--- title: "ETSI EN 319 401 Requirements (REQ-5/6/7 Map for Trust Service Providers)" canonical_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/requirements" source_url: "https://www.sorena.io/artifacts/global/etsi-en-319-401/requirements" author: "Sorena AI" description: "Clause-by-clause ETSI EN 319 401 requirements mapping for Trust Service Providers (TSPs): risk assessment (REQ-5)." published_at: "2026-03-04" updated_at: "2026-03-04" keywords: - "ETSI EN 319 401 requirements" - "ETSI EN 319 401 REQ-5 risk assessment" - "trust service practice statement REQ-6.1" - "information security policy REQ-6.3" - "terms and conditions REQ-6.2" - "network security REQ-7.8" - "vulnerability scan REQ-7.8-13" - "quarterly vulnerability scanning REQ-7.8-14" - "penetration test REQ-7.8-17" - "monitoring and logging REQ-7.9.1" - "incident response REQ-7.9.2" - "24 hour incident reporting REQ-7.9.3" - "evidence collection REQ-7.10" - "audit logs UTC synchronization REQ-7.10-06" - "trust service provider compliance" - "Trust Service Provider" - "Risk assessment" - "Monitoring and logging" - "Incident response" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # ETSI EN 319 401 Requirements (REQ-5/6/7 Map for Trust Service Providers) Clause-by-clause ETSI EN 319 401 requirements mapping for Trust Service Providers (TSPs): risk assessment (REQ-5). *Artifact Guide* *GLOBAL* ## ETSI EN 319 401 Requirements A practical map of ETSI EN 319 401 requirements for Trust Service Providers (TSPs). Translate REQ-5/6/7 into controls, tests, and audit-ready evidence for trust services, relying parties, and supervisory scrutiny. ETSI EN 319 401 is easiest to implement when you treat each requirement (REQ-*) as a verifiable claim: (1) the control exists, (2) it operates continuously, and (3) you can prove it with evidence tied to your scope (trust services, systems, facilities, people, and suppliers). This page maps the most operationally important requirements into implementation and evidence expectations. ## How to use this requirements map (avoid checklist failure) Build your program around the standard structure: risk assessment in clause 5, policies and practices in clause 6, and TSP management and operation in clause 7. The current release is ETSI EN 319 401 V3.1.1 (2024-06), adopted on 30 May 2024, with national endorsement by 28 February 2025. For every REQ you claim, attach: control owner, operating procedure, verification method, and evidence location. Make evidence generation part of normal operations (monitoring, change management, releases, and incident response). - Scope first: define which trust services and systems are in-scope, including external supporting organizations - Evidence first: treat REQ-7.10 evidence collection and retention as a system design problem - Operate continuously: monitoring/logging and incident response should run every day, not only before audits *Recommended next step* *Placement: after the requirement breakdown* ## Turn ETSI EN 319 401 Requirements into an operational assessment Assessment Autopilot can take ETSI EN 319 401 Requirements from turning the requirements into assigned actions to a reusable workflow inside Sorena. Teams working on ETSI EN 319 401 can keep owners, evidence, and next steps aligned without copying this guide into separate documents. - [Open Assessment Autopilot for ETSI EN 319 401 Requirements](/solutions/assessment.md): Start from ETSI EN 319 401 Requirements and turn the guidance into owned tasks, evidence requests, and review checkpoints. - [Talk through ETSI EN 319 401](/contact.md): Review your current process, evidence gaps, and next steps for ETSI EN 319 401 Requirements. ## Clause 5 - Risk assessment (REQ-5-01 to REQ-5-05) ETSI EN 319 401 requires the TSP to carry out a risk assessment covering business and technical issues, select risk treatment measures, determine security requirements and operational procedures to implement those measures, review and revise the risk assessment regularly, and have management approve and accept residual risk. Operationally, clause 5 is your control generator: it drives the minimum security baseline, the priorities, and the justification for why specific controls exist (or why certain controls are proportionate). - Risk assessment artifact: scope, assets, threats, vulnerabilities, impacts, likelihoods, and treatment decisions - Risk treatment plan: controls mapped to clause 6 policies and clause 7 operational controls - Management approval evidence: sign-off record and residual risk acceptance rationale ## Clause 6 - Policies and practices (REQ-6.1 and REQ-6.2) Clause 6 expects your policy layer to exist, be approved by management, published or communicated appropriately, and to be usable by subscribers and relying parties where required. This includes your Trust Service Practice Statement and your Terms and Conditions. A strong implementation turns these documents into operational interfaces: they describe how your service works, what relying parties can expect, and what evidence you can provide without exposing sensitive details. - Trust Service Practice Statement (REQ-6.1): practices/procedures addressing applicable trust service policy requirements and identifying external supporting organizations - Change notification (REQ-6.1-09 conditional): define when changes require notice and how you publish due notice - Terms and Conditions (REQ-6.2): include limitations, relying party info, retention periods for event logs, complaints/dispute processes, and availability undertakings ## Clause 6.3 - Information security policy (REQ-6.3-01 to REQ-6.3-09) ETSI EN 319 401 requires an information security policy approved by management, communicated to relevant third parties where applicable, documented/implemented/maintained with controls and operating procedures, and reviewed at planned intervals or after significant changes. The standard also expects configuration checks for policy violations with a documented maximum interval (in your practice statement), and approval for security-impacting changes by the management body. - Policy system: versioned security policy + topic policies + procedures that can be audited - Third-party comms: defined