DORA (Digital Operational Resilience Act) and its challenges for financial institutions and their service providers
The EU regulation DORA is a major change for financial institutions; it focuses on IT security and digital operational resilience. DORA obliges not only banks and financial service providers to protect their IT systems against cyber risks, but also their IT service providers.
The aim of DORA is to strengthen the digital resilience of EU financial companies and their ICT (Information and Communication Technology) service providers and to create a consistent regulatory framework across the EU. The aim is to reduce the risk of cyberattacks and ICT disruptions along the entire European financial value chain. As of 17 January 2025, companies, authorities and organizations affected by the regulation must implement a large number of requirements.
As a provider of a certificate management system (essendi xc) with customers in the banking sector, we have first-hand knowledge of the requirements for certificate management.
Encryption and digital certificates are an essential part of cyber security under DORA and ensure that the digital operational resilience of financial institutions, as well as the protection of highly sensitive customer data, is guaranteed. Companies in the financial sector must implement efficient mechanisms to prevent IT risks.

DORA’s Five Key Areas of Action: An Overview of the Requirements for Financial Companies
I. Risk and Incident Management
Companies must develop comprehensive strategies to identify and assess potential IT risks at an early stage and to be able to respond quickly and effectively in the event of an incident.
DORA also requires a robust risk mitigation and incident response strategy that includes digital certificates. In the event of a cyber incident that could compromise the integrity or availability of certificates, clear processes must be in place to recover and secure communications. Certificate management plays a key role in ensuring that communication channels remain encrypted and trusted.
II. Reporting Requirements
Financial institutions are required to immediately report serious IT security incidents to the appropriate authorities in order to ensure transparency and protection of the financial system.
Organizations are required to report incidents that threaten the security of their IT infrastructure. If a digital certificate issue (such as an expired certificate, key compromise, or insecure algorithms) occurs that affects business operations or data security, it must be reported quickly to the appropriate authorities.
III. Regular Audits and Reviews
To ensure that IT security measures are always up to date, organizations need to conduct regular audits and reviews of their systems and processes.
Financial institutions are required to regularly review and audit their IT infrastructures, including certificate and key management systems. The goal is to identify and address potential vulnerabilities at an early stage. These audits must ensure that certificates are properly managed and used to ensure a resilient IT environment.
IV. Supplier and Third Party Management
Organizations need to ensure that their IT service providers and third parties also adhere to high security standards and that potential risks from external partners are monitored and minimized.
Financial institutions must ensure that external service providers they work with use secure IT infrastructures and also rely on trusted and up-to-date digital certificates. DORA requires companies to monitor and ensure that their third-party service providers comply with these requirements.
V. Security Standards and Encryption
To ensure the confidentiality, integrity and availability of data, companies must use the best available security standards and encryption technologies.
DORA requires that financial institutions and critical IT service providers adhere to the strictest security standards to ensure the protection of IT systems. This includes the use of strong and state-of-the-art encryption methods supported by digital certificates to ensure the confidentiality, integrity and authenticity of data.
Certificate Management Challenges for Financial Service Providers
DORA requires clearly structured and regulated handling of digital certificates, which are a central component of encrypted digital communication. This includes their secure deployment, monitoring, renewal and management as well as compliance with the highest security standards in order to minimize cyber risks. In addition, DORA requires that financial institutions remain capable of acting in the area of cryptography and encryption.
DORA also calls for the implementation of a complete certificate registry that must be kept up to date. This is an additional challenge for financial service providers, as it is costly to identify and inventory all certificates (and ideally all keys, encryption methods and other cryptographic components) used in their network. An incomplete inventory can lead to significant security risks.
Encryption and digital certificates are an essential part of cybersecurity under DORA, ensuring the digital operational resilience of financial institutions and the protection of highly sensitive customer data. DORA goes even further, requiring encryption not only of data at rest and data in motion, but also of data in use. This means that financial institutions must implement technologies that protect data while it is being processed – a requirement that is not only technologically challenging, but also requires new processes and systems.
An expired certificate can have serious consequences, from business disruption to cyber attacks. Banks must therefore not only ensure that their certificates are renewed on time, but also conduct regular tests and audits to keep their security architecture up to date and demonstrate their ability to act.
Requirements for effective certificate management under DORA include:
- Key management: The cryptographic keys associated with the certificates must be handled securely and in accordance with DORA specifications. This includes secure storage solutions and access protocols.
- Continuous validity monitoring: Financial institutions must ensure that digital certificates are always up-to-date and valid to avoid security breaches.
- Inventory and discovery: A key requirement is to establish and maintain a complete and up-to-date certificate registry that includes all relevant cryptographic assets. Automated tools for discovering and managing such assets are essential.
The regulation also makes it clear that financial institutions must implement effective mechanisms to prevent IT risks. This includes automated systems for monitoring and renewing certificates, such as essendi xc. They help minimize the risks associated with expired or non-renewed certificates. These systems can also help financial institutions manage their certificate inventories to ensure compliance with strict DORA requirements.
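The three requirements listed above (key management, continuous validity monitoring, and a complete inventory) all reduce to the same routine operation: walk the certificate registry and flag every entry that is expired, about to expire, backed by a weak key or signature algorithm, or has no known owner. The script below is an added illustration of that check and is not code from essendi xc or from this article. The inventory records, the reference date, and the policy thresholds (30-day warning window, minimum RSA/EC key sizes, the list of deprecated signature algorithms) are constructed assumptions for the example, not values prescribed by DORA.

```python
"""Certificate inventory check: expiry, key strength, signature algorithm, ownership.

Constructed example using only the Python standard library. The records below are
invented sample data; a real registry would be filled by a discovery tool.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy thresholds: assumptions chosen for this example, not DORA-mandated values.
WARN_DAYS = 30                 # raise an alert this many days before expiry
MIN_RSA_BITS = 2048
MIN_EC_BITS = 256
WEAK_SIG_ALGS = {"sha1WithRSAEncryption", "md5WithRSAEncryption"}


@dataclass
class CertRecord:
    """One entry of the certificate registry (hypothetical schema)."""
    subject: str
    host: str
    not_after: datetime        # timezone-aware expiry date
    key_alg: str               # "RSA" or "EC"
    key_bits: int
    sig_alg: str
    owner: Optional[str] = None  # responsible team; None means ownership is unknown


def assess(rec: CertRecord, now: datetime) -> list[str]:
    """Return the findings for one certificate; an empty list means no issue."""
    findings: list[str] = []
    remaining = rec.not_after - now
    if remaining <= timedelta(0):
        findings.append("EXPIRED")
    elif remaining <= timedelta(days=WARN_DAYS):
        findings.append(f"EXPIRES_IN_{remaining.days}_DAYS")
    if rec.key_alg == "RSA" and rec.key_bits < MIN_RSA_BITS:
        findings.append("WEAK_KEY")
    elif rec.key_alg == "EC" and rec.key_bits < MIN_EC_BITS:
        findings.append("WEAK_KEY")
    if rec.sig_alg in WEAK_SIG_ALGS:
        findings.append("WEAK_SIGNATURE")
    if rec.owner is None:
        # An entry nobody owns is a gap in the inventory, not just a renewal risk.
        findings.append("NO_OWNER")
    return findings


def inventory_report(records: list[CertRecord], now: datetime) -> dict[str, list[str]]:
    """Map each non-compliant host to its findings; compliant hosts are omitted."""
    report: dict[str, list[str]] = {}
    for rec in records:
        findings = assess(rec, now)
        if findings:
            report[rec.host] = findings
    return report


# Fixed reference time so the example is deterministic.
NOW = datetime(2025, 1, 17, tzinfo=timezone.utc)

# Constructed sample registry: one healthy entry, one expiring soon, one legacy entry.
SAMPLE = [
    CertRecord("CN=api.bank.example", "api.bank.example", NOW + timedelta(days=200),
               "RSA", 3072, "sha256WithRSAEncryption", "payments-team"),
    CertRecord("CN=login.bank.example", "login.bank.example", NOW + timedelta(days=12),
               "EC", 256, "ecdsa-with-SHA256", "iam-team"),
    CertRecord("CN=legacy.bank.example", "legacy.bank.example", NOW - timedelta(days=3),
               "RSA", 1024, "sha1WithRSAEncryption", None),
]

if __name__ == "__main__":
    for host, findings in inventory_report(SAMPLE, NOW).items():
        print(f"{host}: {', '.join(findings)}")
```

Run as a script, the report lists only the two problematic hosts; the healthy entry produces no findings. In practice the same check would run on a schedule against the live registry and feed an alerting or ticketing system, which is what turns a one-off inventory into the continuous monitoring the requirement asks for.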
essendi xc and DORA
How our certificate management system essendi xc supports banks and financial service providers in meeting the DORA requirements
Our certificate management system essendi xc can help you meet DORA's requirements regarding digital certificates efficiently.
The most important functions of essendi xc at a glance:
The tool supports common encryption algorithms (for experts: RSA, ECC, DSA) so that essendi xc can be integrated into the strict IT security architectures of banks.
essendi xc supports users and security administrators in the area of cryptography by creating sensitive key material and certificates within a compliant framework. Simple processes shorten process times and prevent errors. Administrators and certificate managers are supported throughout the entire lifecycle.
Sustainable solution
To meet future challenges, we are already integrating quantum-safe encryption methods into essendi xc. In this way, future threats that may arise from quantum computers can also be averted.
Reporting and Auditing
The dashboard can be used to generate all types of reports that are important for DORA-related audits. Banks are required to regularly review and document their IT security measures. essendi xc supports this process with clear and comprehensible reports. In addition, special audit roles are offered.
All certificates at a glance – essendi xc monitors and supports the entire lifecycle of certificates and alerts you in good time before they expire, including through an integrated crypto inventory.
Customizable automation
The level of automation in the system can be customized, from manual administration to fully automated certificate application and auto-renewal. This reduces human error and ensures that certificates never expire unnoticed. This is what makes large volumes of digital certificates manageable.
Seamless integration into existing IT environments
essendi xc can be easily integrated into existing IT infrastructures and fits seamlessly into existing security and encryption solutions. Existing crypto tools and applications can continue to be used. Standard interfaces to popular user management systems simplify handling.
Compliance with International Security Standards
Our system supports the highest international standards such as ISO 27001, NIST and ITIL as well as PCI-DSS v4.0, ISO 11568, all BSI Technical Guidelines (TR) and others. This is critical for banks, as they are subject to strict regulations. Trust a solution that Dax50 and FORBES 500 companies also trust.
Certificate Management as Key to DORA Compliance
DORA presents both banks and their IT service providers with new challenges in terms of cyber security and IT resilience. The ability to act must be demonstrated in the shortest possible time. Certificate management plays a central role here, as it forms the basis for secure communication and data transmission. Our certificate management tool essendi xc supports companies not only in the secure management of their certificates, but also in complying with the strict requirements of DORA.
With extensive automation, seamless integration and compliance with international security standards, we offer a future-proof solution.
In addition, essendi it GmbH is ISO 27001 certified, which means that the development processes of essendi xc also meet the highest security requirements.
Would you like to find out more? Arrange a live demo now and experience how essendi xc can optimally support your company.