---
title: "ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile"
canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow"
source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow"
author: "Sorena AI"
description: "Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication."
published_at: "2026-05-09"
updated_at: "2026-05-09"
keywords:
  - "ETSI EN 319 411-2"
  - "QCP-n"
  - "QCP-l"
  - "QCP-n-qscd"
  - "QCP-l-qscd"
  - "QEVCP-w"
  - "QNCP-w"
  - "QNCP-w-gen"
  - "QSCD"
  - "qualified certificate policy"
  - "qualified certificates"
  - "certificate policy"
  - "QTSP"
---
**[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform

[Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io)

---

# ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile

Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.

*Artifact Guide* *GLOBAL* *ETSI EN 319 411-2*

## ETSI EN 319 411-2 Qualified Profile Selector

Choose the EN 319 411-2 policy profile that matches the certificate subject, intended use, QSCD claim, and website-authentication route.

Use this as standards implementation guidance for certificate-policy scoping and evidence planning, not for legal interpretation.

ETSI EN 319 411-2 defines EU qualified certificate policy profiles for trust service providers issuing qualified certificates. This workflow helps certificate-policy owners decide which profile to use before they draft the CP/CPS, encode policy identifiers, claim QSCD support, or prepare assessor evidence.

## Start with the certificate purpose

The first selection question is not whether the service is generally secure. It is what the qualified certificate is meant to support: a natural person's electronic signature, a legal person's electronic seal, or website authentication.

EN 319 411-2 builds these qualified profiles on EN 319 411-1 policy families such as NCP, NCP+, EVCP, OVCP, IVCP, and web-authentication requirements, then adds eIDAS-qualified certificate requirements. That means the chosen profile determines both the base controls and the qualified-certificate additions.

- Use QCP-n when the qualified certificate is issued to a natural person for electronic-signature use without a QSCD-specific policy claim.
- Use QCP-l when the qualified certificate is issued to a legal person for electronic-seal use without a QSCD-specific policy claim.
- Use QEVCP-w, QNCP-w, or QNCP-w-gen only for qualified website-authentication certificates, not for ordinary signature or seal certificates.
- Document the reason for excluding other profiles so the CP/CPS reviewer can see that the profile was selected deliberately.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 qualified certificate policy profiles](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the selector's profile set and the distinction between natural-person, legal-person, QSCD, and website-authentication qualified certificate policies.
- [ETSI EN 319 411-1 V1.5.1 general certificate policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the base NCP, NCP+, EVCP, OVCP, IVCP, and WEB policy families that EN 319 411-2 incorporates for qualified certificate services.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the EU legal context for qualified trust services, qualified certificates, electronic signatures, electronic seals, and website authentication.

## Select QCP-n, QCP-l, or a QSCD variant

For signature and seal certificates, the selector turns on two facts: the subject type and whether the policy requires the private key related to the certified public key to reside in a Qualified Signature Creation Device or Qualified Seal Creation Device.

The non-QSCD profiles still need an explicit policy decision. EN 319 411-2 says QCP-n and QCP-l include NCP requirements and qualified-certificate additions; if the terms and conditions require a secure cryptographic device, NCP+ requirements apply. The QSCD profiles go further and require the QSCD-specific policy path.

- Natural person, signature use, no QSCD policy claim: select QCP-n and map the applicable NCP or NCP+ base requirements.
- Legal person, seal use, no QSCD policy claim: select QCP-l and map the applicable NCP or NCP+ base requirements.
- Natural person with the private key in a QSCD: select QCP-n-qscd and collect QSCD certification, key-generation, and certificate-profile evidence.
- Legal person with the private key in a QSCD: select QCP-l-qscd and collect the same QSCD evidence for the seal-creation route.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 QSCD policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the QCP-n, QCP-l, QCP-n-qscd, and QCP-l-qscd selection rules and the QSCD evidence requirements in key-pair generation and certificate profiles.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the qualified-signature, qualified-seal, and qualified device context used when deciding whether a QSCD-specific profile is appropriate.

## Select the website-authentication profile

Website-authentication certificates follow a separate branch. EN 319 411-2 defines three qualified website-authentication policy profiles, and the correct route depends on whether the certificate is based on EVCP, on NCP plus OVCP or IVCP, or on the general-purpose QNCP-w-gen route.

This branch should be decided before certificate templates and public disclosures are finalized because QEVCP-w and QNCP-w also depend on external CA/Browser Forum requirement families. EN 319 411-2 states that, for QEVCP-w and QNCP-w, the latest EVCG or BRG requirements take precedence if they conflict with EN 319 411-2 requirements.

- Use QEVCP-w for an EU qualified website-authentication certificate based on EVCP for a legal person.
- Use QNCP-w for an EU qualified website-authentication certificate based on NCP plus OVCP or IVCP.
- Use QNCP-w-gen for a general-purpose qualified website-authentication certificate based on NCP and EN 319 411-1 WEB-tagged requirements.
- Record whether BRG or EVCG requirements add or override implementation details for the selected website-authentication profile.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 website-authentication profiles](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the QEVCP-w, QNCP-w, and QNCP-w-gen branches and the precedence rule for BRG or EVCG conflicts.
- [ETSI EN 319 411-1 V1.5.1 web-authentication certificate requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Supports the NCP, EVCP, OVCP, IVCP, and WEB-tagged requirement families referenced by the website-authentication branch.

