Choosing The Right Cybersecurity Tools To Comply With The Digital Operational Resilience Act (DORA)

To comply with regulations such as the Digital Operational Resilience Act (DORA), it is crucial to choose the right cybersecurity tools. This requires an extensive understanding of the overall cybersecurity landscape and the particular requirements outlined in the legislation.

In this article, we break down the criteria, offering a comprehensive understanding of the cybersecurity measures required. This is particularly important in light of DORA having entered into force on the 16th of January 2023.

What is DORA?

The Digital Operational Resilience Act (DORA) is a legislative framework aimed at bolstering cybersecurity and operational resilience within the EU financial sector. It imposes obligations on financial institutions, market infrastructures, and digital service providers.

DORA came into force on January 16th, 2023, and will apply as of 17th January 2025, signaling a new era of heightened cybersecurity standards to mitigate digital risks and ensure the stability of financial systems.

DORA's objective is to fortify the IT security of financial entities, encompassing banks, insurance companies, and investment firms. The goal is to ensure that the European financial sector maintains robust resilience in the face of significant operational disruptions.

Operational resilience stands as a firmly established strategic cornerstone within the financial services sector and extends its significance across information, communication, and technology enterprises catering to financial institutions.

Organizations affected are financial entities such as banks, insurance companies and investment firms.

Who is affected?

Article 2 of the DORA EU regulation defines the following entities that need to comply:

  • Credit institutions
  • Payment institutions
  • Account information service providers
  • Electronic money institutions
  • Investment firms
  • Crypto-asset service providers
  • Central securities depositories
  • Central counterparties
  • Trading venues
  • Trade repositories
  • Managers of alternative investment funds
  • Management companies
  • Data reporting service providers
  • Insurance and reinsurance undertakings
  • Insurance intermediaries, reinsurance intermediaries and ancillary insurance intermediaries
  • Institutions for occupational retirement provision
  • Credit rating agencies
  • Administrators of critical benchmarks
  • Crowdfunding service providers
  • Securitization repositories
  • ICT third-party service providers

The DORA legislation seeks to enhance the cybersecurity of financial institutions and bolster their ability to withstand cyber-attacks or other IT-related disruptions. Consequently, the legislation encompasses regulations and mandates concerning:

  • ICT risk management
  • ICT-related incident management
  • Digital operational resilience testing
  • Third-party management
  • Information sharing

Read Utimaco’s earlier article on The EU Digital Operational Resilience Act (DORA) to learn more about who is affected.

DORA - Strengthening Financial Sector Security through Operational Resilience

In an era marked by increasing digital threats, the DORA emerges as a beacon of security for the financial sector. Designed to fortify operational resilience, DORA stands at the forefront, ensuring the robustness of financial systems against evolving cyber risks.

Rising Cyber Threats Elevate Operational Risks

At its core, DORA mandates stringent measures to safeguard the operational fabric of financial institutions. By prioritizing operational resilience, DORA not only bolsters the security posture of individual entities but also fosters collective resilience across the financial landscape, ensuring the continued stability and integrity of the financial sector in the face of emerging threats.

Financial institutions must strengthen their operational frameworks and proactively mitigate risks to remain compliant with DORA. In addition to safeguarding vital financial infrastructure, this united effort toward resilience also gives stakeholders and consumers alike confidence.

Article 9 of DORA - Safeguarding Resilience through Protection and Prevention

DORA is a comprehensive framework that promotes resilience against cyber-attacks and prevents other IT-related incidents.

Article 9 of the regulation, titled "Protection and Prevention", mandates the creation of an information security policy. Paragraph 2 of this article outlines the required measures for data protection:

Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.

Article 9.2

Breaking Down The DORA Requirements - Enhancing the Adoption of Encryption

To fulfill the objectives outlined in Article 9, paragraph 2, financial entities are required to utilize ICT solutions and processes in accordance with Article 4. These solutions and processes must:

Ensure the security of the means of data transfer

Recommendation

  • Use an encryption tool that protects both data at rest and data in motion
  • Ensure that the tool is user-friendly for employees (ideally featuring transparent encryption for seamless operation)

Minimize the risk of data corruption or loss of data, unauthorized access, and technical flaws that may hinder business

Recommendation

  • Ensure access management by user roles and groups to ensure that certain sensitive data is only accessible to authorized users
  • In case data is lost, ensure that it is still encrypted and that the information can not be read by unauthorized users (be it internal or external)

Prevent the lack of data availability, the impairment of authenticity and integrity, breaches of confidentiality, and the loss of data

Recommendation

  • Implement authorized access controls to ensure confidentiality
  • Restrict data editing privileges to users with appropriate access rights
  • Utilize persistent encryption to maintain data confidentiality and encryption integrity, even in the event of a data breach
  • Deploy effective data loss prevention measures to prevent unauthorized access to sensitive content by both internal users and external partners

Ensure that data is protected from risks arising from data management, including poor administration, processing-related risks, and human error

Recommendation

  • Minimize the risk of human error by granting only the administrative rights that are essential
  • Adhere to a strict role-split methodology, separating network management responsibilities from security management duties (Separation of Duties)

Strengthen Your Resilience and Ensure Compliance with u.trust LAN Crypt by Utimaco

Utimaco’s innovative file and folder encryption solution, u.trust LAN Crypt, represents a pinnacle in data protection technology, providing unparalleled security for the protection of sensitive data. It offers a comprehensive suite of features, including:

  • Protecting Data at Rest and Data in Motion
  • Minimizing the risk of data exposure
  • Ensuring confidentiality at all times with persistent encryption
  • Avoiding an all-powerful administrator with separation of duties

For further insights and details on how to improve your cyber resilience and security in compliance with DORA, we invite you to download our brochure: "DORA - Building Your Cyber Resilience and Security."

Explore how Utimaco's file encryption solution can empower your organization to navigate the evolving landscape of digital threats with confidence.