The Network and Information Systems (NIS), a European Union (EU) directive, was established in July 2016. This directive was proposed by the European Commission (EU) and aimed to enhance the level of cybersecurity across the member states of the EU. It focused on strengthening the collaboration between the member states and the organizations while aligning with cybersecurity measures. Its scope is comprised of two categories: Operators of Essential Services (OES) and certain Digital Service Providers (DSPs).

However, due to a lack of accountability and dependency on individual member states’ choices, the European Commission announced its plan of action to replace the NIS directive with a more secure framework, along with the incorporation of stronger requirements.

Therefore, on January 16, 2023, the Directive (EU) 2016/1148 (NIS 1) was replaced by the Directive (EU) 2022/2555, known as NIS 2.

Key Changes in the NIS2 Directive    

“NIS2,” the newer version of NIS, establishes stricter cybersecurity requirements for the various organizations in the EU member states, with a deadline of October 17, 2024. Its aim is to strengthen cybersecurity and resilience for critical infrastructure and digital service providers in the EU. 

The major changes introduced in the NIS2 directive to establish a greater level of cybersecurity in the ever-evolving technological space are as follows:  

1. Extension of scope  

The NIS2 expands its scope from seven sectors to eighteen based on the impact they have on the economy and society, along with their interconnectedness and their level of digitalization.   

The scope includes all medium and large-sized organizations in the selected sectors based on organization size in terms of the number of employees and revenue generated.  

2. New categorizations

NIS2 removes the NIS distinction between the Operators of Essential Services (OES) and certain Digital Service Providers (DSPs). Rather, organizations are now classified based on importance and are therefore divided into two categories, namely: ‘essential’ and ‘important.’  

By April 17, 2025, these essential and important entities must be registered. The Member States of the EU must find them and enable them to register themselves. This implies that entities must figure out whether they fall under the scope mentioned in the NIS2 directive.

3. Introduction of accountability management  

NIS2 introduced the concept of accountability and states that the management of the organizations in scope will be responsible for the level of security they possess. This includes the conduction of risk assessments, the establishment of security policies, information system security, incident handling, business continuity, and supply chain security. Therefore, the members of the management team of an organization are responsible for complying with the cybersecurity risk management requirements.

4. Introduction of fines  

The NIS2 directive provides the authorities with the power to enforce fines on organizations that fail to comply with the NIS2 directive. The details of the fines imposed are as follows: 

5. Incident reporting  

NIS2 introduces stricter requirements for the process of incident reporting, including the detailing of the reports. The organization that experiences a cybersecurity incident must not only report it to the local Computer Security Incident Response Team (CSIRT) but also notify the customers if they are impacted by it.   

In case of ‘significant incidents,’ the entity must notify the customers in phases, including an ‘early warning’ within 24 hours of discovering the incident.   

6. The creation of the Computer Security Incident Response Team (CSIRT) platform

This platform was developed to enhance collaboration among the EU Member States when they deal with cybersecurity incidents.   

The European Vulnerability Disclosure Database was created by the European Union Agency for Cybersecurity (ENISA), which acts as a central repository to share information about the identified cybersecurity vulnerabilities, thereby warning the Member States to enhance their security posture accordingly.  

7. Enhancing Cybersecurity in Supply Chains  

This key change impacts many suppliers who are not in the scope of the NIS 2 directive but provide services to an entity that falls under the scope. It states that the entities are solely responsible for the level of cybersecurity in their supply chain, including handling cybersecurity risks.   

NIS1 vs. NIS2: What’s the Difference?  

What are the cryptographic requirements in the NIS 2?  

The NIS 2 directive ensures that the requirements stated by it for the organizations are always fair and there is no irregularity. Therefore, the requirements for larger organizations indicate their role in society, and smaller organizations are not disproportionally affected by it.  

Therefore, NIS2 mandates that the various essential and important entities must meet the minimum number of requirements. Similar to the above-mentioned four focus areas of this directive, the following measures will provide you with an overview of the minimum requirements areas of this directive. These include:  

• Risk assessments and security policies for information systems.

• Policies and procedures for evaluating the effectiveness of security measures.

