Artifact GuideGLOBALETSI EN 319 411-2

ETSI EN 319 411-2 Trusted-list evidence

Evidence guidance for showing how an EU qualified certificate reliance claim is tied to the appropriate EU trusted-list entry for the QTSP.

Use this page to review relying-party notice wording, service-identifier mapping, validation records, and recheck triggers.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Sections
4

Structured answer sets in this page tree.

Primary sources
8

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

ETSI EN 319 411-2 makes trusted-list evidence a relying-party issue, not just an issuer-side filing. The notice to relying parties must explain that, for a certificate to be relied on as an EU Qualified Certificate, the validation trust anchor is identified in the service digital identifier of an appropriate EU trusted-list entry for the qualified trust service provider.

Section 1

What trusted-list claim needs evidence?

Start with the exact reliance claim: a certificate is being presented or used as an EU qualified certificate under an EN 319 411-2 qualified certificate policy. The evidence should connect that claim to the issuing QTSP, the certificate service, the certificate policy identifier, and the trusted-list service digital identifier that relying parties are told to use.

Do not treat a certificate chain, policy OID, CP/CPS statement, or repository page as enough by itself. EN 319 411-2 ties qualified-certificate reliance to the appropriate EU trusted-list entry for the QTSP, while eIDAS supplies the legal framework for qualified trust services and EU trusted lists.

  • Name the QTSP, certificate service, CA or issuing service boundary, certificate population, and qualified policy profile in scope.
  • Record the trusted-list entry and service digital identifier used as the validation trust-anchor reference.
  • Keep the relying-party notice text with the CP/CPS or terms section that publishes or references it.
  • Separate the standards evidence from legal or supervisory status evidence so reviewers can see what each source supports.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 relying-party trusted-list notice
OVR-6.3.5-12 requires the notice to relying parties to identify the EU trusted-list service digital identifier used as the trust anchor for validating an EU qualified certificate.
Regulation (EU) No 910/2014 (eIDAS)
Legal framework referenced by EN 319 411-2 for qualified trust services, qualified certificates, and EU trusted-list context.
Recommended next step

Operationalize trusted-list evidence

Use this EN 319 411-2 guide to assign relying-party notice, service-identifier mapping, validation-record, and exception-review work before an assessment or customer review.

Assessment workflow
Open Assessment Autopilot for EN 319 411-2

Convert trusted-list evidence into accountable tasks, evidence requests, and review milestones.

Explore next step
Research workflow
Research EN 319 411-2 source questions

Resolve trusted-list, QTSP, certificate-validation, and relying-party notice questions against cited source material.

Explore next step
Talk to Sorena
Talk through trusted-list evidence

Review trusted-list scope, evidence records, owners, and the next compliance actions with Sorena.

Explore next step
Section 2

Evidence fields to keep with the certificate service

A useful trusted-list evidence record should be reviewable without opening private systems first. It should show the public statement made to relying parties, the trusted-list entry used for that statement, and the validation procedure or source used to interpret the trusted-list data.

Keep this evidence per qualified certificate service or certificate population. A one-time screenshot is weak unless it is paired with the service boundary, date checked, service identifier, profile claim, reviewer or system owner, and the event that would require the check to be refreshed.

  • Relying-party notice: exact published wording, publication location, CP/CPS or terms version, and approval date.
  • Service mapping: QTSP name, qualified trust service, service digital identifier, certificate policy identifier, CA or issuing service, and certificate population covered.
  • Validation record: trusted-list source, date checked, result, validation method, reviewer or automated job owner, and exception outcome.
  • Traceability: link the trusted-list record to certificate samples, CP/CPS sections, repository evidence, and any assessment or supervisory evidence used for the same claim.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 trusted-list validation references
The notes below OVR-6.3.5-12 reference Implementing Decision 2015/1505 for trusted-list formats and ETSI TS 119 615 for validating a certificate against EU trusted lists.
Commission Implementing Decision (EU) 2015/1505 on trusted-list specifications
Official EU source for the technical specifications and formats for trusted lists under Article 22(5) of eIDAS.
Section 3

How to use the referenced trusted-list standards

Use EN 319 411-2 to identify the relying-party notice obligation, then use the trusted-list standards it references to document the validation route. ETSI TS 119 612 is referenced for the trusted-list service digital identifier, and ETSI TS 119 615 is referenced for procedures for using and interpreting EU Member State national trusted lists.

Keep certificate validation evidence separate from signature or seal validation evidence. EN 319 411-2 points to ETSI TS 119 172-4 for a validation policy describing how to validate a digital signature against EU trusted lists when the outcome is whether it can be considered a qualified electronic signature or seal.

