Part 6 · Strategy & Compliance

PKI & Regulatory Compliance

From eIDAS to NIS2, DORA to GDPR, European and global regulations increasingly require organizations to implement strong cryptographic controls. PKI is at the heart of meeting these requirements.

Quick Facts: Type: Educational · Level: Intermediate · Topics: 7 sections · Chapter: 24 of 25 · Next: Choosing a CLM Platform

Introduction

Regulatory compliance is no longer a checkbox exercise. For organizations operating in Europe and beyond, a growing body of legislation now explicitly requires strong cryptographic controls, identity verification, and data protection mechanisms. Public Key Infrastructure (PKI) sits at the centre of all three.

Digital certificates enable encrypted communications, authenticated identities, and verifiable digital signatures. These are the exact capabilities that regulators demand when they write about "appropriate technical measures" or "state of the art security." Without a well-managed PKI, meeting compliance obligations becomes significantly harder and, in some cases, impossible.

This chapter maps the most important regulations to specific PKI requirements, helping you understand not just what the law says, but how your certificate infrastructure needs to support it. Whether you are a CISO building a compliance roadmap or a PKI architect designing for auditability, the sections below give you a practical framework to work from. For a broader strategic perspective, see our chapter on building a CLM strategy.

eIDAS 2.0 & Qualified Certificates

The eIDAS regulation (electronic IDentification, Authentication and trust Services) is the European Union's framework for digital identity and trust services. The revised eIDAS 2.0, adopted in 2024, significantly expands its scope and introduces the European Digital Identity Wallet.

1. Qualified Certificates

eIDAS defines Qualified Certificates as the highest assurance level for digital certificates. They must be issued by Qualified Trust Service Providers (QTSPs) who are audited and supervised by national authorities. These certificates carry legal weight equivalent to handwritten signatures across all EU member states.

2. Qualified Electronic Seals

Organizations (not just individuals) can use Qualified Electronic Seals to guarantee the origin and integrity of documents. This requires PKI infrastructure capable of issuing and managing seal certificates that meet strict technical standards defined in ETSI norms.

3. Website Authentication (QWAC)

eIDAS 2.0 reintroduces Qualified Website Authentication Certificates (QWACs), requiring browsers to recognize them. For organizations, this means managing a distinct certificate type with specific issuance and renewal requirements alongside standard TLS certificates.

For PKI teams, eIDAS 2.0 means supporting multiple certificate types (qualified signatures, seals, and QWACs) from approved QTSPs, while maintaining full traceability of issuance, usage, and revocation. Your certificate policies must explicitly address eIDAS requirements.

NIS2 & Cybersecurity Requirements

The NIS2 Directive (Network and Information Security) is the EU's updated cybersecurity framework, applicable since October 2024. It dramatically expands the scope of organizations that must comply, covering essential and important entities across 18 sectors.

Encryption of Data in Transit

NIS2 requires "state of the art" encryption for network communications. TLS certificates, properly managed and promptly renewed, are the primary mechanism for achieving this. Organizations must demonstrate they have controls in place to prevent expired or misconfigured certificates.

Supply Chain Security

The directive mandates that organizations assess and manage risks from their supply chain. This includes verifying the integrity of software and updates through code signing certificates, and authenticating third-party connections with mutual TLS.

Incident Reporting

NIS2 imposes strict incident reporting timelines (24 hours for initial notification). A certificate-related outage or compromise qualifies as a reportable incident. Having full visibility into your certificate inventory reduces both the risk and the response time.

Risk Management Measures

Article 21 lists minimum security measures including cryptography, access control, and asset management. A well-governed PKI with centralized certificate lifecycle management directly addresses multiple items on this list.

DORA & the Financial Sector

The Digital Operational Resilience Act (DORA) targets financial entities: banks, insurance companies, investment firms, and their critical ICT service providers. Applicable since January 2025, DORA sets a high bar for digital operational resilience.

ICT Risk Management

DORA requires comprehensive ICT risk management frameworks that include cryptographic controls. Financial entities must identify, classify, and protect all ICT assets, which includes every digital certificate deployed across their infrastructure.

Operational Resilience Testing

DORA mandates regular testing of ICT systems, including threat-led penetration testing (TLPT). Certificate infrastructure must be resilient enough to withstand simulated attacks, and organizations must demonstrate they can rapidly rotate compromised certificates.

Third-Party ICT Risk

Financial entities must manage risks from third-party ICT providers, including Certificate Authorities. This means maintaining oversight of which CAs issue certificates for your organization, ensuring contractual safeguards, and having exit strategies if a CA is compromised or ceases operations.

GDPR & Encryption (Art. 32)

The General Data Protection Regulation is Europe's landmark data protection law. While GDPR does not prescribe specific technologies, Article 32 requires organizations to implement "appropriate technical and organisational measures" to ensure a level of security appropriate to the risk. Encryption is explicitly named as one such measure.

Encryption in Transit

TLS certificates protect personal data as it moves between systems. Every API endpoint, web application, and internal service that handles personal data should use properly configured TLS. An expired certificate on a data-processing endpoint is not just an operational issue; it is a GDPR compliance gap.

Pseudonymisation & Certificate-Based Identity

GDPR encourages pseudonymisation as a protective measure. Client certificates can authenticate users without exposing personal identifiers in application logs, supporting data minimisation principles while maintaining strong identity assurance.

Breach Notification & Certificate Incidents

If a certificate compromise leads to unauthorized access to personal data, GDPR's 72-hour breach notification requirement applies. Maintaining a complete certificate inventory and monitoring for anomalies reduces the likelihood of such incidents and speeds up response when they occur.

Industry Standards

Beyond regulations, several industry standards and frameworks set expectations for cryptographic controls and certificate management. Meeting these standards is often a prerequisite for doing business in specific sectors.

ISO/IEC 27001

The international standard for information security management systems (ISMS). Annex A controls explicitly cover cryptographic key management (A.10), requiring organizations to define policies for the use, protection, and lifetime of cryptographic keys and certificates.

PCI DSS

The Payment Card Industry Data Security Standard requires strong encryption for cardholder data in transit (Requirement 4) and robust key management practices (Requirement 3.5-3.7). Every certificate protecting payment data must be tracked, rotated on schedule, and issued by a trusted CA.

SOC 2

SOC 2 audits evaluate controls relevant to security, availability, processing integrity, confidentiality, and privacy. Encryption controls, including certificate management practices, are a common focus area. Auditors will ask how certificates are inventoried, renewed, and revoked.

NIST SP 800-57

The U.S. National Institute of Standards and Technology provides recommendations for key management. While not a regulation in Europe, many organizations reference NIST guidelines when designing their PKI architecture and certificate lifecycle policies.

Building a Compliance-Ready PKI

Meeting regulatory requirements is not about bolting compliance onto an existing PKI after the fact. It requires deliberate design choices and operational practices that make auditability and control inherent to how certificates are managed.

1. Centralized Certificate Inventory

You cannot demonstrate compliance over assets you do not know exist. A comprehensive, continuously updated certificate inventory is the foundation. Every certificate, regardless of issuing CA or deployment location, must be discovered, catalogued, and monitored.

2. Enforced Certificate Policies

Define certificate policies that encode regulatory requirements: minimum key lengths, approved algorithms, maximum validity periods, naming conventions, and allowed CAs. Then enforce them automatically so that non-compliant certificates cannot be issued.

3. Audit Trails & Reporting

Every certificate operation (issuance, renewal, revocation, policy change) should be logged with timestamps, user identities, and approval chains. These audit trails are what you present to regulators and auditors. Automated reporting dashboards reduce the burden of producing evidence on demand.

4. Automated Lifecycle Management

Manual processes introduce human error and create compliance gaps. Automating certificate enrollment, renewal, and deployment through protocols like ACME, SCEP, and EST ensures that certificates are always current, correctly configured, and issued according to policy.

5. Crypto Agility

Regulations evolve, and so do cryptographic standards. A compliance-ready PKI must be able to rapidly migrate to new algorithms (for example, post-quantum cryptography) without disrupting operations. This means avoiding hard-coded algorithm choices and maintaining flexibility in your certificate templates.
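As an added example (not code from the original article or from Evertrust), here is what step 2's automatic enforcement looks like using only Go's standard library: a Policy that captures the key-size floor, approved signature algorithms, validity cap and issuer allow-list, and a CheckPolicy function that returns every violation so a request can be blocked before issuance. The 2048-bit minimum, the 398-day cap and the CA name "Corp Issuing CA" are assumed values; NewTestCert builds a constructed certificate in memory so the check runs offline.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Policy encodes step 2's controls: RSA key size floor, approved signature algorithms, validity cap, issuer allow-list.
type Policy struct {
	MinRSABits     int
	AllowedSigAlgs map[x509.SignatureAlgorithm]bool
	MaxValidity    time.Duration
	AllowedIssuers map[string]bool // keyed by issuer CommonName
}
// CheckPolicy returns one message per violation; an empty result means the certificate is compliant.
func CheckPolicy(c *x509.Certificate, p Policy) []string {
	var v []string
	if k, ok := c.PublicKey.(*rsa.PublicKey); ok && k.N.BitLen() < p.MinRSABits {
		v = append(v, fmt.Sprintf("RSA key %d bits below minimum %d", k.N.BitLen(), p.MinRSABits))
	}
	if !p.AllowedSigAlgs[c.SignatureAlgorithm] {
		v = append(v, "signature algorithm not approved: "+c.SignatureAlgorithm.String())
	}
	if d := c.NotAfter.Sub(c.NotBefore); d > p.MaxValidity {
		v = append(v, fmt.Sprintf("validity %.0f days exceeds policy maximum", d.Hours()/24))
	}
	if !p.AllowedIssuers[c.Issuer.CommonName] {
		v = append(v, "issuer not on allow-list: "+c.Issuer.CommonName)
	}
	return v
}
// NewTestCert builds a certificate in memory with a throwaway key (constructed sample input; issuerCN is a hypothetical CA name).
func NewTestCert(bits, days int, issuerCN string) *x509.Certificate {
	key, _ := rsa.GenerateKey(rand.Reader, bits)
	parent := &x509.Certificate{Subject: pkix.Name{CommonName: issuerCN}} // the parent's subject becomes the issuer
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "api.example.test"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Duration(days) * 24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, key)
	c, _ := x509.ParseCertificate(der)
	return c
}

func main() { // a 1024-bit, two-year certificate from an unapproved CA: expect three violations
	p := Policy{MinRSABits: 2048, AllowedSigAlgs: map[x509.SignatureAlgorithm]bool{x509.SHA256WithRSA: true}, MaxValidity: 398 * 24 * time.Hour, AllowedIssuers: map[string]bool{"Corp Issuing CA": true}}
	fmt.Println(CheckPolicy(NewTestCert(1024, 730, "Legacy CA"), p))
}
```

In a CLM pipeline the same check would run against the CSR's key and the requested template before the CA ever signs, and each rejection would be written to the audit trail described in step 3.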

How we help

Evertrust & Compliance

Regulation-aware policy engine: Evertrust CLM lets you define certificate policies mapped to specific regulations (eIDAS, NIS2, DORA, GDPR). Non-compliant certificate requests are automatically blocked before issuance.

Complete audit trails: Every certificate operation is logged with full context: who requested it, who approved it, which policy was applied, and when it was deployed. Export audit reports in formats ready for regulatory review.

Multi-CA governance: Manage certificates from public CAs, private CAs, and QTSPs in a single platform. Evertrust PKI enforces consistent policies regardless of the issuing authority, giving you unified compliance visibility.

Compliance dashboards: Real-time dashboards show your compliance posture at a glance: certificates approaching expiration, policy violations, weak algorithms in use, and coverage gaps across your infrastructure.