• Policies and procedures for the use of cryptography and, when relevant, encryption.

• A plan for handling security incidents.

• Security around the procurement development and operation of systems. This means having policies for handling and reporting vulnerabilities.

• Cybersecurity training and practice for basic computer hygiene.

• Security procedures for employees with access to sensitive or important data, including policies for data access. Affected organizations must also have an overview of all relevant assets and ensure that they are properly utilized and handled.

• A plan for managing business operations during and after a security incident. This means that backups must be up to date. There must also be a plan for ensuring access to IT systems and their operating functions during and after a security incident.

• The use of multi-factor authentication, continuous authentication solutions, voice, video, and text encryption, and encrypted internal emergency communication when appropriate.  

• Security around supply chains and the relationship between the company and direct suppliers. Companies must choose security measures that fit the vulnerabilities of each direct supplier. Companies must then assess the overall security level of all suppliers.

Here are the key articles mentioning encryption standards and cybersecurity measures under the NIS2 directive. 

The Key Aspects of NIS2:  Article 20, 21 & 23 

Articles 20, 21 & 23 act as the key pillars of the NIS2 directive, covering areas of Governance, Risk Management, and Incident Reporting, respectively. An organization complying with the requirements stated under these articles has enhanced cybersecurity resilience. Let us explore these articles in detail. 

Article 20

Article 20 of the NIS 2 directive focuses on the Governance aspect of the management bodies of the member states. It aims to ensure that the management of both essential and important entities practice cybersecurity measures. It states that they need to approve and supervise cybersecurity measures so that their organizations achieve the requirements. And, if they fail to do so, they will be held responsible.   

Additionally, the following points must be noted to ensure that your organizations align with the requirements stated in this article.   

• Management teams must undergo cybersecurity training to gain knowledge and understand cyber risks and the best practices they must follow to create a secure infrastructure.

• Employees working in various essential and important entities must also be provided with specialized training to enable them to identify risks and assess cybersecurity risk-management practices.

However, the liability of public officials and government employees will be decided by each country’s national laws rather than this specific regulation. To simplify, management bodies of private essential and important entities will be held accountable for cybersecurity failures, but rules for public institutions such as government agencies differ. 

Article 21

This article focuses on the cybersecurity risk management practices to be followed by both entities, important and essential. It states that organizations must implement strong security measures to protect their infrastructure from cyber threats, ranging from networks to information systems. These measures must be in accordance with the latest technology, relevant standards, and the level of risk faced by that organization. Furthermore, various factors must be considered, such as the organization’s size, exposure to risks, and the impact they may have.   

The article also outlines specific practices to achieve a greater level of security across the organization. These include risk incident policies, backup management, business continuity plans, and cybersecurity training. Also, entities must assess their supply chains to identify vulnerabilities, including the suppliers’ cybersecurity practices and secure development procedures, and ensure they follow strong cybersecurity practices.   

Article 21 has mandated the following measures for the organization to adhere to the NIS 2 directive. These are as follows:  

1. Policies on risk analysis and information system security.

2. Incident handling.

3. Business continuity, such as backup management, disaster recovery, and crisis management.

4. Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers.

5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.

6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures.

7. Basic cyber hygiene practices and cybersecurity training.

8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption.

9. Human resources security, access control policies, and asset management.

10. The use of multi-factor or continuous authentication and secured voice, video, text, and emergency communication systems within the entity, as appropriate.

Article 23

Article 23 of the NIS2 directive covers Reporting Obligations in a detailed manner. It states that the Member States are responsible for reporting to the Computer Security Incident Response Teams (CSIRTs) about cybersecurity incidents that may impact the organization’s services or could cause financial or reputational damage.   

To align with the requirements of Article 23, organizations should consider the following key aspects:  

• An early warning must be provided within 24 hours of the incident to spread awareness and notify within 72 hours. Thereafter, a detailed and final report must be submitted within a month, including the description of the incident that took place, its severity, impact, etc.

• In case one single incident affects multiple countries, then the information must be shared across them effectively for improved coordination. 

• Authorities who deal with these reports must also respond quickly and provide the necessary feedback and guidance.

