Register for all certificates and certificate-storing devices for at least ICT assets supporting critical or important functions

Requirement to Create and Maintain a Register (Article 7(4) RTS RMF)

Financial entities must create and maintain a register covering:

  • all certificates, and
  • all certificate-storing devices,

for at least those ICT assets that support critical or important functions.

This obligation is mandatory and forms part of the cryptographic key management framework under Articles 6–7 RTS RMF and the protection-and-prevention controls in Article 9 DORA.


Scope of the Register (Article 7(4) RTS RMF)

The register must include every certificate and every certificate-storing device used in connection with:

  • ICT assets supporting critical functions, and
  • ICT assets supporting important functions.

This includes, for example:

  • SSL/TLS certificates,
  • code-signing certificates,
  • device certificates,
  • hardware security modules (HSMs),
  • smart cards or tokens storing certificates,
  • any other secure storage media used to hold certificates or cryptographic material.

The provision does not limit the register to a particular certificate type, issuer, or technology; the requirement is comprehensive for the relevant scope.


Obligation to Keep the Register Up to Date (Article 7(4) RTS RMF)

Financial entities must ensure that the register is:

  • kept up to date,
  • updated in alignment with the lifecycle of certificates and certificate-storing devices, and
  • consistent with changes in ICT asset inventory and configuration.

This includes updating the register whenever:

  • certificates are issued, renewed, replaced, or revoked;
  • certificate-storing devices are deployed, retired, or replaced;
  • changes occur in the ICT assets supporting critical or important functions.

Article 7(4) RTS RMF