If your certificate is issued before the deadline, it can still have the current maximum validity (398 days max). However, any certificate issued on or after 15 March 2026 must follow the new 200-day rule – even if the renewal process started earlier.

For Organisation Validation (OV) certificates, the reuse periods for domain and organisation validation are also shortening in line with the certificate lifetimes.

That means even your validation data (like proof of domain control) must be refreshed more frequently, reinforcing the need for automation.

CAs complying with the TLS Baseline Requirements are required to validate DNSSEC, when present, in the course of retrieving CAA records or performing DCV-related DNS lookups from Primary Network Perspectives. 

https://cabforum.org/2025/06/18/ballot-sc-085v2-require-validation-of-dnssec-when-present-for-caa-and-dcv-lookups/

This does not mean client authentication is going away — it means organisations must use private PKI, enterprise PKI services, or sector-specific solutions instead of public TLS certificates for mTLS. We recommend that TCS