Delivering DORA with Fortanix

The European Parliament and Council of Ministers have agreed on new EU-wide regulations to enhance resilience and cybersecurity measures in financial institutions. This regulation, called the Digital Operational Resilience Act (DORA), will apply to all financial institutions and their ICT suppliers from January 17th, 2025. Financial institutions need to prepare to comply with the new regulations.

What is DORA?

DORA is an initiative that aims to enhance the operational resilience of financial services in the European Union. It applies to various institutions, such as banks, insurance firms, investment companies, payment service providers, and other entities offering financial services. Regardless of the size of a business, if you provide financial services, you need to comply with DORA. You should chat with your corporate lawyers to confirm if DORA applies to your business.

The obligations included in DORA also apply to certain critical ICT service providers, as designated by European Supervisory Authorities. These providers are responsible for delivering ICT services that financial institutions use to provide their services and products. As a result, we can expect financial institutions to include resilience provisions in their contracts with MSPs to comply with DORA requirements.

Furthermore, the competent EU authority in each country will have the power to order a business to terminate or suspend a contract with a critical ICT third-party service provider as a last-resort measure if the ICT provider fails to meet the provisions specified in DORA.

The objective of DORA is to prevent and reduce the impact of cyber threats that could interrupt financial services in the EU. DORA aims to ensure that financial entities can handle all types of disruptions and threats related to information and communication technology. The goal is to achieve high digital operational resilience across all EU member states. To achieve this, DORA requires that financial entities comply with requirements related to the security of networks and information systems that support their business processes.

Financial businesses will be required to comply with regulations related to ICT risk management, incident management, classification, and reporting, and demonstrate digital operational resilience testing. Information and intelligence sharing about cyber threats and vulnerabilities will also be necessary, alongside measures for managing ICT third-party risk. To ensure the efficiency of critical or essential functions, firms must assess the risks associated with everything involved in delivering these functions.

Financial institutions that breach the DORA regulations may end up paying a hefty penalty of up to 2% of their total worldwide annual turnover. In the case of individuals, the maximum fine is €1 million. The exact penalty amount will depend on the seriousness of the violation and the level of cooperation with authorities.

Entities that provide third-party ICT services that get designated as "critical" by the European Supervisory Authorities may be fined €5 million for non-compliance with DORA. Individuals who offer ICT services subject to DORA may face fines of up to €500,000 if they fail to comply. The European Supervisory Authorities in each member state can impose these fines.

What Do Financial Institutions Need to Do?

Financial institutions of all types and sizes must adopt, implement, and maintain operational measures in various risk categories to comply with DORA. Requirements include:

· Financial institutions must establish internal governance and control frameworks to effectively manage all ICT risks and ensure a high level of operational resilience.

· Financial entities are required to have a process in place for incident management, classification, and reporting as per the DORA regulations. This process involves notifying regulators of any ICT-related incidents detected within a few hours based on specific criteria such as the number of affected users, the criticality and impact on systems, and the actual costs and losses incurred due to the incident.

· DORA introduces a comprehensive digital operational resilience testing requirement that assesses and identifies weaknesses, deficiencies, or gaps in digital operational resilience. Financial businesses must engage independent evaluators to conduct these tests at least once every three years.

· Financial institutions must manage third-party cyber risks according to DORA, which defines key principles for sound management and robust contractual relationships with third-party ICT service providers.

· DORA promotes sharing cyber threat intelligence and alerts between financial entities to raise awareness of indicators of compromise and tactics in use by cybercriminals.

How Fortanix Can Help Financial Organisations Implement DORA

Fortanix offers a comprehensive suite of cybersecurity solutions to help financial organisations achieve DORA compliance. These solutions provide advanced protection for sensitive data, enable robust incident response capabilities, and ensure the resilience of critical IT systems.

The table below maps specific Articles of DORA to the Fortanix functionality that delivers the corresponding security protections.

Key Requirements of the Act / How Fortanix Helps

Article 9.2: Maintain high standards of availability, authenticity, integrity, and confidentiality of data, whether at rest, in use or in transit.

How Fortanix helps: Data protection, wherever the data is located (on-prem or cloud) and in whatever state.

· Confidential Computing technology, powered by Trusted Execution Environments, secures data at rest, in motion, and in use.

· Transparent Data Encryption (TDE) to protect data at rest held in various databases.

· Tokenization/Format-Preserving Encryption to mask sensitive data such as SSNs and credit card numbers, and to control which users or apps are allowed to access the data.

· SSL/TLS encryption and key management to secure data in motion.

