To comply with regulations such as the Digital Operational Resilience Act (DORA), it is crucial to choose the right cybersecurity tools. This requires an extensive understanding of the overall cybersecurity landscape and the particular requirements outlined in the legislation.
In this article, we help break down the criteria, offering a comprehensive understanding of the necessary cybersecurity measures. This is particularly important in light of the implementation of DORA entering into force on the 16th of January, 2023.
For further insights and details on how to improve your cyber resilience and security in compliance with DORA, watch our webinar “How to Achieve DORA Compliance with Data Protection”.
What is DORA?
The Digital Operational Resilience Act (DORA ) is a legislative framework that aims to bolster cybersecurity and operational resilience within the financial sector. It imposes obligations on financial institutions, market infrastructures, and digital service providers.
DORA came into force on January 16th, 2023, and will apply as of January 17th, 2025. It signals a new era of heightened cybersecurity standards to mitigate digital risks and ensure the stability of financial systems.
DORA's objective is to fortify the IT security of financial entities, encompassing banks, insurance companies, and investment firms. The goal is to ensure that the European financial sector maintains robust resilience in the face of significant operational disruptions.
Operational resilience stands as a firmly established strategic cornerstone within the financial services sector and extends its significance across information, communication, and technology enterprises catering to financial institutions.
Organizations affected are financial entities such as banks, insurance companies, and investment firms.
Who is affected?
Article 2 of the DORA EU regulation defines the following entities that need to comply:
- Credit institutions
- Payment institutions
- Account information service providers
- Electronic money institutions
- Investment firms
- Crypto-asset service providers
- Central securities depositories
- Central counterparties
- Trading venues
- Trade repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
- Institutions for occupational retirement provision
- Credit rating agencies
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitization repositories
- ICT third-party service providers
The DORA legislation seeks to enhance the cybersecurity of financial institutions and bolster their ability to withstand cyber-attacks or other IT-related disruptions. Consequently, the legislation encompasses regulations and mandates concerning:
- ICT risk management
- ICT-related incident management
- Digital operational resilience testing
- Third-party management
- Information sharing
DORA mandates that data is protected at rest and in motion, regardless of the environment. Data transfer between financial institutions should always be secured, and data should be maintained with high integrity and confidentiality.
Read Utimaco’s earlier article on The EU Digital Operational Resilience Act (DORA) to learn more about who is affected.
Articles of DORA - Safeguarding Resilience through Protection and Prevention
To fulfill the objectives outlined in DORA, financial entities are required to utilize ICT solutions and processes. These solutions and processes must:
Ensure integrity and confidentiality of data whether the data is at rest or in motion
Recommendation
- Use an encryption tool that protects both data at rest and data in motion
- Ensure that the tool is user-friendly for employees (ideally featuring transparent encryption for seamless operation)
Minimize the risk of data corruption or loss of data, unauthorized access, and technical flaws that may hinder business
Recommendation
- Ensure access management by user roles and groups to ensure that certain sensitive data is only accessible to authorized users
- In case data is lost, ensure that it is still encrypted and that unauthorized users cannot read the information (be it internal or external)
Ensure that data is protected from risks arising from data management, including poor administration, processing-related risks, and human error
Recommendation
- Minimize the risk of human error by granting only essentially administrative rights
- Adhere to a strict role-split methodology, separating network management responsibilities from security management duties (Separation of Duties)
Strengthen Your Resilience and Ensure Compliance with LAN Crypt File and Folder Encryption by Utimaco
Utimaco’s innovative file and folder encryption solution, LAN Crypt File and Folder Encryption represents a pinnacle in data protection technology, providing unparalleled security for the protection of sensitive data. With a comprehensive suite of features including:
- Protecting Data at Rest and Data in Motion
- Minimizing the risk of data exposure
- Ensuring confidentiality at all times with persistent encryption
- Avoiding an all-powerful administrator with separation of duties
For further insights and details on how to improve your cyber resilience and security in compliance with DORA, we invite you to watch our webinar “How to Achieve DORA Compliance with Data Protection”.
