The EU’s Digital Operational Resilience Act (DORA) marks a milestone in the regulation of digital resilience for financial institutions. It not only calls for robust IT systems but also places a new emphasis on managing risks within digital infrastructures – particularly those related to cryptographic assets such as digital certificates and keys.
For banks and financial service providers, this means that processes once viewed as purely technical now sit at the heart of regulatory expectations.

Cryptographic assets – an underestimated risk factor

From our consulting experience, many institutions have well-established systems to secure networks and applications. When it comes to cryptography, however, the picture is often fragmented. Certificates are managed in different departments, central oversight is lacking, and renewal or revocation processes are not consistently implemented. The result: expired or overlooked certificates can disrupt operations or jeopardise audits. DORA directly addresses this risk.

Concrete requirements: What DORA demands

According to Article 9 and related technical standards, DORA requires, among other things:

  • a complete, up-to-date inventory of cryptographic assets,
  • classification and assessment of their criticality,
  • traceable documentation of usage, location and responsibility, and
  • lifecycle management processes including monitoring, escalation and auditability.

These requirements affect not only technical systems but also organisational structures, processes and governance models.

The certificate register as a governance instrument

A central certificate register is therefore much more than a technical inventory. It serves as a connecting element between IT, compliance, risk management and internal audit. The key is that it must be actively managed: Who is responsible? Which processes apply in which situations? How are changes documented? Without clear responsibilities and defined workflows, such a register quickly loses its value.
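The register fields DORA asks for (usage, location, responsibility, criticality) and the monitoring, escalation and audit-trail duties described here can be modelled as a small data structure with a check over it. The following is an added illustration written for this article, not code from essendi or KPMG; the hostnames, owners, reference date and threshold values are all constructed.

```python
from dataclasses import dataclass, field
from datetime import date
# Escalation thresholds in days before expiry, keyed by criticality class.
# Constructed for illustration; DORA does not prescribe these figures.
WARN_DAYS = {"high": 60, "medium": 30, "low": 14}
ESCALATE_DAYS = {"high": 30, "medium": 14, "low": 7}
AS_OF = date(2025, 1, 1)  # constructed reference date for the sample run

@dataclass
class CertRecord:
    """One register entry: usage, location and responsibility, as DORA asks for."""
    subject: str
    usage: str            # what the certificate protects
    location: str         # host or system where it is installed
    owner: str            # responsible team; empty string means nobody assigned
    criticality: str      # "high", "medium" or "low"
    not_after: date       # expiry date taken from the certificate
    history: list = field(default_factory=list)  # audit trail of changes

def record_change(rec: CertRecord, actor: str, change: str, when: date) -> None:
    """Append a traceable entry so every modification has a date and an actor."""
    rec.history.append((when.isoformat(), actor, change))

def escalation_level(rec: CertRecord, today: date) -> str:
    """Map remaining lifetime onto ok / warn / escalate / expired."""
    remaining = (rec.not_after - today).days
    if remaining < 0:
        return "expired"
    if remaining <= ESCALATE_DAYS[rec.criticality]:
        return "escalate"
    if remaining <= WARN_DAYS[rec.criticality]:
        return "warn"
    return "ok"

def attention_report(register: list, today: date) -> list:
    """Return (subject, owner, level) for certificates needing action, including unowned ones."""
    report = []
    for rec in register:
        level = escalation_level(rec, today)
        if level != "ok" or not rec.owner:   # a missing owner is a governance finding too
            report.append((rec.subject, rec.owner or "UNASSIGNED", level))
    return report

# Constructed sample register (hypothetical hostnames, not real systems).
SAMPLE_REGISTER = [
    CertRecord("api.example.test", "TLS, customer API", "dmz-lb-01", "Platform Ops", "high", date(2025, 2, 15)),
    CertRecord("vpn.example.test", "TLS, staff VPN", "vpn-gw-02", "Network", "medium", date(2025, 1, 10)),
    CertRecord("legacy.example.test", "TLS, old reporting tool", "app-legacy-07", "", "low", date(2024, 12, 20)),
    CertRecord("intranet.example.test", "TLS, intranet portal", "web-int-01", "Workplace IT", "low", date(2025, 6, 1)),
]
```

Run against `AS_OF`, the report flags the high-criticality API certificate early (45 days out), escalates the VPN certificate (9 days out) and surfaces the expired legacy certificate as unassigned, which is exactly the kind of ownership gap the register is meant to expose.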

Implementation in practice: A step-by-step approach

In DORA projects, a structured, phased approach has proven effective:

  • Maturity analysis: Which cryptographic assets are in use? How are they currently managed, and what plan for maturity improvement follows from this?
  • Governance definition: Establish roles, responsibilities and escalation paths. This often includes the introduction of an enterprise-wide cryptography policy – a measure increasingly expected by auditors.
  • Tool selection: Identify suitable technologies for asset discovery and management.
  • Integration: Embed processes and connect to existing systems such as Active Directory, CMDBs or ITSM tools.

This can be particularly challenging in complex, heterogeneous IT environments with decentralised responsibilities – a situation frequently encountered in the financial sector.

Practical example: Support through essendi crypto solutions

In DORA implementation projects, the essendi crypto solutions have proven to be a practical and adaptable approach. The product family combines two complementary software suites:

  • essendi cd for automated discovery and inventory of cryptographic assets, and
  • essendi xc for structured lifecycle management.

Both solutions integrate seamlessly into existing system landscapes and help institutions manage their cryptographic assets not only from a technical perspective but also within a solid organisational framework.

In practice, clients particularly value that the software is tailored to the needs of regulated organisations while remaining flexible enough to align with individual processes, role models and governance structures.

Working closely with experienced professional services teams, implementations are guided efficiently – from initial maturity analysis through configuration to integration with overarching compliance processes. This reduces internal effort and ensures sustainable adoption within day-to-day operations.

Together, essendi cd and essendi xc provide a reliable foundation for meeting DORA requirements while positioning cryptography as a strategic element of long-term security management.

Outlook: From compliance to resilience

DORA should not be seen merely as a regulatory obligation but as an opportunity to embed cryptography strategically within the organisation. Institutions that invest now in structured processes and transparent management models will not only strengthen their audit readiness but also lay the groundwork for lasting digital resilience.

Cryptographic assets deserve the same level of attention as any other security-critical resource. A central certificate register is not the end goal – it is the essential first step toward digital resilience.


Pablo Schmücker

Our guest author Pablo Schmücker is an IT security expert at KPMG, advising leading companies in the financial and insurance sectors on artificial intelligence, cyber security, and cryptography.

Daniel Schulz-Sembten


Our guest author Daniel Schulz-Sembten is Assistant Manager at KPMG and has been advising clients – particularly in the financial services sector – since 2021 on projects related to operational information security, with a focus on SOC, SIEM, and incident management.
