
DORA Compliance
DORA Certificate Register
Complete certificate inventory in line with DORA requirements – from discovery through build-out to ongoing lifecycle management.
What Is the DORA Certificate Register?
The Digital Operational Resilience Act (DORA) requires financial entities to maintain a complete, up-to-date inventory of all cryptographic assets and digital certificates. Article 7(4) of the RTS on ICT Risk Management (EU 2024/1774) states: "Financial undertakings shall establish and maintain a register of all certificates and certificate stores for at least those ICT assets supporting critical or important functions."
The certificate register is therefore not an optional governance instrument but a regulatory obligation. During inspections by BaFin, the ECB or other competent authorities, the register is used as evidence of ICT risk control. Missing or outdated entries can be classified as material control weaknesses.
Blackfort Technology supports financial entities and their ICT third-party providers in building and operating a DORA-compliant certificate register – from the initial discovery phase through process integration to tool selection.
Technical Requirements Under the RTS
Article 7(4) of the RTS on ICT Risk Management (EU 2024/1774) sets out four core technical requirements. First, comprehensive recording of all PKI certificates including type, issuance and expiry dates, and purpose. Second, automated monitoring with proactive alerts for upcoming expirations or anomalies. Third, compliance with current security standards to prevent unauthorised access and manipulation. Fourth, complete audit logging of all changes and access to the register.
These requirements are technically achievable – but only sustainable if they do not depend on manual processes or spreadsheets. In organisations with more than 500 employees, an average of 40–60% of all active certificates are not recorded in a central register. In the event of a regulatory inspection by the BaFin or ECB, such an inventory would not be audit-ready.
Particular attention must be paid to short-lived certificates (90-day certificates via Let's Encrypt and similar), which require an automated lifecycle management process. DORA implicitly requires that certificate expiry must not lead to unplanned outages – a direct link to the DORA requirement for ICT operational stability.
Building a DORA-Compliant Certificate Register
A robust certificate register consists of three layers: Discovery (finding all certificates), Inventory (structured recording in a central system) and Lifecycle Management (automated monitoring, renewal and alerting). Without automation in the discovery layer, complete inventories are not maintainable in mid-sized and large organisations.
Suitable tool foundations include dedicated Certificate Lifecycle Management (CLM) solutions such as Venafi, Keyfactor or AppViewX, as well as SIEM integration and internal PKI solutions (Microsoft ADCS, EJBCA). Blackfort assesses your existing PKI infrastructure and recommends the approach with the best cost-benefit ratio for your specific DORA compliance situation.
On the process side, the certificate register must be integrated into change management: every new system deployment, every supplier change and every infrastructure modification must trigger a certificate review. We help you embed this integration into your existing ITSM processes (ServiceNow, Jira Service Management or similar).
DORA Certificate Register and ICT Third-Party Providers
DORA places specific requirements on the certificate situation with ICT third-party providers. When a cloud provider or managed service provider manages certificates on behalf of the financial entity, the financial entity must still be able to maintain a complete overview and respond immediately in the event of outages or security incidents.
The RTS on DORA third-party risk (Joint RTS under Articles 28 ff.) requires that contractual arrangements with ICT third-party providers explicitly include audit, information and data transfer rights in the area of certificates and cryptographic assets. Blackfort reviews your existing contracts for these requirements and supports renegotiation where needed.
For DORA-critical ICT third-party providers (subcategory under Article 31 DORA), enhanced requirements apply. Their certificate management must be reflected in your own register, and your monitoring process must ensure that their certificate expiry is also continuously tracked.
DORA Certificate Checklist
- Complete certificate discovery (on-premises + cloud)
- Central inventory with full metadata
- Expiry monitoring & automatic alerting
- Lifecycle processes (renewal, revocation)
- Integration into change management
- Third-party provider coverage
- Audit-ready documentation for BaFin/ECB
Assess Your DORA Readiness
We analyse your current certificate posture and identify DORA compliance gaps.
Get in Touch
Build a DORA-Compliant Certificate Register
Let us analyse your certificate posture and establish an inventory process that meets regulatory requirements.