---
title: "ETSI EN 319 411-2 Qualified Certificate Scope"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope"
author: "Sorena AI"
description: "Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-2"
  - "EU qualified certificates"
  - "QCP-n"
  - "QCP-l"
  - "QEVCP-w"
  - "QNCP-w"
  - "QSCD"
  - "QCP"
  - "QEVCP"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 319 411-2 Qualified Certificate Scope

Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.

*Artifact Guide* *GLOBAL* *ETSI EN 319 411-2*

## ETSI EN 319 411-2 Qualified Certificate Scope

A scope guide for deciding which EU qualified certificate policy profile applies before drafting CP/CPS text or issuing certificates.

Grounded in ETSI EN 319 411-2, ETSI EN 319 411-1, and eIDAS source material.

Use this page to define the boundary of an EU qualified certificate service under ETSI EN 319 411-2. The scope decision should identify the certificate policy profile, the subject type, whether the private key is tied to a QSCD, whether the certificate is for website authentication, and which evidence shows the service fits the selected profile.

## What EN 319 411-2 Adds To The Scope

ETSI EN 319 411-2 is not a general PKI checklist. Its scope is the issuance, maintenance, and lifecycle management of EU qualified certificates as defined under Regulation (EU) No 910/2014. It incorporates the general policy and security requirements in ETSI EN 319 411-1, then adds qualified-certificate requirements for electronic signatures, electronic seals, and website authentication.

The first scoping control is therefore a boundary statement: which trust service provider issues the certificates, which certificate service components are in scope, which qualified policy identifier is claimed, and which relying-party use case depends on the certificate being qualified. The standard also states that conformance to EN 319 411-2 alone does not itself make the TSP or its certificates qualified under eIDAS, so the scope file should keep the ETSI profile decision separate from supervisory or trusted-list status.

- Name the issuing TSP and the certificate service components covered by the CP/CPS.
- State whether the certificate is for an EU qualified electronic signature, electronic seal, or website authentication use case.
- Link the EN 319 411-2 scope to the corresponding EN 319 411-1 baseline requirements instead of treating Part 2 as a standalone control set.
- Record the qualified status evidence separately from the standards-conformance evidence.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the scope boundary for issuance, maintenance, and lifecycle management of EU qualified certificates and the warning that standards conformance alone is not qualified status.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the Part 1 baseline used by EN 319 411-2 for general certificate policy and security requirements.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the legal context for EU qualified trust services, qualified certificates, and supervisory status.

*Recommended next step*

*Placement: after practical guidance*

## Operationalize Qualified Certificate Scope

Use this ETSI EN 319 411-2 scope guide to align policy profile choice, CP/CPS evidence, QSCD assumptions, and trusted-list reliance before issuance or assessment.

- [Open Assessment Autopilot for ETSI EN 319 411-2](/solutions/assessment.md): Convert the selected qualified policy profile into owners, evidence requests, and assessment-ready review items.
- [Research ETSI EN 319 411-2 source questions](/solutions/research-copilot.md): Resolve profile, QSCD, trusted-list, and CP/CPS questions against cited standards before implementation.
- [Talk through ETSI EN 319 411-2 implementation](/contact.md): Review the certificate scope, evidence boundary, and next actions with Sorena.

## Choose The Qualified Policy Profile

A useful scope record starts by selecting one of the EN 319 411-2 policy identifiers. The choice is not just a label: it decides which EN 319 411-1 policy family is inherited and which qualified-service additions must be covered.

For natural-person and legal-person qualified certificates, distinguish QCP-n and QCP-l from their QSCD variants. For website authentication, distinguish QEVCP-w from QNCP-w and QNCP-w-gen because the inherited CA/Browser Forum alignment differs.

- Use QCP-n for EU qualified certificates issued to natural persons.
- Use QCP-l for EU qualified certificates issued to legal persons.
- Use QCP-n-qscd or QCP-l-qscd only when the private key related to the certified public key resides in a QSCD.
- Use QEVCP-w for qualified website authentication certificates based on the EVCP profile.
- Use QNCP-w for qualified website authentication certificates based on NCP plus OVCP or IVCP; use QNCP-w-gen for the NCP plus web-tagged requirement route.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Defines the QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, and QNCP-w-gen policy identifiers used to scope the service.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supplies the NCP, NCP+, EVCP, OVCP, IVCP, and web-tagged requirement families inherited by EN 319 411-2 profiles.

## Scope Questions To Answer Before Issuance

Before issuing under a qualified profile, answer the questions that change the requirement set. The CP/CPS, terms and conditions, subscriber obligations, certificate profile, and relying-party notice should all reflect the same answers.

