diff --git a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
index 05811eb28..90a2d9a2b 100644
--- a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
+++ b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku.go
@@ -46,7 +46,7 @@ func NewEcdsaInvalidKU() lint.LintInterface {
 // CheckApplies returns true when the certificate is a subscriber cert using an
 // ECDSA public key algorithm.
 func (l *ecdsaInvalidKU) CheckApplies(c *x509.Certificate) bool {
- return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA
+ return util.IsSubscriberCert(c) && c.PublicKeyAlgorithm == x509.ECDSA && util.HasKeyUsageOID(c)
 }

 // Execute returns a Notice level lint.LintResult if the ECDSA end entity certificate
diff --git a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku_test.go b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku_test.go
index 73abbcf41..445d147ea 100644
--- a/v3/lints/rfc/lint_ecdsa_ee_invalid_ku_test.go
+++ b/v3/lints/rfc/lint_ecdsa_ee_invalid_ku_test.go
@@ -36,6 +36,11 @@ func TestECDSAInvalidKU(t *testing.T) {
 expectedStatus: lint.Notice,
 expectedDetails: "Certificate had unexpected key usage(s): KeyUsageCRLSign, KeyUsageCertSign",
 },
+ {
+ name: "ecdsa ee cert, without key usage",
+ filename: "CNWithoutSANSeptember2021.pem",
+ expectedStatus: lint.NA,
+ },
 }

 for _, tc := range testCases {
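Review bot: The doc comment above `CheckApplies` is stale once the new condition is added: it still describes the lint as applying to every ECDSA subscriber cert, while the new return also requires `util.HasKeyUsageOID(c)`. I would change it to `// CheckApplies returns true when the certificate is a subscriber cert using an ECDSA public key algorithm and carrying a key usage extension.` It is also worth one sentence of why, since an ECDSA end-entity cert with no key usage extension now reports NA here instead of being evaluated; whether another lint covers the missing extension is not visible from this hunk and should be confirmed. The `Execute` body lies outside the hunk.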
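Review bot: The new table entry expects `lint.NA`, but NA is also what `CheckApplies` yields for a non-ECDSA key or a non-subscriber cert, so the case only exercises the new `HasKeyUsageOID` condition if `CNWithoutSANSeptember2021.pem` really is an ECDSA end-entity cert with no key usage extension. The fixture name describes a different property (CN without SAN) and its contents are not visible here, so this should be confirmed. I would either add a dedicated fixture named for the property under test or annotate the entry with `// ECDSA subscriber cert with no keyUsage extension; NA must come from the HasKeyUsageOID check`. The test loop body lies outside the hunk.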