By NHI Mgmt Group Editorial TeamDomain: Governance & RiskSource: eMudhraPublished May 28, 2026

TL;DR: NIS2 and DORA now push certificate lifecycle management from infrastructure hygiene into regulatory control, because encrypted communications, mutual authentication, audit trails, and third-party trust all depend on governed PKI according to eMudhra. The compliance gap is not the presence of certificates but the inability to inventory, renew, and retire them continuously across hybrid and vendor ecosystems.


At a glance

What this is: This is a PKI and compliance analysis showing that NIS2 and DORA make certificate lifecycle governance a regulatory requirement, not an optional infrastructure task.

Why it matters: It matters because IAM, PAM, and infrastructure teams now have to treat certificates as governed identities across systems, vendors, and regulated operations.

By the numbers:

👉 Read eMudhra's analysis of NIS2 and DORA compliance PKI


Context

NIS2 DORA compliance PKI is about governing certificates as identity credentials, because encryption, authentication, and non-repudiation all depend on them. In regulated environments, the problem is not whether certificates exist, but whether enterprises can discover, inventory, renew, and retire them before expiry creates an operational or compliance failure.

For IAM and infrastructure teams, the key challenge is that certificate lifecycle management now sits at the intersection of security, resilience, and third-party oversight. When certificate ownership is fragmented across cloud, on-premises, edge, and vendor systems, the control gap becomes a governance problem rather than a tooling problem.

That is typical for enterprises that have accumulated certificates over years without a single operating model for issuance, monitoring, renewal, and revocation. NIS2 and DORA simply make that hidden sprawl visible to auditors and regulators.


Key questions

Q: How should organisations govern certificate lifecycle management for NIS2 and DORA?

A: Treat certificate lifecycle management as a governed identity process with named ownership, tracked inventory, renewal deadlines, and revocation evidence. The goal is to prevent expiry from becoming a resilience failure. For regulated services, align renewal, logging, and accountability so auditors can see control, not just configuration.

Q: Why do expired certificates create such a high operational risk?

A: Expired certificates can break authentication, encrypted sessions, and service-to-service trust at the same time, which makes them availability and security issues rather than simple maintenance misses. The risk rises sharply when inventories are incomplete and renewal happens manually across hybrid estates.

Q: What do security teams get wrong about PKI in onboarding and registration?

A: They often focus on encryption strength and overlook governance. Strong cryptography does not fix weak identity proofing, shared signing keys, or unmanaged automation. If the registration workflow cannot show who approved trust, why it was granted, and when it should expire, the PKI design is only partially effective.

Q: Who is accountable when a vendor certificate outage affects regulated services?

A: The vendor may own the certificate, but the regulated organisation remains accountable for resilience, third-party oversight, and service continuity. That is why DORA-style governance has to include supplier certificate visibility, contractual renewal expectations, and evidence that dependency risk is monitored.


Technical breakdown

Certificate lifecycle management under NIS2 and DORA

Certificate lifecycle management means governing certificates from issuance through renewal, replacement, and retirement. Under NIS2 and DORA, that lifecycle matters because expired or orphaned certificates can interrupt encrypted communications, break mutual TLS, and weaken auditability. The technical risk is not just downtime. It is loss of identity assurance across systems that rely on certificates for trust decisions. Automated discovery, inventory, and renewal become essential because manual tracking cannot keep pace with hybrid estates or third-party dependencies.

Practical implication: build a complete certificate inventory and assign explicit ownership before expiry creates a resilience or compliance event.

Mutual TLS and certificate-based authentication

Mutual TLS, or mTLS, uses certificates on both sides of a connection so each endpoint verifies the other before exchanging data. That is why it matters for NIS2 and DORA. The control is not merely encryption in transit. It is authenticated encryption with proof of endpoint identity, which supports zero-trust style access to critical systems and regulated data flows. When certificate validity is unmanaged, trust breaks silently even if the network path still exists.

Practical implication: treat mTLS as an identity control and monitor certificate validity as closely as you monitor access entitlements.

Third-party certificate trust and supply-chain resilience

DORA places unusual weight on third-party ICT risk, and PKI is part of that risk surface. If a vendor, cloud provider, or integration partner mishandles certificate renewal, the failure can propagate into your environment as an outage, a broken trust chain, or a compliance issue. The architectural issue is shared trust without shared lifecycle visibility. You cannot claim operational resilience if your critical services depend on certificates you do not govern end to end.

Practical implication: extend certificate governance to vendors and service providers, not just internal infrastructure.


Threat narrative

Attacker objective: The practical objective in this failure pattern is to exploit unmanaged certificate trust so regulated services lose confidentiality, integrity, or availability at the point of exchange.

  1. entry: The weakest point is often unmanaged certificate sprawl, where expired, duplicated, or orphaned certificates remain hidden in hybrid infrastructure and third-party services.
  2. escalation: Once a certificate lapses or is not renewed on time, encrypted channels, authenticated transactions, and audit evidence all degrade at the same time.
  3. impact: The result is service interruption, failed identity verification, and a compliance event that can surface as an operational resilience breach.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Certificate lifecycle governance is now a compliance control, not an IT housekeeping task. NIS2 and DORA both turn certificate validity, ownership, and renewal into regulated obligations because expired credentials can break encryption, authentication, and auditability at once. The issue is not that certificates are technical objects. The issue is that regulators now treat unmanaged certificate state as an operational resilience failure. Practitioners should reclassify certificate lifecycle management as a governed identity process.

PKI exposes the same governance problem that NHI programmes face: hidden credentials with unclear ownership. A certificate is a non-human identity credential, and the failure mode is familiar: sprawl, orphaning, and uncertain revocation timing. That makes NIS2 DORA compliance PKI part of the broader identity governance conversation, not a separate infrastructure discipline. The practitioner conclusion is that certificate oversight belongs in identity governance, not only in operations.