## Translate the selected profile into certificate evidence

After the profile is selected, the evidence pack should prove that the certificate and the CP/CPS follow the selected EN 319 411-2 route. The profile decision should appear in the certificate policy name and identification, the certificate's policy identifier strategy, the CP/CPS control mapping, and the disclosure statement.

EN 319 411-2 requires qualified certificates to include at least one applicable policy identifier choice, and it restricts the QSCD qcStatement to the QSCD profiles. If the certificate uses only a TSP-allocated OID, the referenced certificate policy must clearly identify which EN 319 411-2 policy it adopts as the basis.

- Store the selected profile, rejected alternatives, subject type, intended certificate use, and QSCD decision in the CP/CPS working papers.
- Check that certificate policy identifiers match the selected profile and that any TSP-allocated OID clearly maps back to that EN 319 411-2 basis.
- For QCP-n-qscd and QCP-l-qscd, verify QSCD certification evidence, key-pair generation route, QSCD status monitoring, and the required QSCD qcStatement.
- For non-QSCD certificates, verify that the QSCD qcStatement is not included.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 certificate profile requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the policy-identifier checks, TSP-allocated OID handling, and QSCD qcStatement inclusion or exclusion rules.
- [ETSI EN 319 411-2 V2.6.1 CP and disclosure requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the requirement that the certificate policy clearly states the qualified-certificate purpose and whether QSCD use is required.

*Recommended next step*

*Placement: after practical guidance*

## Operationalize the profile decision

Use the selected qualified certificate profile to drive CP/CPS updates, certificate template checks, OID mapping, QSCD evidence, and disclosure review.

- [Open Assessment Autopilot for ETSI EN 319 411-2](/solutions/assessment.md): Convert the selected profile into CP/CPS tasks, certificate-template checks, and evidence requests.
- [Research ETSI EN 319 411-2 source questions](/solutions/research-copilot.md): Resolve profile, QSCD, policy identifier, and website-authentication questions against cited source material.
- [Talk through implementation](/contact.md): Review the selected policy profile, evidence gaps, and next implementation actions with Sorena.

## Profile selector worksheet

Use this worksheet as a pre-audit handoff. It is written as operational rows so it can be copied into a CP/CPS review ticket without losing the selection logic.

Step 1: Identify the certificate use. Choose signature, seal, or website authentication; name the subject type as natural person, legal person, or website-authentication subject.

Step 2: Decide the device claim. For signature or seal certificates, record whether the policy requires a QSCD and whether the TSP or another qualified TSP manages relevant key material.

Step 3: Select the profile. Map the facts to QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.

Step 4: Bind identifiers and disclosures. Confirm policy identifiers, TSP-allocated OIDs, CP/CPS statements, terms and conditions, and the PKI disclosure statement are consistent with the selected profile.

Step 5: Run a negative check. Confirm no website-authentication profile is being used for a signature or seal certificate, no QSCD qcStatement appears outside a QSCD profile, and no qualified claim relies only on EN 319 411-1.

- Evidence owner: certificate-policy owner or QTSP compliance owner.
- Engineering input: certificate template, policy OID configuration, qcStatements, CRL or OCSP profile assumptions, and key-management route.
- Legal or compliance input: eIDAS qualified-service claim, terms and conditions, supervisory or trusted-list evidence, and customer-facing limitations.
- Assessor input: mapping from selected profile to clauses 5 and 6 of EN 319 411-2 and incorporated EN 319 411-1 requirements.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 qualified profile selector basis](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the worksheet sequence by tying profile selection to certificate purpose, QSCD status, policy identifiers, CP/CPS statements, and incorporated requirements.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the qualified-service and trusted-list context that should be checked before public qualified-certificate claims are made.

## Mistakes that break the profile decision

Most profile-selector failures are traceability failures. The certificate may look technically valid while the CP/CPS, policy OID, qcStatement, or website-authentication route points to a different EN 319 411-2 policy than the one the team intended.

Treat the profile decision as a release gate for qualified certificate services. A profile mismatch can affect assessor evidence, relying-party interpretation, trusted-list validation, and the legal framing of a qualified-certificate claim.

- Do not claim QCP-n-qscd or QCP-l-qscd unless the QSCD certification, key-generation route, and QSCD qcStatement evidence are present.
- Do not include the QSCD qcStatement in certificates that are not issued under QCP-n-qscd or QCP-l-qscd.
- Do not use QEVCP-w, QNCP-w, or QNCP-w-gen unless the service is actually issuing qualified website-authentication certificates.
- Do not treat EN 319 411-2 conformance by itself as proof that the TSP or certificate is qualified under eIDAS; qualification also depends on the legal and supervisory context.
- Do not let a TSP-allocated policy OID hide the EN 319 411-2 basis; the referenced certificate policy must identify the profile it adopts.

