DORA now applies, and for many financial entities the question is no longer "what does the regulation require" but "where do we start". This guide offers a practical sequence — with certificate management as one of the most concrete places to begin. For the overarching framework, see our DORA page.
1. Start with an ICT asset overview
Almost everything in DORA rests on knowing what you have. Risk assessment, protection, incident response and testing all assume a current overview of ICT assets. Certificates are a good place to begin, because they are concrete, measurable and often already unmanaged: a complete register of every TLS certificate — internal and external, your own and your suppliers' — is both a quick win and a foundation for the rest. See the principles in TLS certificate inventory.
2. Run a gap analysis against the five pillars
With the overview in place, you can hold your current practice up against DORA's five pillars and find the gaps. For each pillar: what do we have, what is missing, and what is documented? A structured walkthrough of DORA's requirements pillar by pillar makes it easier to prioritise by risk rather than by what is easiest.
3. Get a grip on third-party providers
ICT third-party risk is often the pillar that requires the most work, because it involves parties outside the organisation. Build a register of supplier arrangements, assess criticality and establish ongoing monitoring. For certificates, that means including the supplier systems running on your domains — they are part of your security posture, regardless of who operates them.
4. Build documentation and testing in continuously
DORA rewards documentable, sustained control — not a snapshot created for an audit. So set up your processes so that documentation is generated continuously: asset registers that update automatically, alerts that are logged and reports that build over time. The same applies to testing: repeated vulnerability assessments catch weak TLS configuration and expired certificates before they become incidents.
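As an added example (not the page's or CertControl's code) of the certificate register in step 1 and the expiry and weak-protocol checks in step 4: a small Python register built from live handshakes, with the assessment logic kept separate so it can be run on stored entries. It assumes port 443, a 30-day warning window and TLS 1.2 as the oldest acceptable protocol; host names and owner labels are placeholders.

```python
# Hypothetical example, not CertControl code: a minimal TLS certificate register
# with expiry and protocol findings (assumes port 443, 30-day window, TLS >= 1.2).
import socket
import ssl
import time

WARN_DAYS = 30
ACCEPTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}

def fetch_cert(host, owner="internal", port=443, timeout=5.0):
    """Handshake with a verifying context and return one register entry.
    getpeercert() is only populated after chain validation, so an untrusted or
    self-signed certificate raises ssl.SSLCertVerificationError rather than
    silently producing an empty record."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "host": host, "owner": owner,  # owner: "internal" or supplier name
                "subject": dict(rdn[0] for rdn in cert["subject"]).get("commonName"),
                "issuer": dict(rdn[0] for rdn in cert["issuer"]).get("organizationName"),
                "sans": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                "not_after": ssl.cert_time_to_seconds(cert["notAfter"]),
                "protocol": tls.version(),
            }

def assess(entry, now=None):
    """Findings for one register entry; an empty list means nothing to act on."""
    now = time.time() if now is None else now
    findings = []
    days_left = (entry["not_after"] - now) / 86400
    if days_left < 0:
        findings.append("expired")
    elif days_left <= WARN_DAYS:
        findings.append("expires in %d days" % days_left)
    if entry["protocol"] not in ACCEPTED_PROTOCOLS:
        findings.append("weak protocol " + entry["protocol"])
    return findings

def build_register(hosts, now=None):
    """hosts: iterable of (hostname, owner). Unreachable or untrusted hosts stay
    in the register as errors: a silent gap is exactly what an audit finds."""
    register = []
    for host, owner in hosts:
        try:
            entry = fetch_cert(host, owner)
            entry["findings"] = assess(entry, now)
        except OSError as exc:  # covers socket errors and every ssl.SSLError
            entry = {"host": host, "owner": owner, "findings": ["error: %s" % exc]}
        register.append(entry)
    return register
```

Run it as `build_register([("www.example.com", "internal"), ("portal.example.com", "supplier-x")])`; entries with non-empty findings are the ones to act on, and supplier-owned hosts appear alongside your own.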
A practical sequence
For most entities it makes sense to take it in this order: (1) establish the asset overview, starting with certificates; (2) run the gap analysis against the five pillars; (3) close the biggest gaps in risk management and third-party risk first; (4) automate documentation and monitoring so the control maintains itself. The point is to make the work continuous — not a one-off exercise before a deadline.
How CertControl helps with the certificate part
Certificates are the obvious place to show fast progress in a DORA implementation. CertControl builds a complete certificate inventory automatically — via Certificate Transparency logs and scanning, with no manual mapping — covers internal systems behind the firewall through an on-premise agent, keeps control alive between audits with TLS grading and early expiry alerts, and generates the ongoing reports and audit log that DORA supervision values.