• Every three months, the EU cybersecurity agency ENISA will save and analyze the incident data to improve cybersecurity policies.

The Key Focus Areas of the NIS2 Compliance   

The NIS 2 directive includes the addition of requirements for the four key areas of your organization, namely, management, proper reporting to the authorities, strategies for risk management, and establishing plans for business continuity.  

Let us explore them in detail.  

1. Management

It is the sole responsibility of the members of the organization to be aware of the requirements established by the directive. It states that the management must identify the cyber risks of the organization and address them to comply with the requirements. If they fail to do so, it may result in penalties for the management and even a temporary ban from management roles. 

2. Proper incident reporting

This requirement states that organizations must have established plans to ensure that in case of incidents, they are reported directly to the concerned authorities. 

• An early warning, i.e., “within 24 hours,” a warning must be reported stating a cybersecurity incident has happened.

• An initial assessment must be provided along with all the relevant details of the incident within 72 hours.

• A final report is to be provided to the authorities within one month, which outlines all the details of the incident that took place, its cause, and the actions taken by the organization to mitigate it. This report also includes the severity and the consequences of the incident and the type of threat that led to the incident.

3. Strategies for risk management

This requirement mandates the implementation of technical, operational, and organizational measures to manage risks across the organization’s infrastructure. These include the establishment of risk analysis policies, enhanced network security, incident handling, access controls, improved supply chain security, and policies regarding the use of cryptography. It states that cybersecurity risks should be managed based on the type of risks faced, considering factors such as the entity’s size, exposure to risks, and potential incident severity.  

4. Establishment of plans for business continuity

Organizations must establish strategies to achieve business continuity in the case of cyber incidents. These plans must include the creation of an incident response team, procedures to be followed in case of emergency, and backups for system recovery.   

Steps to achieve NIS2 compliance  

Compliance is not just about meeting the requirements set by the directive but also strengthening your resilience against growing and evolving cybersecurity threats. Therefore, organizations aligning with NIS 2 not only meet the requirements but also enhance their overall security posture.  

To prepare itself to achieve NIS2 compliance, an organization must follow a step-by-step approach. This approach broadly consists of six steps, which are as follows:  

1. Identifying cybersecurity risks

This step refers to the identification of various cybersecurity risks in the critical infrastructure of your organization, generally carried out by the Chief Information Security Officer (CISO). The NIS2 directive mandates the establishment of effective measures to mitigate risks and manage them, as well as the implementation of appropriate procedures, technologies, and systems to identify risks and mitigate them accordingly.  

2. Evaluation of your security posture

Evaluation of security posture refers to the process of reviewing the existing policies and technologies to assess how effective the strategies of your organization are to mitigate risks. It also includes identifying vulnerabilities, followed by an in-depth analysis to understand their impact.  

3. Protect privileged access

The privileged users in your organization are the main targets for unauthorized access to sensitive data, leading to data breaches and even causing service disruptions. To prevent this, NIS2 recommends the minimization of privileged access, implementation of access controls such as continuous authentication, and maintenance of access logs to detect threats and respond to incidents effectively.  

4. Strengthen your ransomware defenses

To strengthen your organization’s ransomware defenses, employees must be educated about phishing attacks, and there must be secure established processes for data backup. This also includes hardening endpoints through access controls and network segmentation to enhance resilience and ensure that the organization is able to recover quickly from various cybersecurity attacks.  

5. Adopt a zero-trust strategy

Traditional security measures are ineffective for cloud services and hybrid models. Therefore, the adoption of a zero-trust strategy is a must, as it assumes that risks can be from any of the users and devices. For this, authentication processes must be implemented for every entity, such as user identity, device type, location, and access frequency. This ensures that the security of all the systems and the sensitive data across the organization is enhanced.  

6. Inspect software supply chain

This step ensures that the entire lifecycle of software development, ranging from code creation to deployment and distribution, is inspected and secured. This includes enforcement of strict identity and access management for secure source code and conducting automated security procedures. 

Impact of NIS2 on Businesses 

The NIS2 directive establishes stricter security requirements that impact businesses and industries across the EU. To comply with the requirements of this directive, organizations must enhance their overall security posture, introduce risk management strategies, and establish smooth incident reporting mechanisms. The following are the risks of non-compliance and the benefits of complying with it.   

