ETSI EN 319 421 V1.3.1 (2025-07)

Final draft ETSI EN 319 421 V1.3.1 (2025-05)

EUROPEAN STANDARD
Electronic Signatures and Trust Infrastructures (ESI);
Policy and Security Requirements for
Trust Service Providers issuing Time-Stamps

2 Final draft ETSI EN 319 421 V1.3.1 (2025-05)

Reference
REN/ESI-0019421v131
Keywords
e-commerce, electronic signature, security,
time-stamping, trust services
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2025.
All rights reserved.
ETSI
3 Final draft ETSI EN 319 421 V1.3.1 (2025-05)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Introduction . 6
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 8
3 Definition of terms, symbols, abbreviations and notation . 9
3.1 Terms . 9
3.2 Symbols . 10
3.3 Abbreviations . 10
3.4 Notation . 10
4 General concepts . 11
4.1 General policy requirements concepts . 11
4.2 Time-stamping services . 11
4.3 Time-Stamping Authority (TSA) . 11
4.4 Subscriber . 11
4.5 Time-stamp policy and TSA practice statement . 12
5 Introduction to time-stamp policies and general requirements . 12
5.1 General requirements . 12
5.2 Policy name and identification . 12
5.3 User community and applicability . 13
5.3.1 Best practices time-stamp policy . 13
6 Policies and practices . 13
6.1 Risk assessment . 13
6.2 Trust Service Practice Statement . 13
6.3 Terms and conditions . 13
6.4 Information security policy . 13
6.5 TSA obligations . 14
6.5.1 General . 14
6.5.2 TSA obligations towards subscribers . 14
6.6 Information for relying parties . 14
7 TSA management and operation . 14
7.1 Introduction . 14
7.2 Internal organization. 14
7.3 Personnel security. 15
7.4 Asset management . 15
7.5 Access control . 15
7.6 Cryptographic controls . 15
7.6.1 General . 15
7.6.2 TSU key generation . 15
7.6.3 TSU private key protection . 16
7.6.4 TSU public key certificate . 16
7.6.5 Rekeying TSU's key . 17
7.6.6 Life cycle management of signing cryptographic hardware . 17
7.6.7 End of TSU key life cycle . 17
7.7 Time-stamping . 18
7.7.1 Time-stamp issuance. 18
7.7.2 Clock synchronization with UTC . 18
7.8 Physical and environmental security . 19
7.9 Operation security . 19
ETSI
4 Final draft ETSI EN 319 421 V1.3.1 (2025-05)
7.10 Network security . 20
7.11 Incident management . 20
7.12 Collection of evidence . 20
7.13 Business continuity management . 20
7.14 TSA termination and termination plans . 21
7.15 Compliance. 21
7.16 Supply chain . 21
8 Additional requirements for qualified electronic time-stamps as per Regulation (EU) No 910/2014 . 21
8.1 TSU public key certificate . 21
8.2 TSA issuing non-qualified and qualified electronic time-stamps as per Regulation (EU) No 910/2014 . 22
Annex A (informative): Potential liability in the provision of time-stamping services . 23
Annex B (informative): Model TSA disclosure statement . 24
B.1 Introduction . 24
B.2 TSA disclosure statement structure . 24
Annex C (informative): Coordinated Universal Time (UTC). 26
Annex D (informative): Long term verification of time-stamps . 27
Annex E (informative): Regulation (EU) No 910/2014 and qualified electronic time-stamp
policy cross-reference . 28
Annex F (informative): Possible implementation architectures - time-stamping service . 29
F.1 Managed time-stamping service . 29
F.2 Selective alternative quality . 29
Annex G (informative): Major changes from ETSI TS 102 023 . 31
Annex H (informative): Conformity Assessment Check list .
...

SLOVENSKI STANDARD
oSIST prEN 319 421 V1.3.0:2025
01-marec-2025
Elektronski podpisi in infrastrukture zaupanja (ESI) - Zahteve politike in varnosti
za ponudnike storitev zaupanja, ki izdajajo časovne žige
Electronic Signatures and Trust Infrastructures (ESI) - Policy and Security Requirements
for Trust Service Providers issuing Time-Stamps
Electronic Signatures and Infrastructures (ESI) - Policy and Security Requirements for
Trust Service Providers issuing Time-Stamps
Ta slovenski standard je istoveten z: ETSI EN 319 421 V1.3.0 (2025-01)
ICS:
35.030 Informacijska varnost IT Security
35.040.01 Kodiranje informacij na Information coding in general
splošno
oSIST prEN 319 421 V1.3.0:2025 en
2003-01.Slovenski inštitut za standardizacijo. Razmnoževanje celote ali delov tega standarda ni dovoljeno.

oSIST prEN 319 421 V1.3.0:2025

oSIST prEN 319 421 V1.3.0:2025
Draft ETSI EN 319 421 V1.3.0 (2025-01)

EUROPEAN STANDARD
Electronic Signatures and Trust Infrastructures (ESI);
Policy and Security Requirements for
Trust Service Providers issuing Time-Stamps

oSIST prEN 319 421 V1.3.0:2025
2 Draft ETSI EN 319 421 V1.3.0 (2025-01)

