The EU regulation establishing uniform ICT risk management requirements for the financial sector, including cryptographic key management, certificate governance, and third-party oversight.
The Digital Operational Resilience Act (DORA) creates a comprehensive framework for digital operational resilience across the entire EU financial sector. It establishes uniform requirements for ICT risk management, incident reporting, resilience testing, and third-party provider oversight.
Article 9 mandates that financial entities implement cryptographic controls and key management policies as part of their ICT security framework. Article 15 requires thorough ICT risk assessments that encompass certificate infrastructure and cryptographic assets. These requirements make robust PKI governance a regulatory necessity.
DORA applies broadly to banks, insurers, investment firms, crypto-asset service providers and, importantly, to critical ICT third-party providers such as cloud services and infrastructure vendors. This wide scope means that certificate management practices must be governed not only internally but also across the entire supply chain.
Financial entities must establish and maintain a comprehensive ICT risk management framework, including identification, protection, detection, response, and recovery capabilities.
Entities must implement policies and procedures for the management of cryptographic keys throughout their lifecycle, including generation, storage, distribution, rotation, and destruction.
Financial entities must manage risks from ICT third-party providers, including contractual requirements for certificate management, security controls, and exit strategies.
Major ICT-related incidents — including certificate-related breaches and cryptographic failures — must be classified, reported, and communicated to competent authorities within strict timelines.
Entities must conduct regular testing of ICT systems, including threat-led penetration testing (TLPT) for significant institutions, covering certificate infrastructure and cryptographic controls.
Financial entities are encouraged to participate in cyber threat intelligence sharing arrangements, exchanging information on ICT risks, vulnerabilities, and indicators of compromise.
The European Commission (EC) proposes DORA as part of the Digital Finance Package, aiming to harmonize ICT risk management across the financial sector.
The European Parliament and Council formally adopt Regulation (EU) 2022/2554, establishing a comprehensive digital resilience framework for financial entities.
The European Supervisory Authorities (ESAs) publish detailed Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) for DORA compliance.
DORA becomes fully applicable across the EU. Financial entities and critical ICT third-party providers must comply with all requirements.
The ESAs begin exercising oversight powers over designated critical ICT third-party service providers, including cloud and infrastructure vendors.
DORA elevates certificate and key management from an operational concern to a regulatory requirement for the financial sector. Here are the critical areas:
Certificates must be inventoried and governed within the broader ICT risk management framework, with clear ownership, policies, and lifecycle controls.
Cryptographic key management must cover the full lifecycle — from generation through distribution, storage, rotation, and secure destruction — with documented policies and procedures.
Third-party ICT provider assessments must include review of their certificate management practices, CA trust chains, and cryptographic security controls.
Certificate compromises, CA breaches, and cryptographic failures must be classified and reported as ICT incidents under DORA's mandatory reporting framework.
Complete certificate inventory for ICT asset mapping — Discover and catalogue all certificates across your financial infrastructure, fulfilling DORA's ICT asset identification requirements.
Automated lifecycle for operational resilience — Prevent certificate-related outages with automated renewal and rotation, ensuring continuous operational resilience of critical financial systems.
Audit trails for regulatory reporting — Generate detailed certificate lifecycle logs and compliance reports ready for supervisory authority review under DORA's reporting obligations.
Multi-CA governance for third-party oversight — Manage certificates from multiple Certificate Authorities in a single pane of glass, enabling visibility into third-party ICT provider certificate practices.