  • Certificate evidence: show how the certificate was checked against the EU trusted-list entry and whether it can be considered an EU qualified certificate.
  • Signature or seal evidence: add the validation-policy record when the relying-party conclusion concerns a qualified electronic signature or seal.
  • Identifier evidence: preserve the service digital identifier and do not replace it with only a provider name, CA certificate, or marketing label.
Sources for this answer
ETSI TS 119 612 V2.4.1 trusted lists
Referenced by EN 319 411-2 for the service digital identifier of the appropriate EU trusted-list entry.
ETSI TS 119 615 V1.2.1 trusted-list procedures
Referenced by EN 319 411-2 as guidance for validating a digital certificate against EU trusted lists.
ETSI EN 319 411-2 V2.6.1 signature and seal validation reference
EN 319 411-2 references ETSI TS 119 172-4 for validation policy when determining whether a signature or seal can be considered qualified using EU trusted lists.
Section 4

Review triggers and exception handling

Trusted-list evidence should be refreshed when the fact pattern behind the reliance claim changes. The trigger is not a generic review cadence; it is a change to the certificate service, profile, QTSP status context, trusted-list entry, validation method, or relying-party notice that could alter how the certificate is relied on as qualified.

When a check fails or the trusted-list entry does not match the claim, record the issue as an exception before publishing or reusing the qualified-certificate claim. The exception should identify whether the gap is a standards implementation issue, a trusted-list recognition issue, a CP/CPS publication issue, or a legal or supervisory question outside the standard.

  • Recheck after a trusted-list entry, service status, service digital identifier, or QTSP name changes.
  • Recheck after CP/CPS updates, relying-party notice updates, certificate policy identifier changes, CA hierarchy changes, or qualified service boundary changes.
  • Escalate mismatches between the certificate policy claim and trusted-list evidence before customers or auditors rely on the claim.
  • Keep exception records with the affected certificate population, owner, source clause, decision, remediation, and date the evidence was refreshed.
Sources for this answer
ETSI EN 319 411-2 V2.6.1 qualified certificate requirements
Supports the need to keep trusted-list reliance tied to the qualified certificate service, policy context, and relying-party notice.
Regulation (EU) No 910/2014 (eIDAS)
Supports separating EN 319 411-2 evidence from legal and supervisory questions about qualified trust services.
Primary sources

References and citations

ETSI EN 319 411-2 V2.6.1 relying-party trusted-list notice
etsi.org
Referenced sections
  • OVR-6.3.5-12 requires the notice to relying parties to identify the EU trusted-list service digital identifier used as the trust anchor for validating an EU qualified certificate.
"service digital identifier of an appropriate EU trusted list entry"
ETSI EN 319 411-2 V2.6.1 trusted-list validation references
etsi.org
Referenced sections
  • The notes below OVR-6.3.5-12 reference Implementing Decision 2015/1505 for trusted-list formats and ETSI TS 119 615 for validating a certificate against EU trusted lists.
"validate a digital certificate against the EU trusted lists"
ETSI TS 119 612 V2.4.1 trusted lists
etsi.org
Referenced sections
  • Referenced by EN 319 411-2 for the service digital identifier of the appropriate EU trusted-list entry.
"Trusted Lists"
ETSI TS 119 615 V1.2.1 trusted-list procedures
etsi.org
Referenced sections
  • Referenced by EN 319 411-2 as guidance for validating a digital certificate against EU trusted lists.
"Procedures for using and interpreting European Union Member States national trusted lists"
Regulation (EU) No 910/2014 (eIDAS)
eur-lex.europa.eu
Referenced sections
  • Supports separating EN 319 411-2 evidence from legal and supervisory questions about qualified trust services.
"trust services"
Related guides