Article 9.3b: ICT solutions and processes shall: (a) ensure the security of the means of transfer of data; (b) minimise the risk of corruption or loss of data, unauthorised access and technical flaws that may hinder business activity; (c) prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data; (d) ensure that data is protected from risks arising from data management, including poor administration, processing-related risks and human error.

How Fortanix helps: Centralized, customizable and granular policy management.

· Cryptographic policies: Granular cryptographic policies to comply with regulations, for example to ensure that sufficiently strong algorithms and key lengths are used.

· Quorum approval policies: Administrative guardrail policies enforce multiple approvals for high-impact actions such as deleting keys, to prevent accidental key deletion or insider threats.

· Custom plugins: User-defined scripts ("secure plugins") to implement bespoke business logic and controls.

· High availability: Fortanix is set up in an active/active cluster and is available as a geo-redundant SaaS solution.

· Role-based access controls: With RBAC and custom roles, the solution helps comply with the principle of least privilege.

Article 9.4c: Implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof.

How Fortanix helps: Fine-grained access control for users and data.

· User-defined access: Customizable policies based on an identity's account or role to control key access.

· 2FA/SSO integration: Identity authentication with 2FA and integration with enterprise SSO tools via SAML, OAuth, and LDAP.

· Role-based access control (RBAC): Identity authorization by means of role-based access control, with fine-grained custom roles supported for least-privilege management.

Article 9.4d: Implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes.

How Fortanix helps: Full key lifecycle management with KMS and secure key storage in FIPS-certified HSMs.

· Key Management Service (KMS): Full key lifecycle management for on-prem and cloud; generate, activate, rotate, deactivate, and destroy cryptographic keys. Support for Bring Your Own Key or Hold Your Own Key when used with SaaS and public clouds.

· Hardware Security Module (HSM): Secure generation and storage of the cryptographic keys used for the encryption or tokenization of data. The hardware appliance is FIPS 140-2 Level 3 compliant.

· 2FA and existing LDAP support: The solution supports 2FA and can use existing IdPs through SAML, LDAP or OAuth.

Article 10.1: Put in place mechanisms to promptly detect anomalous activities.

How Fortanix helps: Centralized auditing, policy management and risk assessment.

· Integration with SIEM tools like Splunk: Auditing integration with SIEM tools (such as Syslog, Splunk, and CSP logging).

· Cloud key discovery and risk assessment: Centralized insight into the security posture of your critical data across a hybrid/multicloud environment.

· Centralized management of data security: Single, unified interface to manage data security across multiple cloud platforms.

Summary of Key Fortanix Functionality for DORA Compliance

· Centralised key management - With discovery, visibility, command control, policy enforcement, and reporting.

· Data protection, whatever its state - Trusted execution environments secure data at rest, in motion, and in use.

· Zero trust for your data - Policy-driven RBAC, quorum controls, and least-privileged access.

· Post-quantum ready - Algorithms ready for the post-quantum computing world with the ability to rapidly deploy updates.

· Privacy by design - Built-in privacy capabilities (Confidential Computing, Tokenisation, Data Masking, etc.) to significantly reduce risk and improve compliance.

Find Out More

Organisations delivering financial services in the EU must comply with DORA, including many ICT service providers who support the delivery of financial services. Again, check with your legal team to determine your DORA obligations.

If you are required to comply with DORA, then adopting Fortanix solutions will help deliver what you need to do. Read more on the Fortanix website at https://www.fortanix.com/solutions/compliance/digital-operational-resilience-act-dora, where you can also download a solution brief and other resources.

Renaissance partners with Fortanix to make their solutions available to MSPs in the Irish market. If you have any questions or want to chat about using Fortanix to deliver DORA compliance for your clients, get in touch.

Ehab A.

Director at NGS UK (Next Generation Security UK) & Director at Epaton.

1 year

Any mandate or advice from them on quantum?

Martin Boyle

Leader in: IT Operational Resilience, IT Cost Reduction and IT Sourcing

1 year

Michael, a useful insight into why c22000 financial organisations and their third-party providers need to take DORA seriously. Regards Martin @ DORACompliant.com

Arif Nota

Internal Audit, IT/OT Cybersecurity | AI Ops | ICS Security | Big 4 Alum | Lifelong Learner | MBA | MSc Cyber | AZ-104 | AZ-500 | CISM | PMP | CISA | CHIAP | CIA | CFE | CDPSE | CRISC | CRMA

1 year

Exciting news for financial institutions in the EU! Looking forward to reading more about how Fortanix can help implement DORA.

More articles by Michael Conway