The vendor may own the certificate, but the regulated organisation remains accountable for resilience, third-party oversight, and service continuity. That is why DORA-style governance has to include supplier certificate visibility, contractual renewal expectations, and evidence that dependency risk is monitored.
Why This Matters for Security Teams
When a vendor certificate expires or is revoked, the outage is often visible first as application failure, but the accountability question lands in governance, not procurement. Regulated organisations cannot outsource continuity risk just because the certificate sits with a supplier. Current guidance suggests the control objective is third-party oversight, dependency inventory, and evidence that renewal paths are monitored before expiry affects service delivery. NIST’s Cybersecurity Framework 2.0 frames this as a resilience and supplier-risk issue, while NHI lifecycle failures are a recurring theme in Ultimate Guide to NHIs — Regulatory and Audit Perspectives. The practical risk is that the regulated entity is left explaining service disruption, even when the certificate was technically managed by a vendor. In practice, many security teams encounter this only after an outage has already triggered incident review, audit questions, and contractual dispute over who should have acted first.How It Works in Practice
Accountability usually splits into operational ownership and regulatory accountability. The vendor may operate the certificate, but the regulated organisation still needs to prove it identified the dependency, set expectations for renewal, and monitored evidence of control effectiveness. That means treating certificates like critical NHI dependencies, not hidden technical details. The lifecycle lens in Ultimate Guide to NHIs — Lifecycle Processes for Managing NHIs is useful here because renewal, rotation, revocation, and expiry are all control moments. Practically, security and risk teams should ensure:- third-party registers include certificate-owning vendors and the services they affect;
- contracts define notice periods, renewal responsibilities, and escalation timelines;
- technical teams can observe expiry dates, issuer status, and replacement status before service impact;
- backup and failover options exist when a supplier misses renewal or revocation windows;
- audit evidence shows periodic review of certificate dependencies and exception handling.
Common Variations and Edge Cases
Tighter supplier oversight often increases operational overhead, requiring organisations to balance resilience against the friction of multi-party renewal workflows. There is no universal standard for this yet, but current guidance suggests the response should match the criticality of the service and the substitutability of the vendor. Edge cases matter:- If the vendor is contractually responsible but the service is customer-facing and regulated, accountability for impact still sits with the regulated organisation.
- If the certificate is embedded in a SaaS or managed platform, the buyer may not control renewal directly, but it still must demand evidence of monitoring and incident notification.
- If multiple vendors share a trust chain, one expiring intermediate certificate can affect several services at once, which turns a single control failure into a portfolio event.
- If regulators expect proof of resilience testing, the organisation should show what happens when a supplier misses a renewal window, not just that a contract exists.
Related resources from NHI Mgmt Group
- Who is accountable when a vendor-linked healthcare outage affects patient care?
- Who is accountable when a cloud outage interrupts regulated or customer-facing services?
- Who should be accountable for certificate-backed workload access in Kubernetes?
- Who is accountable for certificate trust and root distribution?
Deepen Your Knowledge
NHIMG Editorial Note
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org
Reviewed and updated by the NHIMG editorial team on July 12, 2026.
NHI Mgmt Group — the #1 independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org