- Supports closeout fields for trust-service governance, security-policy communication, incident reporting, and termination-related responsibilities.
A workflow for turning EN 319 411-2 qualified certificate obligations into a supervision evidence pack that an assessment lead, compliance owner, or supervisory-body liaison can review.
Use it to organize operational evidence. It supports implementation planning, must be validated against jurisdiction-specific legal, contractual, and policy requirements before it is relied on, and does not prove qualified status by itself.
Structured answer sets in this page tree.
Cited legal and guidance references.
Use this workflow when a qualified trust service provider needs to show how an EU qualified certificate service is controlled, monitored, and ready for assessment or supervisory follow-up. The page focuses on evidence that EN 319 411-2 actually supports: qualified certificate policy identifiers, CP/CPS and disclosure material, inherited EN 319 411-1 controls, QSCD checks, trusted-list reliance, incident escalation, status services, record retention, and termination planning.
Open one evidence pack per qualified certificate service, not one pack for an entire PKI estate. Name the issuing qualified TSP, CA or RA components in scope, certificate policy identifier, CP and CPS versions, PKI disclosure statement, subscriber terms, repository location, and certificate population covered by the review.
EN 319 411-2 defines qualified certificate policies for natural persons (QCP-n), legal persons (QCP-l), QSCD-backed certificates for either (QCP-n-qscd, QCP-l-qscd), and qualified website authentication certificates (QCP-w). The supervision file should therefore state exactly which policy is claimed and which EN 319 411-1 baseline controls are inherited under it.
Use the workflow to assign certificate policy, trusted-list, QSCD, incident, status-service, termination, and assessment evidence before assessor or supervisory review.
Convert QTSP supervision evidence into accountable tasks, evidence requests, and assessment-ready records.
Resolve policy, QSCD, incident, trusted-list, status-service, or termination questions against cited ETSI material.
Review EN 319 411-2 supervision evidence, owners, unresolved gaps, and next actions with Sorena.
Use a trigger log so changes do not disappear into policy edits. A trigger should be opened when the qualified certificate service changes, when the QSCD route changes, when a trusted-list or status-service dependency changes, when a breach or loss of integrity may affect the service, when termination is planned, or when an assessor raises a finding.
The log should separate three decisions: whether the CP/CPS or disclosure material must be updated, whether assessment evidence must be refreshed, and whether the supervisory-body liaison needs to review the event. When national filing details are not present in the source material, record that as a local compliance action instead of inventing a public rule.
Treat the supervision pack as a row-level evidence register. Each row should name the claim, source requirement, evidence artifact, owner, review result, and assessor or supervisory relevance. This prevents a CP/CPS statement such as 'qualified certificate' from standing alone without the policy identifier, trusted-list evidence, QSCD route, or status-service proof behind it.
A useful register has enough detail to be reviewed without opening internal systems first. For example, a QCP-n-qscd row should point to the QSCD certification evidence, key-pair generation evidence, certificate request control, the CPS measure covering QSCD status changes, and, where relevant, evidence that issued certificates carry the matching policy identifier and qcStatements extension.
Supervision evidence should include more than normal certificate issuance records. EN 319 411-2 maps eIDAS incident, record-accessibility, certificate-database, revocation, status-information, and termination requirements to standard clauses, while warning that its Annex A is informative and not a definitive legal conformance statement.
For incidents, keep the awareness time, affected service, certificate population, integrity impact, personal-data impact, notification assessment, sent notices, containment result, and post-incident control changes. For retention and termination, keep evidence that information remains accessible beyond service termination, that the certificate database is kept updated, and that continuity planning has an accountable owner.
Close the workflow only when each open trigger has a decision and each material claim has evidence. The closeout should be short enough for an assessment lead to use, but specific enough to show which requirement, certificate policy, evidence artifact, and owner support each claim.
EN 319 411-2 references ETSI TR 119 411-4 as a checklist supporting audit of TSPs against EN 319 411-1 or EN 319 411-2. Keep requirement identifiers visible in the evidence register so the assessor can trace from the finding back to the CP/CPS, repository, log, certificate record, or change decision.
"Changes to the information security policy"
"Policy and security requirements for Trust Service Providers issuing certificates"
"should not be taken as definitive statement of conformance"
"used by the TSP itself to prepare for an assessment"
"electronic identification and trust services"