PKI, HSM & IoT cryptography for Europe — banking, pharma & automotive
Vendor-neutral design, migrations, crypto audits and lifecycle automation across the EU/EEA & UK. We align technical controls with European frameworks (GDPR, NIS2, DORA, eIDAS) and sector obligations, and prepare teams for post-quantum cryptography migration.
PKI design & hierarchy modernisation
Offline root, issuing tiers, AIA/CDP/OCSP, HA revocation, ceremony evidence.
- Profiles/EKUs, naming & validity aligned to ENISA crypto guidance
- Qualified trust & signing patterns referencing eIDAS & ETSI trust service standards
- CLM integration (Venafi / EJBCA / Keyfactor), ACME/EST enrolment
HSM custody & key management
M-of-N ceremonies, RBAC/SoD, backup & restore with audit evidence.
- Key lifecycle aligned to ENISA recommendations
- Use of FIPS 140-3 validated modules where required by policy
- Evidence packs for internal/external assurance
Certificate lifecycle automation (CLM)
Discovery → policy → issuance → renewal across hybrid estates.
- Agents/APIs, ACME/EST; policy folders & approvals
- Dashboards & SLOs (expiry MTTR, OCSP freshness, CRL age)
- Change windows with blue/green rollovers
Post-quantum readiness
CBOM, hybrid certificates, pilot → rollout. Referencing NIST PQC selections and ENISA quantum-safe guidance.
- Algorithm policy & crypto-agility design
- Protocol & performance impact testing (handshake p95/p99)
- Parallel PKI design and deprecation plan
Cryptographic audits (infra & code)
CodeQL scans and infrastructure review, with findings mapped to EU/UK controls.
IoT identity & industrial PKI
Device enrolment at scale, constrained profiles, secure boot & signing.
- Guidance aligned to ENISA IoT security & ISA/IEC 62443
- Firmware signing (LMS/HSS), supply-chain attestations
- Edge patterns for constrained sites and offline revocation
European regulatory & sector alignment (what we design for)
EU-wide frameworks
- GDPR (data protection & privacy)
- NIS2 Directive (network & information security)
- DORA (financial sector digital operational resilience)
- eIDAS (electronic identification & trust services)
- ENISA recommendations & cryptographic guidance
Banking & financial services
- DORA (ICT risk, testing, incident reporting)
- EBA Guidelines on ICT & Security Risk Management
- Interchange Fee / payments & PSD2 (incl. RTS on SCA & CSC)
- SWIFT Customer Security Programme (CSP)
Pharmaceutical & life sciences
- EU GMP Volume 4 (incl. Annex 11 — Computerised Systems)
- EMA guidance & data integrity expectations
- PIC/S (mutual GMP guidance)
Automotive & mobility
- UNECE R155 (cybersecurity management)
- UNECE R156 (software update management)
- ISO/SAE 21434 (road vehicles — cybersecurity engineering)
- ISO 24089 (software update engineering)
- TISAX (automotive information security assessment)
We don’t provide legal advice. Designs **align** technical controls and evidence with these frameworks so your legal/compliance teams can demonstrate conformity across EU member-state differences.
Banking & payments
PKI/CLM for high-availability services, incident-ready evidence and control mapping to DORA & EBA expectations.
- Certificate discovery & automation to eliminate expiry outages
- Key ceremonies with audit trails and tamper-evident artefacts
- Segregated trust zones and monitoring (OCSP freshness, CRL age)
Pharmaceutical & life sciences
GxP-aware PKI for batch release, code/firmware signing and data integrity under Annex 11.
- Qualified signing workflows & long-term validation
- CLM policy folders; exception handling & change control
- PQC impact analysis for validated systems
Automotive & mobility
Vehicle identity, secure update, plant PKI and supplier onboarding aligned to R155/R156 and ISO/SAE 21434.
- ECU/firmware signing (incl. LMS/HSS), OTA integrity & rollback
- Supplier profiles, attestation & TISAX readiness
- Edge distribution for revocation and constrained footprints