ETSI EN 319 411-2 Requirements

EN 319 411-2 specifies additional requirements for trust service providers issuing EU qualified certificates. It incorporates the general requirements of EN 319 411-1 and adds qualified-specific rules to align with eIDAS expectations.

Conformance to EN 319 411-2 alone does not automatically make your service or certificates qualified under eIDAS. Qualification is a regulatory status that also depends on conformity assessment, supervisory treatment, and the relevant trusted-list publication.

EN 319 411-2 defines EU qualified certificate policy identifiers that can be included in certificates. Including one of these identifiers indicates the certificate is issued and managed according to EN 319 411-2 for that policy.

Treat this as relying-party semantics. The policy identifier is used to determine suitability and trustworthiness in an eIDAS context, so CP, CPS, certificate profiles, and subscriber obligations all have to match the asserted OID.

A large portion of EN 319 411-2 is composition. It says certain requirement sets in EN 319 411-1 apply, and then adds qualified-specific constraints. That means your compliance mapping has to include both documents, not one or the other.

In practice, build a two-layer mapping so assessors can follow policy choice, inherited baseline requirements, and the qualified deltas without guessing.

EN 319 411-2 adds qualified identity-verification requirements. It distinguishes natural-person and legal-person verification and provides a choice-based rule for qualified website-authentication policies depending on subscriber type.

Treat identity verification as a system that produces evidence. The output is not only a passed check but a reproducible record of sources used, checks performed, and who approved the decision.

Qualified certificates with QSCD requirements introduce a hard boundary: the private key cannot be used for signing except within a QSCD, and the private key has to stay under the required subject-control model for the asserted policy.

EN 319 411-2 also pushes obligations into subscriber obligations or TSP obligations when the TSP manages QSCD on behalf of the subject. Your documentation has to make those control flows explicit.

EN 319 411-2 requires the certificate policy to include a clear statement that the policy is for EU qualified certificates and whether it requires use of a QSCD. It also requires a PKI disclosure statement and relies on the ETSI certificate-profile stack, including QCStatements, to express qualified semantics in certificates.

Do not let CP, CPS, PKI disclosure text, certificate-profile configuration, and actual certificates diverge. Relying parties and assessors will compare them.

Relying parties do not infer qualified status from marketing text. They validate against EU trusted lists and related profile material. The EN 319 411-2 reference set explicitly points to trusted-list and validation specifications such as ETSI TS 119 612, ETSI TS 119 615, and ETSI TS 119 172-4.

Operationally, this means your evidence pack needs to show how your service is represented, how certificate validation against trusted lists works, and how you explain that validation path to relying parties and customers.

Qualified programs still inherit the EN 319 411-1 lifecycle and status-service expectations, but EN 319 411-2 also points directly to RFC 6960 and X.509 mechanisms relevant to long-lived relying-party validation.

If you keep expired revoked certificates on CRLs or use OCSP ArchiveCutOff handling, document the behavior clearly and make sure the profile, CPS, and status infrastructure all tell the same story.

For qualified website-authentication policies, EN 319 411-2 includes a conditional conflict rule: if there is conflict between EN 319 411-2 requirements and the latest relevant CA Browser Forum requirements, the CA Browser Forum requirements take precedence.

Operationally, you need a change-tracking process. You cannot freeze controls to a single version and assume continuing compliance for QNCP-w or QEVCP-w operations.