channels to communicate relevant policy changes to subscribers/relying parties/assessment bodies/supervisors - Configuration compliance: documented checking interval, detection of policy-violating changes, and follow-up actions ## Clause 7.8 - Network security, vulnerability scanning, and pen testing (REQ-7.8-01 to REQ-7.8-17) Clause 7.8 is unusually concrete for a policy standard: it covers segmentation into zones, restricting zone communications, disabling unneeded connections/services, separating production from dev/test, trusted channels between trustworthy systems, and security testing expectations. Two audit magnets: evidence of regular vulnerability scans (including independence/competence) and penetration tests after significant upgrades or modifications. - Zone design evidence: network diagrams, segmentation rules, and rule-set review records - Vulnerability scanning evidence (REQ-7.8-13): scan scope (public/private IPs), scan cadence, and competence/independence proof - Quarterly scan expectation (REQ-7.8-14): adopt quarterly as the default unless your risk model justifies otherwise - Pen testing (REQ-7.8-17): trigger criteria for significant changes, test scope, remediation tracking ## Clause 7.9 - Monitoring/logging, incident response, and 24-hour reporting (REQ-7.9.1-7.9.5) ETSI EN 319 401 expects continuous monitoring and logging, detection and alarming on abnormal activities, and regular review of logs with automatic processing and alerting for critical events. It also sets expectations for incident response procedures, communication plans, documentation, testing of roles/procedures, and specific time-bound handling such as addressing critical vulnerabilities within 48 hours after discovery and establishing notification procedures to appropriate parties within 24 hours for significant breaches. - Logging scope (REQ-7.9.1-04): network traffic, privileged activities, configuration changes, backups, physical access (where appropriate), and security-relevant logs - Critical vulnerability clock (REQ-7.9.2-09): 48-hour handling expectation for critical vulnerabilities - Breach notification readiness (REQ-7.9.3-01): procedures to notify appropriate parties within 24 hours for significant impact breaches - Post-incident reviews (REQ-7.9.5): root cause, recurrence mitigation, and ensuring reviews actually happen ## Clause 7.10 - Evidence collection and audit logs (REQ-7.10-01 to REQ-7.10-08) Clause 7.10 requires recording and keeping accessible relevant information for an appropriate period (including after TSP activities cease) to provide evidence and continuity, while maintaining confidentiality and integrity of records and ensuring availability for legal proceedings. A key detail: the time used to record events in the audit log must be synchronized with UTC at least once a day. - Evidence retention system: retention periods, integrity controls, and access governance - Audit log time integrity (REQ-7.10-06): daily UTC synchronization and proof that it occurs - Tamper resistance (REQ-7.10-08): design logs so they cannot be easily deleted/destroyed (or are safely transferred) ## Clause 7.14.3 - Supply chain and outsourcing controls The 2024 release gives more weight to supplier and third-party governance than many older EN 319 401 summaries show. When a TSP uses subcontracting, outsourcing, cloud providers, or external trust service components, the TSP keeps overall responsibility for conformance with its policy and security requirements. This is where many programs are too light. Contracts alone are not enough. You need review cycles, security expectations, and evidence that supplier cybersecurity practices are monitored and re-evaluated. - Document agreements and contractual relationships covering relevant security obligations and service levels - Define how external trust service components and cloud services are approved, monitored, and re-assessed after incidents or major changes - Keep evidence that direct suppliers and service providers take security measures aligned with the TSP risk assessment - Review supply-chain policy and supplier cybersecurity practices at planned intervals and after relevant incidents ## Primary sources - [ETSI EN 319 401 V3.1.1 (Official PDF via ETSI Deliver)](https://www.etsi.org/deliver/etsi_en/319400_319499/319401/03.01.01_60/en_319401v030101p.pdf?ref=sorena.io) - Primary source for REQ-5/6/7 requirements referenced throughout this requirements map. - [ETSI EN 319 403-1 (Official PDF via ETSI Deliver)](https://www.etsi.org/deliver/etsi_en/319400_319499/31940301/01.05.01_60/en_31940301v010501p.pdf?ref=sorena.io) - Companion conformity-assessment standard for TSP assessors. - [ETSI Coordinated Vulnerability Disclosure Program](https://www.etsi.org/standards/coordinated-vulnerability-disclosure?ref=sorena.io) - ETSI's public reporting channel referenced in the standard's front matter. - [ETSI IPR Database](https://ipr.etsi.org/?ref=sorena.io) - Use for IPR due diligence when adopting ETSI deliverables in compliance statements or contracts. ## Related Topic Guides - [ETSI EN 319 401 Audit & Conformity Assessment (Evidence Pack + Checklist)](/artifacts/global/etsi-en-319-401/audit-and-conformity-assessment.md): Audit readiness guide for ETSI EN 319 401 Trust Service Providers: how conformity assessment works in practice, what auditors sample. - [ETSI EN 319 401 Compliance Playbook for Trust Service Providers (TSPs)](/artifacts/global/etsi-en-319-401/compliance.md): How to operationalize ETSI EN 319 401 compliance for Trust Service Providers: scope definition, governance, risk assessment to control mapping. - [ETSI EN 319 401 FAQ for Trust Service Providers (TSPs)](/artifacts/global/etsi-en-319-401/faq.md): Frequently asked questions about ETSI EN 319 401 for Trust Service Providers: what a Trust Service Practice Statement is, how risk assessment drives controls. - [ETSI EN 319 401 vs eIDAS (Mapping to Article 19 & 24 TSP Obligations)](/artifacts/global/etsi-en-319-401/etsi-en-319-401-vs-eidas.md): Practical mapping of ETSI EN 319 401 requirements to the EU eIDAS Regulation (EU) No 910/2014. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/global/etsi-en-319-401/requirements