The Digital Operational Resilience Act (DORA) will apply to the EU financial sector from 17 January 2025. This new regulation (EU 2022/2554) requires financial entities, and their critical Information and Communication Technology (ICT) suppliers, to implement contractual, organisational and technical measures to improve the level of digital operational resilience of the sector.
Like many other sectors, financial entities are adopting cloud computing, in particular to improve the resilience of the network and information systems that support their financial services. Outsourcing ICT services in this way also requires a clear allocation of responsibilities, risks and mitigations between financial entities and their ICT third-party service providers.
To that effect DORA defines the requirements applicable to financial entities, including:
- the management of ICT risks
- the management of ICT third-party risks
In this blog, we provide insights on how financial entities such as banks or insurers have addressed both requirements and improved their security posture across hybrid IT and multi-cloud environments.
What is the scope of DORA?
As set out in its Article 2, DORA applies across the financial services sector: banks, insurers, payment institutions, trading venues, and a wide range of financial management firms (trading, crypto-assets, etc.). Because they play a central role in the security and resilience of the network and information systems of financial entities, ICT third-party providers themselves are also brought within scope.
DORA is a Regulation: it is law, not an industry standard, a technical recommendation, or a set of nice-to-have best practices. The regulated entities listed above must comply with it. Non-compliance can lead to administrative penalties and remedial measures imposed by the supervisory authorities, and possibly to criminal penalties.
Article 1 of DORA sets out the requirements applicable to:
- the financial entities themselves, in relation to:
  - ICT risk management
  - ICT-related incident management, classification and reporting
  - digital operational resilience testing
  - information and intelligence sharing
  - management of ICT third-party risk, including the contractual terms between financial entities and ICT third-party service providers
- the ICT third-party providers themselves, when designated as "critical"
- the relations between the different supervisory authorities
Cloud and operational resilience, that is the question!
Adopting cloud computing is one way to improve both the security and the resilience of ICT services.
- Security first, because security of the cloud, which is the cloud service provider's responsibility under the shared responsibility model, is usually at or close to the state of the art. Hyperscalers in particular invest heavily in keeping their platforms secure.
- Resilience too, because most cloud services come with service level agreements (SLAs) covering availability, geographical redundancy, 24/7 support and so on, which in-sourced network and information systems are sometimes unable to match.
On the other hand, cloud services are outsourcing engagements with third-party service providers, which has two major consequences:
- Dependence on a third-party provider means losing direct control over critical infrastructure supporting a service for which the financial entity remains accountable. Under the shared responsibility model, the cloud customer remains responsible for security in the cloud: its own identities, configurations, data and keys.
- Complexity, and possibly conflicts, between the laws of several jurisdictions: those governing the financial entity's operations and those governing the third-party service provider.
DORA allows financial entities to adopt cloud computing services, provided that they remain responsible for, and manage, both of these consequences: the cybersecurity risks addressed in Article 9 and the third-party risks addressed in Article 28.
Protection and Prevention of ICT security risk (DORA Article 9)
With DORA, financial entities must assess and mitigate their cybersecurity risks and in particular “maintain high standards of security, confidentiality and integrity of data, whether at rest, in use or in transit.”
Article 9 states explicitly that "financial entities shall implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes".
A key management system (KMS) is one such "dedicated control system": it generates and protects cryptographic keys, defines role-based access policies for their use, and enforces those policies by deciding who may encrypt or decrypt with which key.
Third Party Risk Management (DORA Article 28)
DORA also emphasises the need for financial entities to control their level of dependence on third-party providers: they "remain fully responsible for compliance with, and the discharge of, all obligations under this Regulation and applicable financial services law". This is essential for cloud services, for the reasons given above.
A first implication is that financial entities are responsible for implementing the Article 9 mitigations, such as encryption and a KMS, even when the data reside in the cloud.
Second, financial entities must be able to migrate applications and data from one service provider to another, and must therefore define an "exit strategy". Article 28 describes this as the ability to "develop transition plans enabling them to remove the contracted ICT services and the relevant data from the ICT third-party service provider and to securely and integrally transfer them to alternative providers or reincorporate them in-house".
Unlike a physical object, which cannot be in two places at once, moving a digital file from one server to another takes two operations: copy the file to the destination, then delete it from the original location. In the cloud the second step is the hard one: deleting the primary copy says nothing about snapshots, backups, replicas or the provider's storage media. To transfer data "securely and integrally" (and to demonstrate it!) the financial entity must be able to show that no readable trace of the data remains at the original location. This is called cyber shredding, also known as crypto-shredding.
In short, cyber shredding means encrypting the data and holding the encryption key separately, in a KMS under the financial entity's control. When "moving" data from A to B, the data is decrypted, re-encrypted under a key dedicated to B, and only then is the key protecting the original copy deleted. Whatever might be left behind at A is encrypted data, unreadable and worthless without the key, and the KMS audit record of the key deletion is the evidence. Two caveats: the old key must not be shared with other data that is still needed (otherwise it cannot be deleted), and the key must never be stored alongside the data it protects.
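The sequence just described, as an added worked example written for this post and not code from Thales or from the CipherTrust products. It uses Go's standard-library AES-256-GCM and a deliberately minimal in-memory key store standing in for a KMS; the names (KeyStore, Envelope, Migrate, Shred, the "provider-a-key" and "provider-b-key" IDs) and the sample record are all constructed for the illustration. Each Envelope carries the ID of its key but never the key itself, so the key can be destroyed no matter how many copies of the ciphertext exist. Migrate re-encrypts the data under the destination's key and only then shreds the source key, after which the stale copy left at A can no longer be decrypted:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

var ErrNoSuchKey = errors.New("key not found or already shredded")

// Envelope is ciphertext that names, but never contains, the key protecting it.
type Envelope struct {
	KeyID             string
	Nonce, Ciphertext []byte
}

// KeyStore is a hypothetical stand-in for a KMS (not any vendor's API): keys
// live only here, and key lifecycle events are logged so deletion can be evidenced.
type KeyStore struct {
	keys map[string][]byte
	Log  []string
}

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing crypto/rand is not recoverable
	}
	return b
}

// Generate creates a fresh random AES-256 key under the given ID.
func (ks *KeyStore) Generate(id string) {
	ks.keys[id] = randBytes(32)
	ks.Log = append(ks.Log, "generate "+id)
}

func (ks *KeyStore) aead(id string) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok {
		return nil, ErrNoSuchKey
	}
	block, _ := aes.NewCipher(k) // cannot fail: keys are always 32 bytes
	return cipher.NewGCM(block)
}

// Encrypt seals pt with AES-256-GCM under key id and a fresh random nonce.
func (ks *KeyStore) Encrypt(id string, pt []byte) (Envelope, error) {
	g, err := ks.aead(id)
	if err != nil {
		return Envelope{}, err
	}
	nonce := randBytes(g.NonceSize())
	return Envelope{KeyID: id, Nonce: nonce, Ciphertext: g.Seal(nil, nonce, pt, nil)}, nil
}

// Decrypt opens env; it fails with ErrNoSuchKey once the key has been shredded.
func (ks *KeyStore) Decrypt(env Envelope) ([]byte, error) {
	g, err := ks.aead(env.KeyID)
	if err != nil {
		return nil, err
	}
	return g.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Shred zeroises (best effort in Go; a real KMS does it inside an HSM) and
// deletes a key, recording the deletion in the audit log.
func (ks *KeyStore) Shred(id string) error {
	k, ok := ks.keys[id]
	if !ok {
		return ErrNoSuchKey
	}
	copy(k, make([]byte, len(k)))
	delete(ks.keys, id)
	ks.Log = append(ks.Log, "shred "+id)
	return nil
}

// Migrate "moves" data from provider A's key to provider B's: decrypt, seal it
// again under B's key, and only then shred A's key, so that any copy left
// behind at A (snapshots, backups, replicas) is unreadable ciphertext.
func (ks *KeyStore) Migrate(env Envelope, newKeyID string) (Envelope, error) {
	pt, err := ks.Decrypt(env)
	if err != nil {
		return Envelope{}, err
	}
	moved, err := ks.Encrypt(newKeyID, pt)
	if err != nil {
		return Envelope{}, err
	}
	return moved, ks.Shred(env.KeyID)
}

func main() {
	ks := NewKeyStore()
	ks.Generate("provider-a-key")
	ks.Generate("provider-b-key")
	atA, _ := ks.Encrypt("provider-a-key", []byte("constructed sample record"))
	atB, err := ks.Migrate(atA, "provider-b-key")
	_, stale := ks.Decrypt(atA) // the stale copy left behind at provider A
	fmt.Println("moved to:", atB.KeyID, err, "stale readable:", stale == nil, ks.Log)
}
```

Running it prints that the stale copy is no longer readable and an audit log of generate, generate, shred. Two things this toy leaves to a real KMS: the deletion must be irrecoverable (HSM-backed, with any key backups or escrow copies destroyed as well), and the key ID and nonce stored next to the ciphertext are not secret, so the ciphertext itself may safely persist in a snapshot or backup at A.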
How Thales CipherTrust Data Security Platform Can Help
Thales CipherTrust Data Security Platform (CDSP) supports financial entities in their compliance with DORA, especially in managing cybersecurity and resilience risks with third-party cloud providers.
- CipherTrust Manager is a key management system, as called for by Article 9. It helps financial entities show that a key is protected throughout its lifecycle, logs every access to keys, and can be used to demonstrate that a key has been deleted (the cyber shredding use case)
- CipherTrust encryption connectors allow data to be encrypted at rest and in use, as required by Article 9
- Financial entities can define and enforce role-based access control to keys and data with CipherTrust Data Security Platform, supporting the strong authentication and access control requirements of Article 9
- CipherTrust Data Security Platform is an enterprise-grade centralised platform integrated with all major cloud service providers and with on-premises virtualised environments, enabling financial entities to apply the same controls across hybrid IT and multi-cloud estates, as Article 28 requires
Successful DORA Compliance in the Cloud
The Thales 2023 Data Threat Report states, "83% of respondents were very or somewhat concerned that data sovereignty and/or privacy regulations will affect their organization's cloud deployment plans". IDC data suggested that this concern would turn into mandates, revealing that "65% of major enterprises will mandate data sovereignty controls from their cloud service providers to adhere to data protection and privacy regulatory requirements."
DORA requires financial entities to keep control of their data, through controls such as encryption and key management, when they use ICT third-party service providers such as cloud computing services.
In Article 28, DORA states: "Financial entities shall have appropriate contingency measures in place".
Thales CipherTrust is a leading data security platform for data obfuscation and strong cryptographic key management across hybrid IT. It is integrated with all major cloud providers, putting financial entities a step ahead and ready for when DORA applies in January 2025.