Reference
REN/ESI-0019421v131
Keywords
e-commerce, electronic signature, security,
time-stamping, trust services
ETSI
650 Route des Lucioles
F-06921 Sophia Antipolis Cedex - FRANCE

Tel.: +33 4 92 94 42 00  Fax: +33 4 93 65 47 16

Siret N° 348 623 562 00017 - APE 7112B
Association à but non lucratif enregistrée à la
Sous-Préfecture de Grasse (06) N° w061004871

Important notice
The present document can be downloaded from the
ETSI Search & Browse Standards application.
The present document may be made available in electronic versions and/or in print. The content of any electronic and/or
print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any
existing or perceived difference in contents between such versions and/or in print, the prevailing version of an ETSI
deliverable is the one made publicly available in PDF format on ETSI deliver repository.
Users should be aware that the present document may be revised or have its status changed,
this information is available in the Milestones listing.
If you find errors in the present document, please send your comments to
the relevant service listed under Committee Support Staff.
If you find a security vulnerability in the present document, please report it through our
Coordinated Vulnerability Disclosure (CVD) program.
Notice of disclaimer & limitation of liability
The information provided in the present deliverable is directed solely to professionals who have the appropriate degree of
experience to understand and interpret its content in accordance with generally accepted engineering or
other professional standard and applicable regulations.
No recommendation as to products and services or vendors is made or should be implied.
In no event shall ETSI be held liable for loss of profits or any other incidental or consequential damages.

Any software contained in this deliverable is provided "AS IS" with no warranties, express or implied, including but not
limited to, the warranties of merchantability, fitness for a particular purpose and non-infringement of intellectual property
rights and ETSI shall not be held liable in any event for any damages whatsoever (including, without limitation, damages
for loss of profits, business interruption, loss of information, or any other pecuniary loss) arising out of or related to the use
of or inability to use the software.
Copyright Notification
No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and
microfilm except as authorized by written permission of ETSI.
The content of the PDF version shall not be modified without the written authorization of ETSI.
The copyright and the foregoing restriction extend to reproduction in all media.

© ETSI 2025.
All rights reserved.
ETSI
oSIST prEN 319 421 V1.3.0:2025
3 Draft ETSI EN 319 421 V1.3.0 (2025-01)
Contents
Intellectual Property Rights . 5
Foreword . 5
Modal verbs terminology . 5
Introduction . 6
1 Scope . 7
2 References . 7
2.1 Normative references . 7
2.2 Informative references . 8
3 Definitions of terms, symbols, abbreviations and notation . 9
3.1 Terms . 9
3.2 Symbols . 10
3.3 Abbreviations . 10
3.4 Notation . 10
4 General concepts . 11
4.1 General policy requirements concepts . 11
4.2 Time-stamping services . 11
4.3 Time-Stamping Authority (TSA) . 11
4.4 Subscriber . 11
4.5 Time-stamp policy and TSA practice statement . 12
5 Introduction to time-stamp policies and general requirements . 12
5.1 General requirements . 12
5.2 Policy name and identification . 12
5.3 User community and applicability . 13
5.3.1 Best practices time-stamp policy . 13
6 Policies and practices . 13
6.1 Risk assessment . 13
6.2 Trust Service Practice Statement . 13
6.3 Terms and conditions . 13
6.4 Information security policy . 13
6.5 TSA obligations . 14
6.5.1 General . 14
6.5.2 TSA obligations towards subscribers . 14
6.6 Information for relying parties . 14
7 TSA management and operation . 14
7.1 Introduction . 14
7.2 Internal organization. 14
7.3 Personnel security. 15
7.4 Asset management . 15
7.5 Access control . 15
7.6 Cryptographic controls . 15
7.6.1 General . 15
7.6.2 TSU key generation . 15
7.6.3 TSU private key protection . 16
7.6.4 TSU public key certificate . 16
7.6.5 Rekeying TSU's key . 17
7.6.6 Life cycle management of signing cryptographic hardware . 17
7.6.7 End of TSU key life cycle . 17
7.7 Time-stamping . 18
7.7.1 Time-stamp issuance. 18
7.7.2 Clock synchronization with UTC . 18
7.8 Physical and environmental security . 19
7.9 Operation security . 19
ETSI
oSIST prEN 319 421 V1.3.0:2025
4 Draft ETSI EN 319 421 V1.3.0 (2025-01)
7.10 Network security . 20
7.11 Incident management . 20
7.12 Collection of evidence . 20
7.13 Business continuity management . 20
7.14 TSA termination and termination plans . 21
7.15 Compliance. 21
8 Additional requirements for qualified electronic time-stamps as per Regulation (EU) No 910/2014 . 21
8.1 TSU public key certificate . 21
8.2 TSA issuing non-qualified and qualified electronic time-stamps as per Regulation (EU) No 910/2014 . 21
Annex A (informative): Potential liability in the provision of time-stamping services . 22
Annex B (informative): Model TSA disclosure statement . 23
B.1 Introduction . 23
B.2 TSA disclosure statement structure . 23
Annex C (informative): Coordinated Universal Time (UTC). 25
Annex D (informative): Long term verification of time-
...