What NIS2 and DORA Really Mean for Your PKI & Certificate Lifecycle Management
As the European regulatory landscape shifts toward heightened cyber resilience, the arrival of the NIS2 Directive and the Digital Operational Resilience Act (DORA) has fundamentally changed the requirements for digital security. For organizations in critical sectors and the financial industry, compliance is no longer just about high-level policy; it now demands granular control over cryptographic infrastructure. At the heart of this shift lies Certificate Lifecycle Management (CLM) – a critical discipline for maintaining the trust, encryption, and operational uptime mandated by these new laws. In this post, we explore why manual certificate tracking is no longer a viable option and how an automated CLM strategy serves as the backbone for meeting the rigorous security standards set by NIS2 and DORA.
What is Certificate Lifecycle Management (CLM)?
Certificate Lifecycle Management (CLM) is the process of managing digital certificates and their private keys from start to finish.
It covers:
🔎 Discovering all certificates in your environment
📜 Issuing certificates securely
🔄 Renewing certificates before they expire
❌ Revoking compromised certificates
🔐 Protecting private keys (ideally in HSMs or secure vaults)
📊 Keeping audit logs and compliance evidence
In simple terms, CLM ensures your certificates don’t expire unnoticed, don’t get compromised without a response, and don’t cause regulatory trouble.
Without CLM, organizations typically face:
- Unexpected service outages due to expired TLS certificates
- Poor visibility of internal CAs and the certificates they have issued
- Weak private key storage practices
- No audit trail to show regulators
What is NIS2?
The NIS2 Directive (EU) 2022/2555 is the EU’s updated cybersecurity law. It applies to essential and important entities (energy, healthcare, finance, digital infrastructure, cloud providers, etc.). It entered into force on 16 January 2023, and Member States had to transpose it into national law by 17 October 2024.
It requires organizations to:
- Implement appropriate technical and organizational security measures
- Use state-of-the-art cryptography
- Manage risks across supply chains
- Maintain incident reporting capabilities
- Ensure operational resilience
NIS2 does not say “implement CLM”, but Article 21(2)(h) requires policies and procedures on the use of cryptography and, where appropriate, encryption. You cannot evidence such a policy without knowing which keys and certificates you have, who controls them, and when they expire, which is certificate and key management discipline by another name.
What is DORA?
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, is specific to the financial sector (banks, insurers, fintechs, investment firms, crypto-asset service providers and their ICT providers). It entered into force on 16 January 2023 and has applied since 17 January 2025. DORA is more explicit than NIS2 regarding cryptography, mainly through its technical standards.
It requires:
- Full lifecycle management of cryptographic keys
- A certificate register for ICT assets supporting critical or important functions
- Strong access control and protection of authentication mechanisms
- Monitoring of third-party ICT providers
- ICT risk management documentation
In DORA’s terms, an unmanaged certificate is an unmanaged ICT asset, and therefore a compliance risk.
Where CLM Fits in NIS2 and DORA
Below is a simplified mapping from a compliance perspective:

| Regulation Reference | What the Regulation Requires | How CLM Helps |
|---|---|---|
| NIS2 – Risk Management Measures | Use of appropriate cryptographic controls | CLM ensures certificates and keys are securely issued, renewed, and revoked |
| NIS2 – Supply Chain Security | Oversight of third-party ICT & trust providers | CLM tracks external CAs, certificate providers, and expiration risks |
| NIS2 – Incident Handling | Ability to detect and report security incidents | CLM alerts on compromised or expiring certificates |
| DORA – ICT Risk Management | Secure management of authentication & encryption | CLM enforces certificate policies and key protection |
| DORA – Cryptographic Key Lifecycle | Full lifecycle control over keys | CLM manages issuance, rotation, revocation, and destruction |
| DORA – ICT Asset Inventory | Inventory of critical ICT assets | CLM provides a certificate inventory and health dashboard |
Detailed Mapping
| Regulation | Article/Recital | Requirement Summary | CLM Function Required |
|---|---|---|---|
| NIS2 Directive (EU) 2022/2555 | Art. 21(2)(h) – Cybersecurity risk-management measures | Requires “policies and procedures regarding the use of cryptography and, where appropriate, encryption”. | Encryption and key management: a documented cryptography policy plus the key and certificate inventory needed to evidence it |
| DORA Regulation (EU) 2022/2554 | Art. 9(4)(d) – Protection and prevention | Mandates policies and protocols for strong authentication mechanisms and “protection measures of cryptographic keys whereby data is encrypted based on … data classification and ICT risk assessment”. | Cryptographic key management (protect and manage the keys used for authentication and encryption) |
| DORA Regulation (EU) 2022/2554 | Art. 35(1)(d) – Powers of the Lead Overseer | The Lead Overseer may issue recommendations to critical ICT third-party service providers on specific ICT security requirements, “in particular in relation to … encryption and other security measures”. | Demonstrable encryption and key-management practice at ICT providers; financial entities should expect to evidence the same for the services they consume |
| DORA Delegated Reg. (EU) 2024/1774 – RTS | Art. 7(1) – Cryptographic key management | Entities must include in their key management policy requirements for managing keys through their whole lifecycle (generating, renewing, storing, … destroying). | Full key lifecycle management (generation, storage, renewal, revocation, destruction, etc.) |
| DORA Delegated Reg. (EU) 2024/1774 – RTS | Art. 7(2) – Cryptographic key management | Entities must identify and implement controls to protect cryptographic keys throughout their lifecycle against loss, unauthorised access, disclosure, and modification. | Key protection controls (HSM or vault storage, access control, encryption of keys at rest, auditing) |
| DORA Delegated Reg. (EU) 2024/1774 – RTS | Art. 7(3) – Cryptographic key management | Entities must have methods to replace cryptographic keys in case keys are lost, compromised or damaged. | Key rotation and replacement procedures, including emergency re-issuance |
| DORA Delegated Reg. (EU) 2024/1774 – RTS | Art. 7(4) – Cryptographic key management | Entities must create and maintain a register of all certificates and certificate-storing devices for at least the ICT assets supporting critical or important functions, and keep it up to date. | Certificate inventory management (tracking every certificate, its owner, and where its key is stored) |
| DORA Delegated Reg. (EU) 2024/1774 – RTS | Art. 7(5) – Cryptographic key management | Entities must ensure prompt renewal of certificates in advance of their expiration. | Automated certificate renewal with expiry alerting |
CLM Compliance Checklist (NIS2 & DORA Ready)
If your organization can answer “Yes” to the questions below, you are in a strong position:
Visibility
- Do we have a full inventory of all TLS, client, code-signing, and internal CA certificates?
- Do we know who owns each certificate and where its private key is stored?
Expiry & Renewal
- Are certificate renewals automated?
- Do we receive alerts at least 30–60 days before expiry?
- Does renewal generate a new private key rather than re-using the old one?
Key Protection
- Are private keys stored in HSMs or secure vaults?
- Is access to CA operations restricted and logged?
Revocation & Monitoring
- Can we revoke a certificate immediately if compromised?
- Are OCSP/CRL services monitored?
- Do our clients actually check revocation (OCSP stapling enabled, CRLs reachable), so that a revocation takes effect?
Audit & Documentation
- Do we have a written cryptography/key management policy?
- Can we export logs of issuance, renewal, and revocation events?
- Can we demonstrate certificate health to auditors within minutes?
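The CLM functions listed at the start of this post (discovery, renewal before expiry, revocation endpoints, key protection) and the checklist above come down to a small amount of code once you have a certificate register. The following is an added example, not part of the original post and not PKI Insights code: it builds a certificate register in Go from constructed, in-memory self-signed certificates, then assesses each entry the way a CLM dashboard would, using the 60-day warning and 30-day critical windows from the checklist and flagging missing OCSP/CRL endpoints, weak RSA keys, and private keys held outside an HSM or vault. All hostnames, team names, storage locations and URLs are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// RegisterEntry is one row of a certificate register in the spirit of RTS 2024/1774
// Art. 7(4): the certificate, its accountable owner and where the private key lives.
type RegisterEntry struct {
	Owner    string // hypothetical team label
	Location string // "hsm", "vault" or "file"
	Cert     *x509.Certificate
}

type Finding struct {
	Subject  string
	Status   string // "expired", "critical", "warning" or "ok"
	DaysLeft int
	Issues   []string
}

// Assess classifies a certificate by remaining lifetime and flags what a CLM tool
// should surface: no revocation endpoint, weak RSA key, key kept outside an HSM/vault.
func Assess(now time.Time, e RegisterEntry, warnDays, critDays int) Finding {
	days := int(e.Cert.NotAfter.Sub(now).Hours() / 24)
	f := Finding{Subject: e.Cert.Subject.CommonName, DaysLeft: days, Status: "ok"}
	switch {
	case days < 0:
		f.Status = "expired"
	case days <= critDays:
		f.Status = "critical"
	case days <= warnDays:
		f.Status = "warning"
	}
	if len(e.Cert.OCSPServer) == 0 && len(e.Cert.CRLDistributionPoints) == 0 {
		f.Issues = append(f.Issues, "no OCSP or CRL endpoint in certificate")
	}
	if pub, ok := e.Cert.PublicKey.(*rsa.PublicKey); ok && pub.N.BitLen() < 2048 {
		f.Issues = append(f.Issues, "RSA key shorter than 2048 bits")
	}
	if e.Location != "hsm" && e.Location != "vault" {
		f.Issues = append(f.Issues, "private key not held in HSM or vault")
	}
	return f
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCert builds a self-signed certificate in memory: constructed data standing in
// for what discovery would find, not a real issuance. The URLs are hypothetical.
func newCert(cn string, notAfter time.Time, withRevocationURLs bool, key crypto.Signer) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(notAfter.Unix()), // test-only serial; real CAs use random ones
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-365 * 24 * time.Hour),
		NotAfter:     notAfter,
	}
	if withRevocationURLs {
		tmpl.OCSPServer = []string{"http://ocsp.example.test"}
		tmpl.CRLDistributionPoints = []string{"http://crl.example.test/ca.crl"}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key))
	return must(x509.ParseCertificate(der))
}

// SampleRegister returns constructed entries covering the states a CLM dashboard
// must tell apart. Names, owners and locations are hypothetical.
func SampleRegister(now time.Time) []RegisterEntry {
	ec := func() crypto.Signer { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	weak := must(rsa.GenerateKey(rand.Reader, 1024)) // deliberately weak, to exercise the key-size check
	return []RegisterEntry{
		{"payments-team", "hsm", newCert("api.payments.example.test", now.Add(200*24*time.Hour), true, ec())},
		{"identity-team", "hsm", newCert("sso.example.test", now.Add(45*24*time.Hour), true, ec())},
		{"platform-team", "file", newCert("legacy.internal.example.test", now.Add(10*24*time.Hour), false, weak)},
		{"unknown", "file", newCert("old-batch.internal.example.test", now.Add(-3*24*time.Hour), true, ec())},
	}
}

func main() {
	now := time.Now().UTC()
	for _, e := range SampleRegister(now) {
		f := Assess(now, e, 60, 30)
		fmt.Printf("%-32s %-8s %5dd  %v\n", f.Subject, f.Status, f.DaysLeft, f.Issues)
	}
}
```

Run with `go run .`: each line shows the subject, its status, days left and any issues. In production the register is populated by discovery (endpoint scans, CA databases, key stores) rather than constructed certificates, and the findings are what you export as evidence for the register and renewal requirements in the RTS.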
Simplify DORA & NIS2 compliance with PKI Insights
PKI Insights brings CLM and PKI Posture together in a single platform, simplifying your DORA and NIS2 compliance. It combines continuous PKI posture assessment (deep visibility into CAs, trust relationships, permissions, cryptographic health and risk) with certificate lifecycle management (CLM) capabilities that safely automate day-to-day operations.
Think of PKI Insights as a Swiss Army knife for your PKI infrastructure: it continuously evaluates whether your PKI is secure and enables automation only when the underlying trust is sound. This ensures enterprises don’t just automate certificates but automate PKI safely, confidently, and at scale.
A single instance of PKI Insights covers all aspects of PKI Posture and CLM for:
- CAs
- HSMs
- TLS/SSL endpoints
- Webservers & more
Final Takeaway
NIS2 and DORA are not “PKI regulations.” But they require disciplined cryptographic control.
That discipline is achieved through Certificate Lifecycle Management (CLM). If your certificates are unmanaged, undocumented, or manually tracked, you have compliance exposure.
If your CLM is automated, monitored, and auditable – you are aligned with regulatory expectations.
Also check out our blog on: What should an enterprise prioritize? PKI CLM or PKI Posture.
