DORA's requirements can look sprawling, but they are structured around five interconnected pillars. Understanding them individually makes it easier to see where a financial entity stands — and where certificate and TLS management is concretely affected. For the overarching framework, see our DORA page.
Pillar 1: ICT risk management
The core of DORA. The entity must have a governance framework for ICT risk in which the management body holds clear responsibility. The framework must cover the full cycle: identifying risks and assets, protecting systems and data, detecting anomalies, responding to incidents and recovering operations. A central element is an overview of ICT assets and the implementation of protective measures, including cryptographic controls.
Pillar 2: Managing and reporting ICT incidents
The entity must be able to detect, handle and classify ICT-related incidents against uniform criteria — and report the most significant ones to the relevant authorities within set deadlines. The aim is both to limit damage and to give authorities a picture of the threat landscape across the sector. A prerequisite for fast reporting is being able to establish what happened and which systems are affected.
Pillar 3: Digital operational resilience testing
DORA requires the entity to test its resilience regularly — from basic vulnerability assessments to, for the most significant entities, advanced threat-led penetration testing (TLPT). Testing should surface weaknesses before an attacker or an operational incident does. Weak TLS configuration and expired certificates are among the classic findings in this kind of testing.
Pillar 4: Managing ICT third-party risk
Financial entities depend heavily on ICT providers. DORA therefore requires active management of third-party risk: a register of arrangements, concrete contractual requirements, risk assessment before engagement and ongoing monitoring. Critical ICT third-party providers can also be brought under a dedicated oversight framework. Suppliers' certificates on your domains are part of this picture — see supplier certificate risk.
Pillar 5: Information sharing
The fifth pillar is voluntary: DORA encourages financial entities to share information on cyber threats and indicators within trusted communities. The idea is that the sector's collective resilience strengthens when knowledge of attacks is shared quickly.
Where TLS certificates are affected
Certificates do not appear as a pillar of their own, but they recur across several: as ICT assets and cryptographic controls (pillar 1), as a possible cause of an incident (pillar 2), as a typical finding in testing (pillar 3) and as part of the supplier picture (pillar 4). A complete certificate inventory with monitoring and documentation is therefore not a niche task — it supports several of the regulation's requirements at once.
How CertControl covers the certificate part
CertControl delivers the part of DORA work that concerns certificates and TLS — concretely and verifiably. It builds a complete certificate inventory automatically (the ICT asset overview auditors ask for), documents the cryptographic controls through TLS and cipher grading, prevents expiry-driven incidents with early alerts to named owners, and extends the same inventory and alerting to suppliers' certificates on your domains for third-party risk.