Subscribe to the Non-Human & AI Identity Journal

Who is accountable when a vendor certificate outage affects regulated services?

The vendor may own the certificate, but the regulated organisation remains accountable for resilience, third-party oversight, and service continuity. That is why DORA-style governance has to include supplier certificate visibility, contractual renewal expectations, and evidence that dependency risk is monitored.

Why This Matters for Security Teams

When a vendor certificate expires or is revoked, the outage is often visible first as application failure, but the accountability question lands in governance, not procurement. Regulated organisations cannot outsource continuity risk just because the certificate sits with a supplier. Current guidance suggests the control objective is third-party oversight, dependency inventory, and evidence that renewal paths are monitored before expiry affects service delivery. NIST’s Cybersecurity Framework 2.0 frames this as a resilience and supplier-risk issue, while NHI lifecycle failures are a recurring theme in Ultimate Guide to NHIs — Regulatory and Audit Perspectives. The practical risk is that the regulated entity is left explaining service disruption, even when the certificate was technically managed by a vendor. In practice, many security teams encounter this only after an outage has already triggered incident review, audit questions, and contractual dispute over who should have acted first.

How It Works in Practice

Accountability usually splits into operational ownership and regulatory accountability. The vendor may operate the certificate, but the regulated organisation still needs to prove it identified the dependency, set expectations for renewal, and monitored evidence of control effectiveness. That means treating certificates like critical NHI dependencies, not hidden technical details. The lifecycle lens in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because renewal, rotation, revocation, and expiry are all control moments.

Practically, security and risk teams should ensure:

  • third-party registers include certificate-owning vendors and the services they affect;
  • contracts define notice periods, renewal responsibilities, and escalation timelines;
  • technical teams can observe expiry dates, issuer status, and replacement status before service impact;
  • backup and failover options exist when a supplier misses renewal or revocation windows;
  • audit evidence shows periodic review of certificate dependencies and exception handling.

This is consistent with control expectations in NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where organisations must demonstrate supplier oversight, continuity planning, and configuration discipline. The SailPoint research in The Critical Gaps in Machine Identity Management report notes that certificate expiry is the leading cause of outages for 45% of organisations, which shows why visibility cannot stop at the vendor boundary. These controls tend to break down when certificates are embedded in opaque managed services or renewal is handled inside a supplier portal that the regulated organisation cannot observe.

Common Variations and Edge Cases

Tighter supplier oversight often increases operational overhead, requiring organisations to balance resilience against the friction of multi-party renewal workflows. There is no universal standard for this yet, but current guidance suggests the response should match the criticality of the service and the substitutability of the vendor.

Edge cases matter:

  • If the vendor is contractually responsible but the service is customer-facing and regulated, accountability for impact still sits with the regulated organisation.
  • If the certificate is embedded in a SaaS or managed platform, the buyer may not control renewal directly, but it still must demand evidence of monitoring and incident notification.
  • If multiple vendors share a trust chain, one expiring intermediate certificate can affect several services at once, which turns a single control failure into a portfolio event.
  • If regulators expect proof of resilience testing, the organisation should show what happens when a supplier misses a renewal window, not just that a contract exists.

For broader NHI governance context, Top 10 NHI Issues and Ultimate Guide to NHIs — What are Non-Human Identities reinforce that visibility and ownership are usually the first failure points. The accountability answer becomes even harder when the organisation lacks an inventory of all supplier certificates or when renewal is tied to a third-party support queue with no SLA for emergency extension.