
Data Security Compliance with the Digital Operational Resilience Act (DORA)

Digital Operational Resilience Act (DORA) Compliance

The Council of the European Union adopted the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) in November 2022 to strengthen the resilience of financial institutions against cyber-attacks. DORA does this by streamlining and harmonizing the requirements across the European Union for the security of the network and information systems of organizations operating in the financial sector, as well as of the critical third-party providers of ICT (information and communication technology) services on which they rely.

The main pillars of DORA legislation are:

  • ICT risk management
  • ICT-related incident management, classification and reporting
  • Digital operational resilience testing
  • Management of ICT third-party risk
  • Information sharing arrangements

Which companies are subject to DORA?

DORA applies to a broad range of financial entities, including banks and other credit institutions, payment institutions, e-money institutions, investment firms and crypto-asset service providers, among others. Importantly, DORA also establishes an oversight framework for ICT third-party service providers that the European Supervisory Authorities designate as critical to the financial sector. A designated critical provider, which may for example be a cloud platform or a data analytics service, is subject to direct regulatory oversight under DORA.

When will DORA be enforced?

DORA entered into force on January 16, 2023, with a two-year implementation period. Financial entities and their ICT third-party service providers must comply with the regulation from January 17, 2025, the date from which it applies.

What are the penalties for DORA non-compliance?

DORA itself does not fix a fine for financial entities: under Article 50, Member States lay down the administrative penalties and remedial measures that their competent authorities may impose, and the amount takes into account the severity and duration of the breach and the degree of cooperation with the authorities. For ICT third-party providers designated as critical, the Lead Overseer can impose periodic penalty payments of up to 1% of the provider's average daily worldwide turnover in the preceding business year, applied daily for up to six months.

How Thales Helps Meet Compliance Requirements in Europe - eBook

Learn how our data protection and access management solutions can help comply with DORA, NIS 2, GDPR, PCI DSS 4.0 and ISO 27001.

How Thales Helps Organizations

ICT Risk Management

DORA lays out frameworks and guidelines for risk management intended to help build mature risk management programs and improve operational resiliency.

Thales helps organizations by:

  • Identifying and classifying sensitive data for risk assessment
  • Protecting data at rest, in use, and in motion
  • Protecting access to sensitive data, systems, and applications
  • Protecting cryptographic keys and implementing strong multi-factor authentication
  • Detecting anomalous activities and monitoring user activity

DORA Requirement:

Article 8.1:

“…identify, classify and adequately document information assets…”

Thales Solutions:

CipherTrust Data Discovery and Classification identifies structured and unstructured sensitive data on-premises and in the cloud. Built-in templates enable rapid identification of regulated data, highlight security risks, and help uncover compliance gaps.

Article 9.2:

“…maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.”

Protect Data at Rest:

CipherTrust Data Security Platform provides multiple capabilities for protecting data at rest in files, volumes, and databases. Among them:

  • CipherTrust Transparent Encryption delivers data-at-rest encryption with centralized key management and privileged user access control. This protects data wherever it resides, on-premises, across multiple clouds, and within big data and container environments.
  • CipherTrust Tokenization permits the pseudonymization of sensitive information in databases while maintaining the ability to analyze aggregate

 

Protect Data in Motion:

Thales High Speed Encryptors (HSE) provide network-independent data-in-motion encryption at Layers 2, 3 and 4, ensuring data stays protected as it moves from site to site or between on-premises environments and the cloud. These network encryption solutions protect data, video, voice and metadata from eavesdropping, surveillance, and overt and covert interception without compromising performance. Thales HSEs are available as both physical and virtual appliances, supporting network speeds from 10 Mbps to 100 Gbps.

Article 9.3, b:

“…minimize the risk of corruption or loss of data; unauthorized access and of the technical flaws…”

Thales OneWelcome identity and access management products limit the access of internal and external users based on their roles and context. Backed by strong (multi-factor) authentication, granular access policies and fine-grained authorization policies help ensure that the right user is granted access to the right resource at the right time, thereby minimizing the risk of unauthorized access.

Article 9.4, c:

“…implement policies that limit the physical and virtual access to ICT system resources and data to what is required only for legitimate and approved functions and activities, and…”

The Thales OneWelcome Identity Platform lets organizations limit logical (virtual) access to confidential resources through MFA, including phishing-resistant authentication, and granular access policies. SafeNet IDPrime smart cards can additionally be used for physical access control to sensitive facilities.

The Thales OneWelcome Consent & Preference Management module lets organizations collect end-customer consent, giving financial institutions clear visibility of which data they have consent to use and allowing them to manage access to that data accordingly.

Article 9.4, d:

”…strong authentication mechanisms…”

"…protection measures of cryptographic keys whereby data is encrypted.”

SafeNet Trusted Access is a cloud-based access management solution that makes it easy to manage access to both cloud services and enterprise applications with an integrated platform combining single sign-on, multi-factor authentication (MFA) and scenario-based access policies.

Thales Key Management offerings streamline and strengthen key management in cloud and enterprise environments over a diverse set of use cases.

Hardware Security Modules (HSMs) protect cryptographic keys and provide a FIPS 140-2 Level 3 hardened, tamper-resistant environment for secure cryptographic processing, key generation and protection, encryption, and more.

Article 10.1:

“…detect anomalous activities… monitor user activity…”

CipherTrust Transparent Encryption security intelligence logs and reports streamline compliance reporting and speed up threat detection when fed into security information and event management (SIEM) systems.

The CipherTrust Transparent Encryption Ransomware Protection extension detects activity characteristic of ransomware: excessive data access, exfiltration, unauthorized encryption, and impersonation combined with malicious actions.

SafeNet Trusted Access helps organizations respond to and mitigate the risk of a data breach by providing an immediate, up-to-date audit trail of all access events to all connected systems.

Managing ICT Third-Party Risk

DORA requires financial entities to manage the risk arising from ICT third-party service providers and, for services supporting critical or important functions, to have "exit strategies."

Thales helps organizations reduce third-party risk by using key management and encryption to enforce a strict separation of duties between the financial institution and its third-party providers, and to keep workloads portable to another provider when necessary.

Article 28.8:

“For ICT [3rd party] services supporting critical or important functions, financial entities shall put in place exit strategies.”

CipherTrust Cloud Key Manager reduces third-party risk by keeping the keys that protect data hosted with third-party cloud providers on-premises, under the financial institution's full control, through "bring your own key" (BYOK) arrangements: the provider holds the encrypted data but not the keys, so the institution can withdraw the provider's ability to read the data by withdrawing the key.

CipherTrust Transparent Encryption provides complete separation of administrative roles where only authorized users and processes can view unencrypted data.

Thales data security solutions also cover availability and decommissioning: Data Protection on Demand (DPoD) provides built-in high availability and backup for its cloud-based Luna Cloud HSM and CipherTrust Key Management services, and the HSE network encryption appliances provide options to zeroize their keys.
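To make the third-party-risk argument above concrete, the following is an added illustration written for this page (not Thales product code) of the envelope-encryption pattern that BYOK key management relies on. A hypothetical on-premises KeyManager holds the key-encryption key (KEK) and only ever wraps or unwraps per-record data-encryption keys (DEKs); the provider stores the ciphertext and the wrapped DEK, neither of which it can use on its own. The KeyManager and CloudRecord types, the workload label, and the sample record are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager models the entity's on-premises key manager (hypothetical, not a
// Thales API): it holds the KEK and exposes only wrap/unwrap of data keys.
type KeyManager struct{ kek []byte }

func NewKeyManager() (*KeyManager, error) {
	kek := make([]byte, 32) // AES-256 key-encryption key
	_, err := rand.Read(kek)
	return &KeyManager{kek: kek}, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // also rejects a zeroized (nil) key
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal: AES-GCM under a fresh nonce (prepended); aad is authenticated only.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; it fails on tampering or an aad mismatch.
func open(key, blob, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// The workload label is bound in as AAD: a DEK wrapped for one workload
// cannot be replayed against another.
func (km *KeyManager) WrapDEK(dek []byte, label string) ([]byte, error) {
	return seal(km.kek, dek, []byte(label))
}

func (km *KeyManager) UnwrapDEK(wrapped []byte, label string) ([]byte, error) {
	return open(km.kek, wrapped, []byte(label))
}

// Zeroize destroys the KEK; every record wrapped under it becomes unrecoverable
// (crypto-shredding), the cryptographic half of an exit strategy.
func (km *KeyManager) Zeroize() {
	for i := range km.kek {
		km.kek[i] = 0
	}
	km.kek = nil
}

// CloudRecord is all the provider stores: ciphertext plus a DEK it cannot unwrap.
type CloudRecord struct{ WrappedDEK, Ciphertext []byte }

// Encrypt uses a per-record DEK and stores only its wrapped form.
func Encrypt(km *KeyManager, label string, plaintext []byte) (CloudRecord, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return CloudRecord{}, err
	}
	ct, err := seal(dek, plaintext, []byte(label))
	if err != nil {
		return CloudRecord{}, err
	}
	wrapped, err := km.WrapDEK(dek, label)
	return CloudRecord{WrappedDEK: wrapped, Ciphertext: ct}, err
}

// Decrypt has to go through the on-premises key manager first.
func Decrypt(km *KeyManager, label string, rec CloudRecord) ([]byte, error) {
	dek, err := km.UnwrapDEK(rec.WrappedDEK, label)
	if err != nil {
		return nil, err
	}
	return open(dek, rec.Ciphertext, []byte(label))
}
```

Two properties matter for DORA's exit strategies: the provider's copy cannot be read without a call to the on-premises key manager, and zeroizing the KEK on exit turns everything the provider still holds into unrecoverable ciphertext. Because the bulk data is encrypted under per-record DEKs, rotating the KEK or moving to another provider only requires unwrapping and re-wrapping the 32-byte DEKs, not re-encrypting the data itself.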

Related Resources

Data Security Compliance with the Digital Operational Resilience Act (DORA) - Solution Brief

Thales helps organizations comply with DORA by addressing its essential requirements for ICT risk management and third-party risk management: identifying and classifying sensitive data for risk assessment, protecting data at rest, in use, and in motion ...

Data Security Compliance and Regulations - eBook

This ebook shows how Thales data security solutions enable you to meet global compliance and data privacy requirements including - GDPR, Schrems II, PCI-DSS and data breach notification laws.

Other key data protection and security regulations

GDPR

Regulation
Active Now

Perhaps the most comprehensive data privacy regulation to date, the GDPR applies to any organization that processes the personal data of individuals in the EU, regardless of where the organization is headquartered.

PCI DSS

Mandate
Active Now

Any organization that plays a role in processing credit and debit card payments must comply with the strict PCI DSS compliance requirements for the processing, storage and transmission of account data.

Data Breach Notification Laws

Regulation
Active Now

Data breach notification requirements following the loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a "safe harbor" clause that exempts data rendered unreadable, typically through encryption.