The highest-value scoping output is a compact profile matrix: subject type, policy identifier, inherited Part 1 policy family, QSCD dependency, certificate purpose, website-authentication route, trusted-list dependency, and owner for each evidence record.

- Is the subject a natural person, a legal person, or a website-authentication subscriber whose identity and domain link must be verified?
- Do the terms and conditions require a secure cryptographic device, causing the NCP+ route to apply for QCP-n or QCP-l?
- For a QSCD profile, who manages the device and how is the device certification, key generation route, and QSCD status monitored?
- For QEVCP-w or QNCP-w, which BRG or EVCG dependency applies, and how will conflicts with the ETSI profile be handled?
- What notice tells relying parties that the trust anchor must be identified through an appropriate EU trusted-list entry for a QTSP?

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the profile-dependent scoping questions for secure cryptographic devices, QSCD routes, website-authentication profiles, and relying-party trusted-list notices.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Provides the eIDAS context for qualified certificates for signatures, seals, website authentication, and qualified trust service providers.

## Evidence That Makes The Scope Reviewable

The scope decision should be reviewable without asking the reader to infer why a profile was chosen. Keep evidence at the level of the actual service: the CP/CPS clause, the certificate policy identifier, the terms and conditions, the subscriber or subject identity record, the QSCD evidence where applicable, the certificate profile, and the relying-party notice.

For QSCD profiles, the evidence must show more than an internal design preference. EN 319 411-2 includes requirements for verifying QSCD certification, ensuring the public key to be certified is from a QSCD-generated key pair, handling QSCD status changes, and including or excluding the QSCD qcStatement according to the selected policy.

- Profile matrix: policy identifier, subject type, inherited EN 319 411-1 policy family, and applicable qualified additions.
- CP/CPS extract: the clauses that identify the certificate policy, certificate usage, PKI participants, and service responsibilities.
- Identity and domain evidence: records showing the verified subject and, for website authentication, the subject's link to the domain name.
- QSCD evidence: device certification, management responsibility, key-pair generation route, status monitoring, and qcStatement handling.
- Relying-party notice: the statement connecting qualified-certificate reliance to an appropriate EU trusted-list entry for the QTSP.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the concrete evidence list for policy identifiers, CP/CPS alignment, identity verification, QSCD handling, certificate profile requirements, and trusted-list reliance notices.
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the underlying CP/CPS, repository, registration, revocation, and certificate lifecycle controls inherited by qualified profiles.

## Scope Mistakes That Create Audit Rework

Most EN 319 411-2 scope problems come from mixing profiles or treating qualified status as a single generic claim. The review should expose profile-specific assumptions before the CP/CPS, certificate profile, and service evidence diverge.

A clean scope file does not try to prove the whole service. It proves that the selected qualified policy route is the right one and that the evidence set is complete enough for the next CP/CPS, assessment, or supervisory review.

- Do not label a service as qualified only because it maps to EN 319 411-2; keep supervisory and trusted-list evidence explicit.
- Do not use a QSCD policy identifier unless the private key and certificate route meet the QSCD-specific requirements.
- Do not mix QEVCP-w, QNCP-w, and QNCP-w-gen evidence because their inherited baseline requirements differ.
- Do not omit the EN 319 411-1 baseline; EN 319 411-2 builds on it instead of replacing it.
- Do not let the relying-party notice skip the EU trusted-list dependency for qualified-certificate reliance.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the cautions about qualified status, profile separation, QSCD-specific requirements, Part 1 inheritance, and trusted-list reliance.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the distinction between standards scoping and the eIDAS legal framework for qualified certificates and qualified trust services.

## Primary sources

- [ETSI EN 319 411-2 V2.6.1 EU qualified certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Primary source for the EN 319 411-2 scope, qualified policy identifiers, QSCD-specific routes, website authentication profiles, certificate profile requirements, and trusted-list reliance notice.
  - Quote: "EU qualified certificates"
- [ETSI EN 319 411-1 V1.5.1 certificate policy and security requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Primary source for the general certificate policy and security requirements that EN 319 411-2 incorporates and extends.
  - Quote: "General requirements"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Primary legal source for the EU qualified-certificate and qualified-trust-service context referenced by EN 319 411-2.
  - Quote: "trust services"

## Related Topic Guides

- [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
- [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
- [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
- [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
- [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
- [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
- [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
- [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
- [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
- [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
- [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
- [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
- [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
- [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
- [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
- [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
- [ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile](/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow.md): Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
- [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
- [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
- [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
- [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
- [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
- [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
- [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope