not a generic trust-service label. Under ETSI EN 319 411-2, it is the route for EU qualified certificates issued under QCP-n-qscd or QCP-l-qscd, where the private key related to the certified public key resides in a Qualified Signature or Seal Creation Device. Use it when a certificate policy, CPS, certificate profile, or audit pack needs to show why the QSCD claim is present and how the TSP verified it.

Section 1

When the QSCD route applies

Start by separating the basic qualified-certificate policies from the QSCD policies. QCP-n and QCP-l cover EU qualified certificates for natural and legal persons. QCP-n-qscd and QCP-l-qscd add the requirement that the private key related to the certified public key resides in a QSCD.

That distinction matters because EN 319 411-2 treats the QSCD route as more than a certificate label. The route changes the applicable policy baseline, certificate request checks, certificate profile content, CPS disclosures, and monitoring for device-status changes.

  • Use QCP-n-qscd when the subject is a natural person and the qualified certificate is issued on the basis that the private key resides in a QSCD.
  • Use QCP-l-qscd when the subject is a legal person and the qualified certificate is issued on the basis that the private key resides in a QSCD.
  • Do not put the QSCD route on qualified website-authentication policies such as QEVCP-w, QNCP-w, or QNCP-w-gen unless a separate source requires a different certificate-policy design.
  • If a QCP-n or QCP-l implementation requires a secure cryptographic device but not the QSCD policy route, keep that distinction visible in the terms, CP, CPS, and evidence pack.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 qualified certificate policies
Defines QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, and QNCP-w-gen, including the QSCD-specific routes for natural and legal persons.
Regulation (EU) No 910/2014 (eIDAS)
Provides the EU legal context for qualified certificates and qualified signature or seal creation devices referenced by EN 319 411-2.
Section 2

Evidence before issuing on the QSCD route

Before issuing under QCP-n-qscd or QCP-l-qscd, the TSP needs evidence that the device is certified as a QSCD, whether the device is prepared by the issuing TSP or by another party. The certificate request process also needs to show that the public key to be certified comes from a key pair generated by a QSCD.

Remote or delegated arrangements need extra attention. If a third-party TSP manages the device on behalf of the subject, the issuing TSP has to verify that the third-party TSP meets the appropriate qualification requirements. If the subject key pair is generated by a TSP and imported into the QSCD, the environmental assumptions and security objectives for the certified device have to remain met.

  • Keep the QSCD certificate or status evidence used to verify the device before issuance.
  • Record how the certificate request process proves that the certified public key belongs to a QSCD-generated key pair.
  • For third-party managed QSCD services, keep qualification evidence for the managing TSP and the contractual boundary between that TSP and the issuing TSP.
  • For imported or moved keys, document the certified-device assumptions, identified key-compromise vulnerabilities, and mitigations applied before issuance.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 QSCD key-pair requirements
Supports the issuance evidence needed for QSCD certification status, QSCD-generated key pairs, third-party managed devices, imported keys, and private-key movement.
Recommended next step

Review QSCD route evidence

Use the EN 319 411-2 route, device, certificate-profile, and status-change checks before relying parties or auditors see the QSCD claim.

Assessment workflow
Open Assessment Autopilot for ETSI EN 319 411-2

Turn QSCD route checks into assigned evidence requests and review gates.

Explore next step
Research workflow
Research EN 319 411-2 source questions

Resolve policy route, certificate profile, and QSCD status questions against the cited sources.

Explore next step
Talk to Sorena
Talk through implementation

Review the selected route, evidence gaps, and certificate-profile risks with Sorena.

Explore next step
Section 3

Certificate profile and disclosure checks

The certificate profile must match the selected route. For QCP-n-qscd and QCP-l-qscd certificates, EN 319 411-2 requires the QSCD qcStatement defined in ETSI EN 319 412-5. The same standard says that the QSCD qcStatement must not be included in certificates that are not issued according to QCP-n-qscd or QCP-l-qscd requirements.

The CP and subscriber-facing disclosure should also say plainly whether the policy is for EU qualified certificates and whether it requires use of a QSCD. This avoids a common mismatch: a certificate includes a QSCD signal while the CP, CPS, terms, or evidence pack cannot show the route and device checks behind it.

