DORA · Financial sector

DORA: What the Regulation Requires of Financial Entities

Since 17 January 2025, DORA (Regulation EU 2022/2554) has set uniform requirements for digital operational resilience across the financial sector. Here are the regulation's five pillars, who it covers, and where certificate management and TLS fit in.

14-day free trial  ·  No credit card required  ·  EU hosted  ·  Dedicated instance per customer

What is DORA?

One common framework for digital resilience in finance

DORA — the Digital Operational Resilience Act — is Regulation (EU) 2022/2554. It has applied since 17 January 2025 and consolidates the requirements for ICT security and operational resilience in the financial sector into a single rulebook.

A regulation, not a directive

As a regulation, DORA applies directly in every EU member state without national implementation. That gives uniform requirements across the union — unlike a directive such as NIS2, which is transposed into national law. The differences are covered in detail in DORA and NIS2 in the financial sector.

Who is covered?

A broad range of financial entities: banks, insurance and reinsurance undertakings, investment firms, payment and e-money institutions, crypto-asset service providers and more. In addition, critical ICT third-party providers — such as certain cloud providers — can be brought under direct oversight.

How the regulation is structured

DORA's five pillars

DORA is built around five interconnected areas. Together they cover the full lifecycle of ICT risk in a financial entity.

1 · ICT risk management

A governance framework to identify, protect, detect, respond to and recover from ICT risks — including asset management and cryptographic controls.

2 · Incident reporting

Classifying and reporting major ICT-related incidents to the relevant authorities within set deadlines.

3 · Resilience testing

Regular testing of digital resilience — and, for certain entities, advanced threat-led penetration testing (TLPT).

4 · ICT third-party risk

Managing risk from ICT providers: contractual requirements, a register of arrangements and oversight of critical third-party providers.

5 · Information sharing

Voluntary sharing of cyber-threat information and indicators between financial entities to strengthen collective resilience.

→ In practice

Certificate and TLS management is most relevant to pillar 1 (assets and cryptography), pillar 2 (incidents) and pillar 4 (third parties).

The certificate angle

Where certificate management fits into DORA

DORA does not mention "TLS certificate" word for word, but certificates are both ICT assets and cryptographic controls — and are therefore relevant to several of the regulation's requirements.

ICT asset management

ICT risk management requires an overview of ICT assets. TLS certificates are ICT assets — a complete, current certificate inventory is a concrete part of that overview.

Protection and cryptography

DORA's protective measures include cryptographic controls. Valid certificates served with current protocol versions and strong cipher suites are a direct implementation of that control.

Third-party risk

Suppliers' systems often run on your domains. Their certificate health is part of your ICT third-party risk — and should be tracked actively.

Incident reporting

A certificate expiry that takes a critical service down can be an ICT-related incident. An inventory with early alerts reduces both the risk and the response time.

Documentation and testing

Audit-ready reports on certificate status and an audit log support the documentation requirements and feed into the overall resilience picture.
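The checks described above (an asset inventory of certificates, early expiry alerts, grading of protocol versions and cipher suites, and a third-party view of supplier-run hosts) can be run over inventory records in a few dozen lines. The following is an added example written for this page, not CertControl code: the records are constructed sample data, the alert tiers (7, 14 and 30 days), the deprecated-protocol set and the weak-cipher markers are assumptions, and the `supplier:` owner prefix is a hypothetical convention for marking third-party systems.

```python
"""Certificate inventory checks (added example; not CertControl code).

Runs expiry alerting and a simple TLS grade over inventory records, the kind
of data a certificate scan produces. Every record below is constructed
sample data; thresholds and grading rules are assumptions, not DORA text.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Assumed alerting thresholds: the alert names the tightest tier the certificate is inside.
ALERT_TIERS_DAYS = (7, 14, 30)
# Protocol versions treated as deprecated by the grade (assumption).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL-style cipher names that mark a weak suite (assumption).
WEAK_CIPHER_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


@dataclass(frozen=True)
class CertRecord:
    host: str
    owner: str           # internal team, or "supplier:<name>" for a third-party-run system
    not_after: datetime  # certificate expiry (UTC)
    protocol: str        # negotiated protocol, OpenSSL naming (e.g. "TLSv1.2")
    cipher: str          # negotiated cipher suite, OpenSSL naming


def expiry_alert(rec: CertRecord, now: datetime) -> Optional[str]:
    """Return the alert text for a certificate, or None when no alert is due."""
    days_left = (rec.not_after - now).days
    if days_left < 0:
        return "expired"
    for tier in ALERT_TIERS_DAYS:
        if days_left <= tier:
            return f"expires within {tier} days"
    return None


def tls_findings(rec: CertRecord) -> List[str]:
    """Grade the negotiated protocol and cipher; an empty list means clean."""
    findings = []
    if rec.protocol in DEPRECATED_PROTOCOLS:
        findings.append(f"deprecated protocol {rec.protocol}")
    upper = rec.cipher.upper()
    if any(marker in upper for marker in WEAK_CIPHER_MARKERS):
        findings.append(f"weak cipher {rec.cipher}")
    # TLS 1.3 suites always use ephemeral key exchange; older suites need ECDHE/DHE for forward secrecy.
    if rec.protocol != "TLSv1.3" and not upper.startswith(("ECDHE", "DHE")):
        findings.append("no forward secrecy")
    return findings


def check_inventory(records: List[CertRecord], now: datetime) -> Dict[str, dict]:
    """Evaluate every record, keyed by host so a report or alert pipeline can consume it."""
    return {
        rec.host: {
            "owner": rec.owner,
            "days_left": (rec.not_after - now).days,
            "alert": expiry_alert(rec, now),
            "findings": tls_findings(rec),
        }
        for rec in records
    }


def needs_attention(results: Dict[str, dict]) -> List[str]:
    """Hosts with an expiry alert or a TLS finding, most urgent (fewest days left) first."""
    flagged = [h for h, r in results.items() if r["alert"] or r["findings"]]
    return sorted(flagged, key=lambda h: results[h]["days_left"])


def third_party_hosts(results: Dict[str, dict]) -> List[str]:
    """Flagged hosts that a supplier operates, for the third-party risk view."""
    return [h for h in needs_attention(results) if results[h]["owner"].startswith("supplier:")]


# Constructed sample inventory; a fixed "now" keeps the run reproducible.
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    CertRecord("api.example-bank.test", "payments-team", NOW + timedelta(days=90), "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    CertRecord("portal.example-bank.test", "web-team", NOW + timedelta(days=10), "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    CertRecord("legacy.example-bank.test", "core-banking", NOW + timedelta(days=200), "TLSv1", "DES-CBC3-SHA"),
    CertRecord("pay.example-bank.test", "supplier:acme-payments", NOW - timedelta(days=2), "TLSv1.2", "AES256-SHA"),
]


def run_sample() -> Dict[str, dict]:
    """Run the checks over the constructed inventory."""
    return check_inventory(SAMPLE_INVENTORY, NOW)


if __name__ == "__main__":
    results = run_sample()
    for host in needs_attention(results):
        r = results[host]
        print(f"{host:26} {r['owner']:24} days_left={r['days_left']:4} alert={r['alert']} findings={r['findings']}")
```

In the sample run the supplier-operated host is already expired, the customer portal is inside the 14-day tier, and the legacy host has no expiry problem but fails the grade on protocol, cipher and forward secrecy; the API host is clean and never appears in the attention list. Keeping the owner on every record is what makes the third-party view possible without a second inventory.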

→ How CertControl covers it

Complete certificate inventory, TLS grading, on-premise agent and automated reports — on one EU-hosted platform. See the platform →

Frequently asked questions

DORA — questions answered

What is DORA?

DORA (the Digital Operational Resilience Act, Regulation EU 2022/2554) is an EU regulation that sets uniform requirements for digital operational resilience in the financial sector. It has applied since 17 January 2025 and covers ICT risk management, incident reporting, resilience testing, third-party risk and information sharing.

Who is covered by DORA?

A broad range of financial entities — banks, insurance and reinsurance undertakings, investment firms, payment and e-money institutions, crypto-asset service providers and others. In addition, critical ICT third-party providers, such as certain cloud providers, can be brought under direct oversight.

What is the difference between DORA and NIS2?

NIS2 is a directive that applies broadly across critical sectors and is implemented in national law. DORA is a regulation that applies directly and specifically to the financial sector. For financial entities, DORA is largely the sector-specific framework — but both impose ICT security requirements, including certificate and TLS management.

Where does certificate management fit into DORA?

TLS certificates are ICT assets and cryptographic controls. They are relevant to DORA's requirements for ICT asset management and protection, third-party risk (suppliers' certificates) and incident reporting. A complete certificate inventory with monitoring and documentation supports several of the regulation's requirements.

Related resources

Guides on DORA and certificate compliance

Guide

What Is DORA? A Guide to the EU Regulation

Background, purpose and timeline for DORA — and what the regulation means in practice for financial entities.

Read the guide →

Guide

DORA Requirements: The Five Pillars Explained

A walkthrough of DORA's requirements pillar by pillar, from ICT risk management to third-party risk.

Read the guide →

Guide

DORA Implementation: How to Get Started

A practical sequence for financial entities — from asset overview to ongoing documentation.

Read the guide →

Guide

DORA Audit Requirements: What Auditors Expect

What auditors and supervisors ask for under DORA — and how certificate documentation fits in.

Read the guide →

Banks

DORA for Banks: What Compliance Requires

Banks are core entities under DORA. The biggest tasks — and where the certificate part fits in.

Read the guide →

Financial sector

DORA and NIS2 Certificate Requirements in Financial Services

How DORA and NIS2 overlap on TLS certificate management for banks and insurers.

Read the guide →

Related pages

NIS2 certificate compliance →
TLS and SSL certificate monitoring →
See the full CertControl platform →

Get certificates under control before the DORA audit

Inventory every certificate, monitor TLS health and generate audit-ready documentation — on one EU-hosted platform. Full access for 14 days.