Compliance evidence
DORA — domain & certificate controls
EU financial entities — banks, insurers, investment firms, crypto-asset service providers — and their critical ICT third-party providers.
Authority: European Union
What DORA actually requires
DORA (applicable from January 17, 2025) harmonizes ICT risk management across EU financial services. Article 9 requires ICT risk management including protection of data in transit. Article 17 covers ICT-related incident reporting; cert-related outages can qualify.
Full name: DORA (Digital Operational Resilience Act, EU 2022/2554).
Controls that touch certificates and domains
These are the 3 controls most directly affected by TLS certificate and domain lifecycle. CertRadar produces evidence bundles mapped to each.
| Control | Title | How CertRadar helps |
|---|---|---|
| Art. 9(3)(c) | Mechanisms and protocols that ensure the confidentiality and integrity of data in transit | TLS certificate lifecycle is core to this requirement. |
| Art. 9(3)(d) | Mechanisms for the prevention and detection of cyber threats | Expired cert = incident; monitoring is detection. |
| Art. 8 | Identification | Identification of ICT-supported business functions — domains and certs are in scope. |
What the evidence pack contains
CertRadar’s one-click export for DORA includes:
- DORA-mapped ICT asset register
- Incident classification log (cert-related items)
- Third-party cert register (vendor domains)
Example domains in DORA scope
Representative domains often monitored for DORA evidence.
Ship the DORA evidence your auditor asks for.
CertRadar gives security, IT, and compliance teams a complete inventory of every domain and cert your company owns — plus a one-click evidence pack mapped to DORA controls. Beta in weeks. Early members get a lifetime Pro discount.