ETSI EN 319 411-2 Qualified Certificate Scope

ETSI EN 319 411-2 is not a general PKI checklist. Its scope is the issuance, maintenance, and lifecycle management of EU qualified certificates as defined under Regulation (EU) No 910/2014. It incorporates the general policy and security requirements in ETSI EN 319 411-1, then adds qualified-certificate requirements for electronic signatures, electronic seals, and website authentication.

The first scoping control is therefore a boundary statement: which trust service provider issues the certificates, which certificate service components are in scope, which qualified policy identifier is claimed, and which relying-party use case depends on the certificate being qualified. The standard also states that conformance to EN 319 411-2 alone does not itself make the TSP or its certificates qualified under eIDAS, so the scope file should keep the ETSI profile decision separate from supervisory or trusted-list status.

A useful scope record starts by selecting one of the EN 319 411-2 policy identifiers. The choice is not just a label: it decides which EN 319 411-1 policy family is inherited and which qualified-service additions must be covered.

For natural-person and legal-person qualified certificates, distinguish QCP-n and QCP-l from their QSCD variants. For website authentication, distinguish QEVCP-w from QNCP-w and QNCP-w-gen because the inherited CA/Browser Forum alignment differs.

Before issuing under a qualified profile, answer the questions that change the requirement set. The CP/CPS, terms and conditions, subscriber obligations, certificate profile, and relying-party notice should all reflect the same answers.

The highest-value scoping output is a compact profile matrix: subject type, policy identifier, inherited Part 1 policy family, QSCD dependency, certificate purpose, website-authentication route, trusted-list dependency, and owner for each evidence record.

The scope decision should be reviewable without asking the reader to infer why a profile was chosen. Keep evidence at the level of the actual service: the CP/CPS clause, the certificate policy identifier, the terms and conditions, the subscriber or subject identity record, the QSCD evidence where applicable, the certificate profile, and the relying-party notice.

For QSCD profiles, the evidence must show more than an internal design preference. EN 319 411-2 includes requirements for verifying QSCD certification, ensuring the public key to be certified is from a QSCD-generated key pair, handling QSCD status changes, and including or excluding the QSCD qcStatement according to the selected policy.

Most EN 319 411-2 scope problems come from mixing profiles or treating qualified status as a single generic claim. The review should expose profile-specific assumptions before the CP/CPS, certificate profile, and service evidence diverge.

A clean scope file does not try to prove the whole service. It proves that the selected qualified policy route is the right one and that the evidence set is complete enough for the next CP/CPS, assessment, or supervisory review.