
Exploring DORA

Cryptomathic solutions support your financial institution towards compliance.

The financial sector is increasingly dependent on technology and on tech companies for the provision of financial services, which makes it vulnerable to cyber-attacks. Cyber risks have already been addressed at EU level, but the rules have been partial, fragmented and often unevenly implemented across Member States.

The Digital Operational Resilience Act (DORA) introduces uniform and harmonized principles to build resilience of entities across the EU financial sector. DORA has significant implications for financial institutions. Our Cryptomathic Key Management Solution can facilitate compliance, especially with Article 9 of DORA (Protection and Prevention). 

This article highlights DORA implications and shows how Cryptomathic can help. 


DORA - What is it about?

DORA entered into force on Jan 16, 2023, as EU Regulation 2022/2554 and applies directly in all Member States from Jan 17, 2025. By that date Member States must also have notified the national laws, regulations and administrative provisions adopted under it to the European Commission and the three European Supervisory Authorities EBA, ESMA and EIOPA (the ESAs).

Like the EU Directive 2022/2555 on Network and Information Systems (NIS2), DORA sets out a framework of requirements for cybersecurity risk management and reporting. Both are binding; the difference is that NIS2, as a directive, must be transposed by the Member States into national law, whereas DORA, as a regulation, is directly applicable in all Member States. NIS2 covers 18 different sectors classified as highly critical or critical, while DORA focuses on the financial sector.

Specifically, DORA applies to a wide range of financial entities operating in the EU, including all banks, insurance companies, investment firms, payment service providers and the like, 20 different types altogether, as well as their ICT third-party service providers (see Figure 1).

Of course, the banking industry, as a sector of high criticality, is also covered under NIS2. NIS2 provides the general framework for a high common level of cybersecurity, while DORA, as lex specialis, takes precedence over the corresponding NIS2 provisions for the financial entities it covers.


Figure 1: Scope of DORA (Microenterprises may be excluded)

DORA requires that financial entities have policies in place for the management and testing of ICT systems, controls and processes, as well as for managing ICT third-party risk. DORA also provides guidelines on incident reporting and information sharing among financial institutions (cf. Figure 2). 


Figure 2: Topics covered under DORA

Key aspects of the DORA principles on ICT risk management are: Identification, Protection and Prevention, Detection, Response and Recovery, and Communication. 

Protection and Prevention -- Achieve DORA Compliance with Cryptomathic Key Management Solution! 
Cryptomathic’s Key Management Solution is a banking-grade key management solution that is perfectly suited to address the DORA provisions for Protection and Prevention (Article 9):

What DORA requires from financial entities | What Cryptomathic KMS provides

DORA requirement (Art. 9.2):
- Design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular those supporting critical or important functions.
- Maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.

Cryptomathic KMS:
- Uses state-of-the-art strong encryption algorithms and cryptographic controls to protect the confidentiality, authenticity and integrity of data. Connected Hardware Security Modules (HSMs) are FIPS 140-2 Level 3 certified and can be deployed on premises or in the cloud.
- For cloud-native applications, an alternative is to execute cryptographic operations and store keys in a secure enclave protected by SGX-based confidential computing. This alternative is validated at FIPS 140-2 Level 1 (a software-level validation, so it relies on the enclave's isolation rather than on the physical tamper resistance of a Level 3 HSM) while delivering high performance and a lower total cost of ownership.
- Designed and built for high resilience, including backup and disaster recovery; HSMs can be hot-swapped with zero downtime.
- Integrates seamlessly with third-party certificate authorities and certificate lifecycle management systems.

DORA requirement (Art. 9.3): Use ICT solutions and processes that
(a) ensure the security of the means of transfer of data;
(b) minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity;
(c) prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data;
(d) ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.

Cryptomathic KMS:
- Provides centralized and automated lifecycle management of all keys, with automated key distribution in standard key formats as well as a manual, air-gapped mode.
- Manages the relations between applications, keys and HSMs, ensuring that keys are consistently updated and that the right keys are available in the right place at the right time.

DORA requirement (Art. 9.4):
(a) Develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable;
(b) establish a sound network and infrastructure management structure using appropriate techniques, methods and protocols, which may include automated mechanisms to isolate affected information assets in the event of cyber-attacks;
(c) implement policies that limit physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure their sound administration;
(d) implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures for cryptographic keys whereby data is encrypted based on the results of approved data classification and ICT risk assessment processes;
(e) implement documented policies, procedures and controls for ICT change management, including changes to software, hardware, firmware components, systems or security parameters, that are based on a risk assessment approach and are an integral part of the financial entity's overall change management process, so that all changes to ICT systems are recorded, tested, assessed, approved, implemented and verified in a controlled manner;
(f) have appropriate and comprehensive documented policies for patches and updates.

Cryptomathic KMS:
- A policy requires developing, documenting and maintaining appropriate standards. Enforcing a policy typically requires training application developers and performing laborious code reviews and audits, and a policy update usually means checking, updating, reviewing, recompiling, retesting and redeploying large quantities of existing code. The policy engine of the Cryptomathic KMS simplifies this: it separates the development, enforcement and updating of policies from the application side and performs these tasks without service interruption. Compared with the standard siloed architecture, the policy engine reduces the effort for policy development by a factor of 10.
- Access to keys and the associated cryptographic algorithms is enforced through centrally managed crypto policies, so that a user's authorization to execute a cryptographic operation is checked before the operation is carried out.
- The crypto-agile design allows crypto parameters and algorithms to be updated without notable change to system infrastructure or applications, including a transition to quantum-secure algorithms.
- User privileges are managed through role-based access control.
- Chained and integrity-protected audit logs record all security-related events in the key management system, including every operation on system keys. Each log entry carries a MAC value and a time stamp, so that modification or removal of an entry is detectable; the logs can be used as evidence in court.
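The two mechanisms described above, a central policy check ahead of every cryptographic operation and a chained, MAC-protected audit log, can be illustrated in a few dozen lines. The following is an added example written for this article; it is not Cryptomathic's code and does not reproduce the KMS's policy model or log format. The roles, key names, algorithm list and audit key are constructed for the example, and the audit key is held in memory only (in a real deployment it would be HSM-resident).

```python
"""Illustrative central crypto policy with a MAC-chained audit log.

Added example, not Cryptomathic's code or log format. Every cryptographic
operation is authorized against a central policy (role-based, per key, per
algorithm) before it runs, and every decision is appended to a log whose
entries are HMAC-protected and chained to their predecessor.
Roles, key names, algorithms and the audit key are constructed.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

# Hypothetical central policy. Changing "approved_algorithms" is the
# crypto-agility lever: applications keep calling authorize(), the policy decides.
POLICY = {
    "approved_algorithms": {"AES-256-GCM", "RSA-3072-PSS"},
    "roles": {
        "payment-app": {"encrypt", "decrypt"},
        "signing-service": {"sign"},
        "key-admin": {"rotate"},
    },
    "keys": {
        "pan-encryption-key": {"algorithm": "AES-256-GCM", "state": "active"},
        "legacy-signing-key": {"algorithm": "RSA-1024-PKCS1", "state": "active"},
    },
}

GENESIS = "0" * 64  # "previous MAC" of the first entry


class AuditLog:
    """Append-only log: entry n is MAC'd together with the MAC of entry n-1."""

    def __init__(self, audit_key: bytes) -> None:
        self.audit_key = audit_key  # constructed; would live in an HSM in practice
        self.entries: list = []

    def _mac(self, entry: dict) -> str:
        body = {k: v for k, v in entry.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self.audit_key, payload, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        entry = dict(event, seq=len(self.entries), ts=time.time_ns(),
                     prev=self.entries[-1]["mac"] if self.entries else GENESIS)
        entry["mac"] = self._mac(entry)
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        """MAC of the newest entry; record it externally to detect tail truncation."""
        return self.entries[-1]["mac"] if self.entries else GENESIS

    def verify(self, expected_head: Optional[str] = None) -> bool:
        """Detects modified, deleted or reordered entries. Deletion of the newest
        entries is only caught when the caller supplies a previously recorded head."""
        prev = GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if not hmac.compare_digest(entry["mac"], self._mac(entry)):
                return False
            prev = entry["mac"]
        return expected_head is None or prev == expected_head


def authorize(log: AuditLog, role: str, operation: str, key_id: str) -> bool:
    """Central check that must succeed before the crypto operation is executed."""
    key = POLICY["keys"].get(key_id)
    allowed = (
        key is not None
        and key["state"] == "active"
        and key["algorithm"] in POLICY["approved_algorithms"]
        and operation in POLICY["roles"].get(role, set())
    )
    log.append({"role": role, "op": operation, "key": key_id,
                "decision": "allow" if allowed else "deny"})
    return allowed


if __name__ == "__main__":
    log = AuditLog(audit_key=b"constructed-audit-key-do-not-reuse")
    print(authorize(log, "payment-app", "encrypt", "pan-encryption-key"))   # True
    print(authorize(log, "payment-app", "sign", "pan-encryption-key"))      # False: role
    print(authorize(log, "signing-service", "sign", "legacy-signing-key"))  # False: algorithm
    print(log.verify())                                                     # True
```

Note the two deny cases: one is a role restriction, the other is an algorithm that was removed from the approved set, which blocks the legacy key without any change to the calling application. The verify() caveat matters in practice: a hash chain alone cannot detect that the newest entries were cut off, so the head MAC has to be anchored somewhere the log writer cannot alter.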

Figure 3: Cryptomathic Key Management Solution: a perfect match for DORA provisions on Protection and Prevention

DORA's Article 15 mandates that some of its requirements be further specified in technical standards, including Article 9.2 (ICT security policies, procedures, protocols and tools) and Article 9.4(c) (human resources policy, identity management and access control). Accordingly, the Joint Committee of the three European Supervisory Authorities (EBA, EIOPA and ESMA, the ESAs) published its first set of final draft regulatory and implementing technical standards in January 2024. JC 2023 86 expands on Articles 9.2 and 9.4(c) with explicit requirements for financial entities:

- (Article 6, Encryption and cryptographic controls) Rules for the encryption of data at rest, in use (where necessary) and in transit; provisions for cryptographic key management; provisions to update or change the cryptographic technology on the basis of developments in cryptanalysis.
- (Article 7, Cryptographic key management) Identify and implement controls to protect cryptographic keys through their whole life cycle; implement methods to replace cryptographic keys in the case of lost, compromised or damaged keys; maintain a register of all certificates and certificate-storing devices and ensure prompt renewal of certificates.
- (Article 20, Identity management) Implement identity management policies and procedures that ensure the unique identification of natural persons and systems accessing the financial entity's information, along with record keeping and a lifecycle management process for identities.
- (Article 21, Access control) Implement and maintain a fine-grained, role-based and least-privilege policy for granting and revoking access to ICT assets; implement physical access control measures as well as (strong) authentication methods for remote access.
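Two of these requirements, lifecycle controls for keys (Article 7 of the RTS, and the centralized key lifecycle management mentioned under Art. 9.3 above) and the replacement of a compromised key, are concrete enough to show in code. The following is an added example written for this article, not Cryptomathic's implementation. It models key states and allowed transitions after the NIST SP 800-57 lifecycle, stores data-encryption keys (DEKs) wrapped under a key-encryption key (KEK), and on compromise replaces the KEK by re-wrapping the DEKs rather than re-encrypting the data. The wrap() and unwrap() helpers use an HMAC-SHA256 keystream with an HMAC tag purely so the example runs on the Python standard library; production systems use AES key wrap or AES-GCM inside an HSM. Key identifiers and the DEK values are constructed.

```python
"""Illustrative key lifecycle management with compromise-driven rotation.

Added example, not Cryptomathic's implementation. States and transitions
follow NIST SP 800-57 (simplified). DEKs are kept wrapped under the active
KEK; rotating the KEK re-wraps the DEKs, the data itself is untouched.
wrap()/unwrap() are a stand-in for AES key wrap, built from HMAC-SHA256 so
that the example runs on the standard library. All identifiers are constructed.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

TRANSITIONS = {
    "pre-activation": {"active", "destroyed"},
    "active": {"deactivated", "compromised"},
    "deactivated": {"compromised", "destroyed"},
    "compromised": {"destroyed"},
    "destroyed": set(),
}


class KeyRecord:
    """A key and its lifecycle state; the state machine refuses illegal moves."""

    def __init__(self, key_id: str, material: bytes) -> None:
        self.key_id, self.material, self.state = key_id, material, "pre-activation"

    def transition(self, new_state: str) -> None:
        if new_state not in TRANSITIONS[self.state]:
            raise ValueError(f"{self.key_id}: {self.state} -> {new_state} not allowed")
        self.state = new_state
        if new_state == "destroyed":
            self.material = None  # material is gone; nothing can be unwrapped with it


def _subkey(kek: bytes, label: bytes) -> bytes:
    return hmac.new(kek, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wrap(kek: bytes, dek: bytes) -> bytes:
    """Toy authenticated wrap: nonce || DEK xor keystream || HMAC tag."""
    nonce = os.urandom(16)
    ct = _xor(dek, _keystream(_subkey(kek, b"enc"), nonce, len(dek)))
    tag = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap(kek: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(kek, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed integrity check")
    return _xor(ct, _keystream(_subkey(kek, b"enc"), nonce, len(ct)))


class KeyManager:
    def __init__(self) -> None:
        self.keks: Dict[str, KeyRecord] = {}
        self.active_kek: Optional[str] = None
        self.wrapped_deks: Dict[str, Tuple[str, bytes]] = {}  # dek_id -> (kek_id, blob)

    def create_kek(self) -> str:
        kek_id = f"kek-{len(self.keks) + 1}"
        self.keks[kek_id] = KeyRecord(kek_id, os.urandom(32))
        return kek_id

    def activate(self, kek_id: str) -> None:
        self.keks[kek_id].transition("active")
        self.active_kek = kek_id

    def register_dek(self, dek_id: str, dek: bytes) -> None:
        kek = self.keks[self.active_kek]
        self.wrapped_deks[dek_id] = (kek.key_id, wrap(kek.material, dek))

    def get_dek(self, dek_id: str) -> bytes:
        kek_id, blob = self.wrapped_deks[dek_id]
        kek = self.keks[kek_id]
        if kek.state != "active":
            raise PermissionError(f"{kek_id} is {kek.state}; refusing to unwrap")
        return unwrap(kek.material, blob)

    def rotate(self, reason: str = "scheduled") -> str:
        """Replace the active KEK. Everything is unwrapped while the old KEK is
        still active, re-wrapped under the new one, and only then is the old
        KEK deactivated, or, on compromise, marked compromised and destroyed."""
        old = self.keks[self.active_kek]
        plaintext_deks = {d: self.get_dek(d) for d in self.wrapped_deks}
        new_id = self.create_kek()
        self.activate(new_id)
        for dek_id, dek in plaintext_deks.items():
            self.register_dek(dek_id, dek)
        old.transition("compromised" if reason == "compromise" else "deactivated")
        if reason == "compromise":
            old.transition("destroyed")
        return new_id
```

Replacing the KEK this way stops any further use of the compromised key, but it says nothing about DEKs that may have been unwrapped while the KEK was exposed; those need their own rotation and a re-encryption of the data they protect, which is the expensive part a key inventory is meant to make tractable.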

As detailed in Figure 3, the Cryptomathic Key Management Solution is perfectly suited to ensure DORA’s compliance requirements for Strong Cryptography, Key Management, Identity Management and Access Control. Further, its crypto-agile design allows for the seamless update of crypto parameters and algorithms, including the transition to quantum-secure crypto algorithms as the need arises.

DORA Affects ICT third-party providers too!  

A significant part of DORA (Articles 28-44) is dedicated to risk management of ICT third-party providers which is a critical element of ICT risk management, especially in view of the ever-increasing number of third-party providers.
DORA contains specific requirements on the nature and content of the contractual arrangements that financial institutions enter with ICT third-party providers, and enables monitoring of these contractual arrangements, something that was not fully anchored into EU law before.
For ICT third-party service providers deemed as critical, DORA introduces an oversight framework, along with specifics on penalties for non-compliance -- up to 1% of the non-compliant provider’s average daily worldwide turnover -- and the requirement of an adequate business presence in the Union to simplify enforcement. 

Importantly, DORA places the management of third-party risk under the full responsibility of the financial entity. Financial entities must
• integrate a strategy on ICT third-party risk into their own risk management;
• maintain a register of information on all contractual arrangements for the use of ICT services provided by third parties;
• be able to make their contractual arrangements with third-party providers available to the competent authorities; and
• exercise access, inspection and audit rights over the ICT third-party provider.
Compliance with the DORA provisions on third-party risk management can be challenging for financial entities. For example, when a medium-sized financial entity moves its applications and infrastructure to the cloud of a provider such as Microsoft, Google or Amazon, enforcing DORA's audit requirements towards these giant providers can become tricky. Or some third-party providers may themselves use third parties, who in turn use third parties, and so on, so that the financial entity is potentially faced with verifying compliance across an entire supply chain.

Protect Your Digital Assets in the Cloud with Cryptomathic Enclave Security Module! 

The secure enclave technology offered by CSPs can provide secure and isolated computing environments in the cloud, thereby enabling confidential computing and enhancing overall security in a shared cloud infrastructure. Cryptomathic has leveraged this groundbreaking technology to develop a specialized Enclave Security Module (ESM). The ESM is designed to function seamlessly within the AWS Nitro Enclave environment and serves as a robust alternative to conventional Hardware Security Modules (HSMs). The ESM adds an extra layer of security and reduces the risk of unauthorized access or leaks, ensuring that you are in full control of your cryptographic keys for their entire life cycle even when used in the cloud. 

Contact us to discuss with one of our security experts how Cryptomathic can facilitate your financial institution’s compliance with DORA!