ETSI EN 319 Standards

The European standards suite (EN 319 401, 411, 412) defining comprehensive policy and security requirements for Trust Service Providers, governing PKI operations, qualified certificate issuance, and electronic signature formats.

Quick Facts

Status: Active
Type: Technical Standard
Scope: Trust Service Providers
Published by: ETSI
Key standards: 319 401, 411, 412

Overview

The ETSI EN 319 series provides the technical backbone for eIDAS trust services. EN 319 401 defines general policy requirements for all TSPs. EN 319 411-1 and 411-2 specify requirements for CAs issuing certificates (non-qualified and qualified respectively). EN 319 412 covers certificate profiles.

Together, these standards form the operational framework that every Trust Service Provider must implement — from certificate policies and practice statements to key management, audit logging, and revocation services. Compliance is mandatory for qualified TSP status under eIDAS.

The EN 319 series is continuously evolving to address new trust service categories introduced by eIDAS 2.0, including electronic attestation of attributes and the technical requirements for the European Digital Identity Wallet trust framework.

Key Requirements

EN 319 401 — General TSP Policy Requirements

Defines overarching policy and security requirements that all Trust Service Providers must implement, covering governance, risk management, and operational practices.

EN 319 411-1 — CA Policy (Non-Qualified)

Specifies policy and security requirements for Certificate Authorities issuing non-qualified certificates, including certificate lifecycle and revocation practices.

EN 319 411-2 — CA Policy (Qualified Certificates)

Defines the stringent requirements for CAs issuing qualified certificates, including enhanced identity verification, HSM key protection, and supervisory body oversight.

EN 319 412 — Certificate Profiles

Specifies standardized certificate profiles for qualified certificates, QWACs, and qualified electronic seal certificates, ensuring cross-border interoperability.

TSP Management & Operational Practices

Requirements for TSP personnel, physical security, network security, incident management, and business continuity planning to ensure reliable trust service delivery.

Conformity Assessment & Audit

TSPs must undergo regular conformity assessments by accredited bodies, demonstrating compliance with all applicable EN 319 standards to maintain qualified status.

Key Milestones

2013

Initial EN 319 standards published

ETSI publishes the first series of EN 319 standards, establishing the technical framework for Trust Service Providers in Europe.

2016

Alignment with eIDAS regulation

Standards updated to align with eIDAS regulation requirements, becoming the de facto technical reference for qualified trust services.

2018

EN 319 411-2 updated for qualified certs

Major revision of EN 319 411-2 strengthens requirements for qualified certificate issuance, key management, and conformity assessment.

2023

Revisions for eIDAS 2.0 alignment

Standards revised to accommodate eIDAS 2.0 requirements, including new trust service categories and the European Digital Identity Wallet framework.

2025 (Current)

Updates for EUDI Wallet trust framework

Ongoing updates to support the EU Digital Identity Wallet trust framework, with new certificate profiles and validation requirements.

Impact on PKI & Certificates

The ETSI EN 319 standards directly define how PKI must be operated for trust services in Europe. Here are the critical areas:

1. CA Operational Practices

Directly governs Certificate Authority operational practices, including certificate issuance workflows, identity verification procedures, and certificate policy enforcement.

2. Qualified Certificate Profiles

Mandates specific certificate profiles for qualified certificates (QC), qualified web authentication certificates (QWAC), and qualified electronic seal certificates (QSealC).

3. Key Management & HSM Requirements

Specifies strict key management requirements including HSM usage for CA key protection, key ceremony procedures, and secure key lifecycle management from generation to destruction.

4. Revocation Service Standards

Defines operational standards for OCSP and CRL revocation services, including availability requirements, response time SLAs, and revocation information freshness.

How we help

Evertrust & ETSI EN 319

EN 319 as operational framework — Stream implements EN 319 standards as its core operational framework, with built-in compliance for CA/RA/VA/TSA operations from day one.

Qualified certificate issuance — Built-in compliance with EN 319 411 requirements for both non-qualified and qualified certificate issuance, including identity verification workflows.

Automated OCSP/CRL services — Stream provides automated OCSP and CRL revocation services per EN 319 operational requirements, with built-in availability and freshness guarantees.

EN 319 412 certificate profiles — Horizon manages certificate lifecycle aligned with EN 319 412 profiles, ensuring all certificates conform to the required formats and extensions.