Sources for this answer:

- [ETSI EN 319 411-2 V2.6.1 conformance and profile limits](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Supports the warnings about QSCD qcStatement misuse, website-profile misuse, TSP-allocated OIDs, and the limit of EN 319 411-2 conformance alone.
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Supports the warning that qualified status is part of the wider eIDAS trust-service framework, not only a standards-document label.

## Primary sources

- [ETSI EN 319 411-2 V2.6.1 qualified certificate policy profiles](https://www.etsi.org/deliver/etsi_en/319400_319499/31941102/02.06.01_60/en_31941102v020601p.pdf?ref=sorena.io) - Source for the EN 319 411-2 qualified certificate policy profiles, profile identifiers, QSCD rules, certificate-profile rules, and warnings about qualification limits.
  - Quote: "EU qualified certificate policies"
- [ETSI EN 319 411-1 V1.5.1 general certificate policy requirements](https://www.etsi.org/deliver/etsi_en/319400_319499/31941101/01.05.01_60/en_31941101v010501p.pdf?ref=sorena.io) - Source for the base certificate-policy families incorporated by EN 319 411-2, including NCP, NCP+, EVCP, OVCP, IVCP, and WEB-tagged requirements.
  - Quote: "Policy and security requirements"
- [Regulation (EU) No 910/2014 (eIDAS)](https://eur-lex.europa.eu/eli/reg/2014/910/oj/eng?ref=sorena.io) - Source for the EU qualified trust-service context behind qualified signatures, seals, website authentication, qualified certificates, and qualified trust service providers.
  - Quote: "electronic identification and trust services"

## Related Topic Guides

- [eIDAS QTSP supervision workflow for ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/eidas-qtsp-supervision-workflow.md): Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
- [EN 319 411-2 vs EN 319 411-1 Qualified Certs](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-en-319-411-1.md): Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
- [ETSI EN 319 411-2 compliance checklist](/artifacts/global/etsi-en-319-411-2/compliance.md): Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
- [ETSI EN 319 411-2 FAQ for EU Qualified Certificates](/artifacts/global/etsi-en-319-411-2/faq.md): Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
- [ETSI EN 319 411-2 Identity Proofing](/artifacts/global/etsi-en-319-411-2/identity-proofing.md): How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
- [ETSI EN 319 411-2 QSCD Route](/artifacts/global/etsi-en-319-411-2/qscd-route.md): When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
- [ETSI EN 319 411-2 QTSP supervision evidence workflow](/artifacts/global/etsi-en-319-411-2/qtsp-supervision-evidence-workflow.md): Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
- [ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation](/artifacts/global/etsi-en-319-411-2/qualified-certificate-operations.md): Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
- [ETSI EN 319 411-2 Qualified Certificate Scope](/artifacts/global/etsi-en-319-411-2/qualified-certificate-scope.md): Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
- [ETSI EN 319 411-2 requirements map](/artifacts/global/etsi-en-319-411-2/requirements.md): Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
- [ETSI EN 319 411-2 trusted-list evidence](/artifacts/global/etsi-en-319-411-2/trusted-list-evidence.md): Build EN 319 411-2 trusted-list evidence for EU qualified certificate reliance: relying-party notice text, QTSP service identifiers, validation records, and change triggers.
- [ETSI EN 319 411-2 trusted-list validation workflow](/artifacts/global/etsi-en-319-411-2/trusted-list-validation-workflow.md): Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
- [ETSI EN 319 411-2 vs eIDAS Qualified Trust Services](/artifacts/global/etsi-en-319-411-2/en-319-411-2-vs-eidas-qualified-trust-services.md): Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
- [ETSI EN 319 411-2: Certificate Revocation FAQ](/artifacts/global/etsi-en-319-411-2/faq/revocation.md): Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
- [ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow](/artifacts/global/etsi-en-319-411-2/qualified-certificate-lifecycle-workflow.md): Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
- [ETSI EN 319 411-2: Legal vs Natural Person Certs](/artifacts/global/etsi-en-319-411-2/faq/legal-and-natural-persons.md): ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
- [ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection](/artifacts/global/etsi-en-319-411-2/qcp-qncp-and-qevcp-profile-selection.md): Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
- [How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?](/artifacts/global/etsi-en-319-411-2/faq/qualified-profile-selection.md): A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
- [How should relying parties use trusted lists under ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/trusted-lists.md): FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
- [QSCD Requirements in ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qscd.md): How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
- [QTSP Supervision and ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qtsp-supervision.md): How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
- [Qualified certificates under ETSI EN 319 411-2](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificates.md): FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
- [What are the qualified certificate policies in ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/qualified-certificate-policies.md): FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
- [Which QWAC Profile Fits ETSI EN 319 411-2?](/artifacts/global/etsi-en-319-411-2/faq/website-authentication-certificates.md): Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.


---

[Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us)

(c) 2026 Sorena AB (559573-7338). All rights reserved.

Source: https://www.sorena.io/artifacts/global/etsi-en-319-411-2/qualified-profile-selector-workflow