Risks of non-compliance

Failure to meet NIS 2 requirements results in ineffective cyber resilience, therefore increasing the possibility of the occurrence of cyber incidents in your organization. Without effective security measures in place, the possibility of breaches, ransomware attacks, and data leaks increases. This would result in organizations facing high recovery costs, regulatory fines, and legal complications.  

Additionally, this handling of financial overhead could lead to a loss in revenue and affect the organization’s reputation. Furthermore, security breaches can result in operational downtimes, causing a reduction in productivity and impacting its long-term success.  

Benefits of compliance

An organization complying with the NIS 2 directive establishes operational stability and ensures the protection of critical data across its infrastructure. By implementing this proactive security measure, you can lower the risks of cyber threats such as data breaches and ransomware attacks.   

Complying with NIS2 allows an organization to be digitally safe, ensuring that its infrastructure, supply chains, and critical data remain protected. Therefore, by aligning its requirements with the NIS 2 directive, an organization not only protects its operations but also enhances customer trust.  

What happens if you don’t comply with NIS2?  

If an organization fails to comply with the NIS2 directive’s requirements, it may face serious consequences. Let us learn more about it.  

1. Financial penalty

Organizations failing to comply with the requirements of the NIS 2 directive will have to face huge penalties according to the category they belong to.   

• Essential companies: Entities belonging to this type fine up to €10 million euro or 2% of their global annual revenue.

• Important companies: Entities belonging to this type of k fines for up to €7 million euro or 1.4% of their global annual revenue.

2. Legal complications

In addition to fines, if an organization fails to comply with the NIS 2 directive, the members of the management team of that organization will be held responsible for not adhering to the requirements and may face legal action against them.  

3. Loss of trust

Non-compliance may also lead to a loss of trust from customers, partners, and even stakeholders, resulting in reputational damage to the organization. 

How can EC help?  

The NIS2 directive was established to enhance cybersecurity practices across the various critical sectors, and the first crucial step to achieve and maintain NIS2 compliance is an in-depth risk assessment and gap analysis. Our encryption advisory services include thorough audits and assessments to identify the gaps in various processes that can expose your organization to compliance risks. Here’s how we can assist you:   

1. In reviewing existing policies of your organization’s infrastructure

This involves identifying your current encryption abilities and understanding whether any limitations exist in your systems or not. We also examine your overall security to ensure that we have a complete image of your infrastructure, considering the various use cases associated with your organization.  

2. To assess gaps and identify vulnerabilities

This includes identifying gaps in your existing policies against the industry standards to ensure adherence to security and compliance requirements. For this, we conduct workshops for discussions about your current applications, encouraging collaboration among team members to gather valuable insights. Additionally, we created an assessment questionnaire to fetch important information about your encryption practices. Therefore, through this evaluation, we identify existing data encryption capabilities and identify specific domains for improvement.  

3. In implementing the roadmap

After the successful completion of the assessment, we will provide you with an in-depth report which consists of summaries of our findings and recommendations for each of them. This report lays out a strategy to implement the necessary capabilities to ensure that you are well-prepared to enhance your encryption practices. Also, our roadmap will aid you in adhering to the industry standards and aligning with the best practices to enhance data protection and help you align according to your compliance requirements. 

Conclusion

The NIS2 Directive is a key element in the European Union’s action to strengthen cybersecurity and protect its essential services. It lays down a clear guideline for member states, builds collaboration, and focuses on securing the supply chain within the region.

For organizations, NIS2 is more than just a regulation. Rather, it is an opportunity for organizations to improve how they manage cyber risks. Adopt strong risk management practices, prepare for incident response, and build solid governance frameworks. Businesses will not only protect their systems but also establish customer trust and contribute to a safer digital environment.

It may be overwhelming to learn about and comply with these new requirements, but the good news is that you won’t have to do it alone. Contact our team to get started today.