Third-party certificate dependency creates an identity trust chain that outlives direct control. DORA especially makes this visible because vendor ICT risk can become your resilience failure when a supplier misses renewal or mismanages trust chains. That means the governance model has to track certificate accountability across organisational boundaries. Practitioners should assume external certificate ownership still creates internal regulatory exposure.

Automated renewal is only half the control if inventory and policy are weak. Automation can reduce outage risk, but it cannot compensate for missing ownership, incomplete discovery, or inconsistent issuance standards. The real control gap is not renewal speed alone. It is whether the organisation can prove which certificates exist, who owns them, and which systems depend on them. Practitioners need an auditable certificate operating model, not just automation tooling.

Identity and encryption controls are converging under resilience regulation. NIS2 and DORA do not let teams separate cryptographic hygiene from access governance, because both are needed to demonstrate trust, continuity, and incident evidence. That convergence is the important field-level signal. Practitioners should align PKI, IAM, and resilience governance under one operating model.

From our research:

  • Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which is the same visibility problem that makes certificate supply chains hard to govern.
  • Follow the NHI Lifecycle Management Guide to align discovery, ownership, renewal, and offboarding into one auditable control model.

What this signals

Certificate governance is becoming an identity operations discipline, not a niche PKI task. As NIS2 and DORA push resilience expectations deeper into infrastructure, security teams will need one operating view for certificates, workload identity, and privileged access. That shift will expose organisations that still manage certificates through separate operational queues rather than a governed lifecycle. Teams should expect audit pressure to move from point-in-time proof to continuous lifecycle evidence.

With 85% of organisations lacking full visibility into third-party vendors connected via OAuth apps, per The State of Non-Human Identity Security, the same visibility gap now applies to external certificate chains. If a business cannot see its third-party identity dependencies clearly, it cannot prove resilience under DORA-style oversight. The programme implication is simple: vendor trust has to be measurable, not assumed.

The next maturity step is to converge PKI governance with broader non-human identity controls, including lifecycle ownership, recertification, and revocation evidence. That convergence matters because certificates, tokens, service accounts, and agents all fail differently but create the same accountability problem when no one owns their lifecycle. Security leaders should treat this as a governance redesign, not a tooling refresh.


For practitioners

  • Build a complete certificate inventory Start with servers, APIs, load balancers, IoT devices, code repositories, and vendor-managed endpoints. Assign ownership, expiry dates, and renewal paths so every certificate has a named accountability path.
  • Map certificate lifecycle controls to regulated services Separate certificates that support critical infrastructure or financial services from lower-risk use cases, then apply stricter renewal, logging, and approval controls to the regulated set.
  • Extend governance to third-party trust chains Require vendors and service providers to disclose certificate ownership, renewal cadence, and chain dependencies for any service that can impact your regulated operations.
  • Automate renewal with verification gates Use automation for renewal only after you have verified issuance policy, system dependencies, and rollback steps, so renewal does not create a service interruption during certificate replacement.
  • Embed certificate evidence into audit reporting Capture issuance, renewal, revocation, and dependency data in a form that can support incident response, resilience testing, and regulator review without manual reconstruction.

Key takeaways

  • NIS2 and DORA turn certificate lifecycle management into a regulated identity control, not an optional infrastructure practice.
  • The core failure mode is not certificate existence but unmanaged ownership, renewal, and third-party trust visibility.
  • Practical compliance depends on auditable inventory, automated renewal, and governance that extends across vendor certificate chains.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST SP 800-53 Rev 5 set the technical controls, while NIS2 and DORA define the regulatory obligations.

FrameworkControl / ReferenceRelevance
NIST CSF 2.0PR.DS-1Encryption and data protection are central to the PKI obligations discussed here.
NIST SP 800-53 Rev 5IA-5Authenticator management fits certificate issuance, renewal, and revocation controls.
NIS2NIS2 directly drives the compliance requirements discussed in the article.
DORADORA frames third-party ICT resilience and continuous service availability.

Extend certificate governance to third-party services and prove renewal continuity for critical operations.


Key terms

  • Certificate Lifecycle Management: Certificate lifecycle management is the governance of digital certificates from issuance through renewal, revocation, and retirement. In practice, it turns certificates into auditable identity assets so organisations can prove ownership, prevent expiry, and maintain trust across systems, users, and vendors.
  • mTLS: Mutual TLS is a transport pattern where both sides of a connection authenticate each other with certificates. In NHI programmes, it is often the control that binds service identity to encrypted traffic, but its value depends on certificate lifecycle, protocol version, and enforcement consistency.
  • Private certificate authority: A private certificate authority issues certificates inside an organisation rather than for the public internet. It is used to establish trust for internal applications, workloads, devices, and service-to-service communication, which means its governance directly affects internal identity assurance and operational resilience.
  • Certificate Inventory: A certificate inventory is the authoritative list of all certificates in use across an environment, including owner, expiry, issuing authority, and deployment location. It is the control foundation for monitoring and renewal because teams cannot govern what they cannot reliably enumerate.

What's in the full article

eMudhra's full article covers the operational detail this post intentionally leaves for the source:

  • How emCA structures private CA issuance and custom certificate attributes for regulated environments
  • How CertiNext automates discovery, renewal, retirement, and alerting across hybrid infrastructure
  • How the article maps certificate lifecycle controls to NIS2 and DORA compliance expectations
  • How the vendor positions certificate governance for third-party ICT and supply-chain monitoring

👉 The full eMudhra article covers certificate lifecycle automation, third-party trust, and compliance reporting in more operational detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are building or maturing identity security governance across human and non-human systems, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org