Explore more topics

eIDAS QTSP supervision workflow for ETSI EN 319 411-2
Operational workflow for qualified trust service providers using ETSI EN 319 411-2 to manage supervisory-body changes, incidents, termination evidence, trusted-list checks, and assessment records.
EN 319 411-2 vs EN 319 411-1 Qualified Certs
Compare ETSI EN 319 411-2 qualified certificate requirements with EN 319 411-1 general certificate-service requirements, including QCP profiles, QSCD evidence, CP/CPS reuse, and audit boundaries.
ETSI EN 319 411-2 compliance checklist
Compliance checklist for ETSI EN 319 411-2 qualified certificate services, covering policy selection, CP/CPS evidence, identity validation, QSCD status, trusted-list reliance, and certificate status services.
ETSI EN 319 411-2 FAQ for EU Qualified Certificates
Answers to common ETSI EN 319 411-2 questions about EU qualified certificate policies, QSCD use, identity validation, trusted lists, and revocation status services.
ETSI EN 319 411-2 Identity Proofing
How EN 319 411-2 applies identity validation for EU qualified certificates, including QCP natural-person, legal-person, website, and evidence-record checks.
ETSI EN 319 411-2 QSCD Route
When QCP-n-qscd or QCP-l-qscd is the right EN 319 411-2 route, what QSCD evidence is needed, and which certificate-profile claims must stay aligned.
ETSI EN 319 411-2 QTSP supervision evidence workflow
Build an assessment-ready QTSP supervision evidence pack for ETSI EN 319 411-2 qualified certificate services, covering policy identifiers, trusted-list checks, incident records, QSCD evidence, and termination controls.
ETSI EN 319 411-2 qualified certificate operations: issuance, suspension, and revocation
Operational guide for ETSI EN 319 411-2 qualified certificate services: policy identifiers, identity validation, issuance, QSCD handling, revocation status, and relying-party notices.
ETSI EN 319 411-2 Qualified Certificate Scope
Use ETSI EN 319 411-2 to scope EU qualified certificate services by certificate policy, subject type, QSCD use, website authentication profile, and eIDAS context.
ETSI EN 319 411-2 requirements map
Map ETSI EN 319 411-2 requirements for EU qualified certificate services across QCP profiles, CP/CPS documentation, QSCD use, certificate profiles, revocation, and eIDAS Annex A references.
ETSI EN 319 411-2 trusted-list validation workflow
Validate an EN 319 411-2 EU qualified-certificate claim by mapping the certificate service to the QTSP trusted-list entry, policy profile, relying-party notice, and status evidence.
ETSI EN 319 411-2 vs eIDAS Qualified Trust Services
Compare ETSI EN 319 411-2 certificate policy requirements with the eIDAS qualified-status, supervision, audit, and trusted-list framework.
ETSI EN 319 411-2: Certificate Revocation FAQ
Answer the ETSI EN 319 411-2 revocation question for qualified certificate services: CPS procedures, 24-hour publication, CRL or OCSP status, and evidence to retain.
ETSI EN 319 411-2: end-to-end qualified certificate lifecycle management workflow
Lifecycle workflow for ETSI EN 319 411-2 qualified certificate services, from policy selection and identity validation through issuance, renewal, re-key, modification, revocation, status services, and records.
ETSI EN 319 411-2: Legal vs Natural Person Certs
ETSI EN 319 411-2 separates qualified certificate policies for natural persons, legal persons, QSCD use, and website authentication subscribers.
ETSI EN 319 411-2: QCP, QNCP, and QEVCP Profile Selection
Choose the right ETSI EN 319 411-2 qualified certificate policy profile: QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen.
ETSI EN 319 411-2: workflow for selecting QCP-n, QCP-l, or QCP-w certificate profile
Select the right ETSI EN 319 411-2 qualified certificate policy profile for signatures, seals, QSCD use, and website authentication.
How should QTSPs select an ETSI EN 319 411-2 qualified certificate profile?
A focused FAQ on choosing QCP-n, QCP-l, QCP-n-qscd, QCP-l-qscd, QEVCP-w, QNCP-w, or QNCP-w-gen under ETSI EN 319 411-2.
How should relying parties use trusted lists under ETSI EN 319 411-2?
FAQ on EN 319 411-2 trusted-list reliance for EU qualified certificates: relying-party notices, QTSP service identifiers, validation evidence, and source references.
QSCD Requirements in ETSI EN 319 411-2
How ETSI EN 319 411-2 treats QSCD-backed qualified certificates, including QCP-n-qscd and QCP-l-qscd policies, key-use controls, QSCD verification, and certificate profile evidence.
QTSP Supervision and ETSI EN 319 411-2
How ETSI EN 319 411-2 supports QTSP supervision evidence for qualified certificate services, trusted-list reliance, liability responsibility, incident records, and audit preparation.
Qualified certificates under ETSI EN 319 411-2
FAQ answer for QTSPs on how ETSI EN 319 411-2 treats EU qualified certificates, policy identifiers, QSCD variants, website certificates, and lifecycle evidence.
What are the qualified certificate policies in ETSI EN 319 411-2?
FAQ on ETSI EN 319 411-2 qualified certificate policies, including QCP-n, QCP-l, QSCD variants, QEVCP-w, QNCP-w, and policy identifiers.
Which QWAC Profile Fits ETSI EN 319 411-2?
Choose between QEVCP-w, QNCP-w, and QNCP-w-gen for qualified website authentication certificates under ETSI EN 319 411-2.