DORA: What are the encryption requirements?
DORA (Digital Operational Resilience Act - EU Regulation 2022/2554) imposes new strict digital security requirements for the European financial sector. Among these obligations, data encryption plays a central role. Here's a detailed examination of the encryption obligations imposed on financial institutions.
Digital Operational Resilience Act (DORA) in A Nutshell
DORA (EU Regulation 2022/2554 of December 14, 2022) is a European regulation that came into effect on January 17, 2025. It aims to strengthen the digital operational resilience of the financial sector and applies to a wide range of financial institutions, such as:
Credit institutions
Investment firms
Payment service providers
Insurance and reinsurance companies
Fund managers
And other financial sector actors
Encryption Requirements Imposed by DORA
DORA establishes several specific obligations regarding data security. Encryption plays a central role in ensuring the confidentiality, integrity, and availability of data within financial sector IT systems.
DORA defines 4 security pillars:
End-to-end data protection
Cryptographic key protection
Secure operations protection
Access governance
Let's examine in detail the specific obligations that frame these regulatory requirements:
1. End-to-End Data Protection
Article 9.3(d) of DORA imposes protection against data management risks. Encryption comes into play here at several levels:
Protection of data at rest in storage systems
Securing data in transit during transfers
Encryption of backups and archives
Protection of data during processing
2. Cryptographic Key Protection
Article 9.4(d) requires the implementation of specific protection measures for cryptographic keys. This requirement translates into:
Secure management of the complete key lifecycle
Regular key rotation mechanisms
Key backup and recovery procedures
3. Secure Operations Protection
Article 9.3(b) aims to minimize unauthorized access risks and technical vulnerabilities. Encryption plays an essential role in:
Securing internal and external communications
Protecting interfaces and access points
Encrypting operational data flows
Securing processing environments
4. Access Governance
Article 9.4(c) requires the implementation of policies limiting physical and logical access. Encryption contributes to this governance through:
Cryptographic control of data access
Traceability of access to encrypted data
Cryptographic data segregation
Encryption-based access rights management
Impact for Financial Institutions
To comply with these requirements, financial institutions must implement a comprehensive encryption strategy covering:
Data lifecycle management: identifying sensitive data requiring encryption and implementing encryption processes adapted to each data type. This also includes robust key management throughout their lifecycle and documentation and traceability of protection measures.
Technical solutions: deploying standards-compliant encryption tools, implementing key management infrastructure, and integrating encryption solutions into existing processes.
Governance: defining encryption policies and defining access to data and encryption keys based on role and identity.
Data Encryption for DORA Compliance
DuoKey offers an advanced encryption solution that meets DORA requirements. This approach, based on multi-party computation, distributes the encryption key across several parties so that the complete key is never exposed. This technology addresses DORA's requirements for advanced protection of sensitive data and secure management of encryption keys (Article 9).
Integration with cloud environments such as Microsoft 365, AWS, Google, Salesforce, Vault, etc.
Available as a SaaS model or deployed according to organisational needs
Access auditing that allows granular management of access to keys and sensitive data
Strengthening of DORA Requirements through Delegated Act
As part of the European Commission's powers, a new technical regulation (delegated act) specifies the compliance requirements for competent authorities and market participants.
This delegated act, currently being developed, provides more detailed obligations regarding:
Encryption policy and cryptographic controls
Cryptographic key management
Documentation requirements
Here's a quick overview of the requirements in this delegated act:
Encryption Policy and Cryptographic Controls (Article 6)
The delegated act specifies that financial entities must develop, document, and implement a specific encryption policy based on their data classification and ICT risk assessment. This policy must detail:
Methods for encrypting data at rest and in transit
Procedures for encrypting data in use
Securing internal and external network connections
Complete cryptographic key management framework
Cryptographic Key Management (Article 7)
The delegated act establishes specific requirements regarding the management of the cryptographic key lifecycle, including:
Detailed procedures for each lifecycle phase
Specific protection controls
Replacement methods in case of compromise
Rigorous certificate management
Documentation Requirements
According to Article 6 of the delegated act, financial entities will be required to document their technological choices, justify any inability to follow reference standards, and maintain detailed records.
Conclusion
DORA's encryption requirements, together with the delegated act currently being developed, represent a significant challenge for financial institutions. Compliance with this European regulation requires a structured approach, combining appropriate technical solutions with robust organizational processes.
Financial institutions have until January 17, 2025 to comply with DORA. To succeed in their compliance efforts, they should view these obligations not as mere regulatory constraints, but as an opportunity to strengthen their overall security. The adoption of encryption solutions -- like DuoKey's advanced data encryption in multi-cloud environments -- ensures compliance while also providing a competitive advantage in terms of customer trust.