  • Check that the certificate contains the policy identifier for the selected route, or an allocated OID tied to a certificate policy built on the EN 319 411-2 route.
  • Include the QSCD qcStatement only for QCP-n-qscd or QCP-l-qscd certificates.
  • Remove the QSCD qcStatement from certificates issued under non-QSCD routes.
  • Make the CP, CPS, terms and conditions, and PKI disclosure statement consistent with the selected route.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 certificate profile requirements
Supports the route-specific certificate profile checks for policy identifiers, QSCD qcStatement inclusion, and non-QSCD exclusion.
Section 4

Monitoring and change handling

The QSCD route needs monitoring after issuance because the device status can change while certificates are still valid. EN 319 411-2 requires the TSP to take appropriate measures when QSCD status changes before the certificate validity period ends and to document those measures in the CPS.

The standard points to Member State notifications on designated bodies and certified QSCDs as a way to monitor status. It also notes that loss of QSCD certification status can trigger revocation for a non-expired certificate bearing the QSCD qcStatement because the change impacts certificate validity.

  • Track the QSCD status source used for each device or remote signing arrangement.
  • Define in the CPS what happens if the QSCD certification status changes before certificate expiry.
  • Connect the change process to certificate revocation handling for certificates that carry the QSCD qcStatement.
  • Keep revocation-status service evidence aligned with the certificate lifecycle and the CP/CPS explanation of how status information is made available.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 QSCD monitoring requirements
Supports the need to monitor QSCD status, document measures in the CPS, and treat loss of QSCD certification status as a validity-impacting change.
Section 5

QSCD route review checklist

Use this checklist when reviewing a new qualified certificate profile, an existing CP/CPS, or an audit evidence pack for a QSCD route claim.

  • Route: confirm that the service is actually issuing under QCP-n-qscd or QCP-l-qscd, not only using a secure cryptographic device under QCP-n or QCP-l.
  • Device evidence: keep proof that each relevant device or remote signing service is certified as a QSCD.
  • Key evidence: show that the public key in the certificate request comes from a QSCD-generated key pair, or document the controlled import scenario supported by EN 319 411-2.
  • Certificate profile: verify the correct policy identifier or allocated OID and the correct inclusion or exclusion of the QSCD qcStatement.
  • Disclosure: align the CP, CPS, terms and conditions, and PKI disclosure statement on whether QSCD use is required.
  • Status changes: define who monitors QSCD status, where the status source is recorded, and how certificate revocation is handled if status is lost.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements
Supports the checklist items by tying the QSCD route to policy selection, device verification, certificate request controls, certificate profile signals, and CPS disclosure.
Primary sources

References and citations

ETSI EN 319 411-2 V2.6.1 QSCD key-pair requirements
etsi.org
Referenced sections
  • Supports the issuance evidence needed for QSCD certification status, QSCD-generated key pairs, third-party managed devices, imported keys, and private-key movement.
"verify that the device is certified as a QSCD"
ETSI EN 319 411-2 V2.6.1 QSCD monitoring requirements
etsi.org
Referenced sections
  • Supports the need to monitor QSCD status, document measures in the CPS, and treat loss of QSCD certification status as a validity-impacting change.
"measures in case of modification of the QSCD status"
ETSI EN 319 411-2 V2.6.1 qualified certificate policies
etsi.org
Referenced sections
  • Defines QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, and QNCP-w-gen, including the QSCD-specific routes for natural and legal persons.
"private key related to the certified public key resides in the QSCD"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Provides the EU legal context for qualified certificates and qualified signature or seal creation devices referenced by EN 319 411-2.
"electronic identification and trust services"
Related guides

Explore more topics

eIDAS QTSP supervision workflow for ETSI EN 319 411-2
Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
EN 319 411-2 vs EN 319 411-1 Qualified Certs
Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
ETSI EN 319 411-2 compliance checklist
Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
ETSI EN 319 411-2 FAQ for EU Qualified Certificates
Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
ETSI EN 319 411-2 Identity Proofing
How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
ETSI EN 319 411-2 QTSP supervision evidence workflow
Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation
Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
ETSI EN 319 411-2 Qualified Certificate Scope
Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
ETSI EN 319 411-2 requirements map
Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
ETSI EN 319 411-2 trusted-list evidence
Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
ETSI EN 319 411-2 trusted-list validation workflow
Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
ETSI EN 319 411-2 vs eIDAS Qualified Trust Services
Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
ETSI EN 319 411-2: Certificate Revocation FAQ
Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow
Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
ETSI EN 319 411-2: Legal vs Natural Person Certs
ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection
Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile
Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?
A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
How should relying parties use trusted lists under ETSI EN 319 411-2?
FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
QSCD Requirements in ETSI EN 319 411-2
How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
QTSP Supervision and ETSI EN 319 411-2
How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
Qualified certificates under ETSI EN 319 411-2
FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
What are the qualified certificate policies in ETSI EN 319 411-2?
FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
Which QWAC Profile Fits ETSI EN 319 411-2?
Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.