Introduction to DORA

Cybercriminals are hitting financial institutions harder than ever, with cyber threats increasing at an alarming rate. According to IBM, in 2023, the average cost of a data breach in the financial industry was reported to be $5.90 million, and it surged to $6.90 million in 2024. On top of that, a report published by Trend Micro revealed that the banking sector ranked as the No. 1 industry for detected ransomware attacks in 2023. As financial institutions become more interconnected and reliant on digital infrastructure, the risks continue to grow. This evolving threat landscape made it clear that a stronger, standardized approach to cybersecurity and operational resilience is essential. That’s why DORA was introduced. 

The Digital Operational Resilience Act (DORA) is a European Union regulation that is designed to strengthen both the operational resilience and regulatory compliance of financial institutions against Information and Communication Technology (ICT) risks. Financial institutions rely heavily on ICT systems for their digital infrastructure, networks, and data management. However, if these systems are not managed effectively, they can become vulnerable entry points for cyber threats, operational failures, and third-party risks. A security breach or operational disruption could expose sensitive data, interrupt critical services, and ultimately jeopardize financial stability. 

To avoid this, DORA establishes a comprehensive framework for managing, mitigating, and reporting ICT-related incidents. This framework ensures that financial institutions not only meet regulatory requirements but are also well-equipped to withstand, respond to, and recover from cyber threats and operational disruptions. 

DORA provides clear and consistent rules for operational resilience across the EU, primarily focusing on: 

• Mitigating the risks posed by increasing vulnerabilities due to the growing interconnectivity within the financial sector. 
• Ensuring that dependencies on third-party service providers are effectively managed, safeguarding the stability and security of financial operations.
• Addressing the new risks that arise from the growing use of digital financial services. 
• Establishing a unified supervisory framework across the EU to ensure consistent oversight and resilience within the financial sector. 

Who Must Comply with DORA?

DORA applies to a broad range of financial entities, including banks, insurance companies, investment firms, payment service providers, crypto-asset service providers, and ICT service providers that support these financial institutions.  

As of January 2025, Article 2 of the DORA regulation specifies the following 21 categories of in-scope entities:   

1. Credit institutions 
2. Payment institutions, including those exempted under the Directive (EU) 2015/2366
3. Account information service providers  
4. All electronic money institutions  
5. Investment firms  
6. Crypto asset service providers  
7. Central securities depositories  
8. Central counterparties  
9. Trading venues  
10. Trade repositories  
11. Alternative investment fund managers  
12. Management companies  
13. Data reporting service providers  
14. Insurance and reinsurance undertakings  
15. Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries  
16. Institutions for Occupational Retirement Provision  
17. Credit rating agencies  
18. Administrators of critical benchmarks
19. Crowdfunding service providers  
20. Securitization repositories  
21. ICT third-party service providers 

Notably, DORA’s scope extends beyond traditional financial entities to include Information and Communication Technology (ICT) third-party service providers. These are firms that offer digital services to financial institutions, such as cloud service providers, software vendors, data analytics companies, and managed service providers. The inclusion of these service providers highlights the critical role they play in the infrastructure of the financial sector and the risks that come with dependency on them. 

Under DORA, ICT third-party service providers must:  

• Cooperate with financial entities for regular resilience testing.
• Notify the financial entities about any ICT-related incidents or disruptions.
• Maintain business continuity plans to ensure service delivery during unforeseen events.
• Comply with EU privacy and confidentiality requirements to protect sensitive data.

By encompassing both financial institutions and their critical ICT service providers, DORA aims to create a strong and unified approach to operational resilience across the EU’s financial sector.  

DORA Timeline

DORA was first proposed on September 24, 2020, and later approved by the European Parliament and Council on November 24, 2022. It was officially published in the EU Journal on December 27, 2022, and came into effect on January 16, 2023. Financial entities and third-party service providers were given two years to familiarize themselves with DORA’s requirements and achieve compliance before full enforcement began on January 17, 2025. 

Now that the deadline has passed, organizations must ensure that they are fully compliant with DORA’s requirements, conduct regular resilience testing, and continuously monitor their ICT risk management frameworks to avoid penalties and operational disruptions.  

Core Pillars of DORA

DORA is built on five key pillars that strengthen the digital resilience of financial institutions, and they are: 

1. ICT Risk Management

   As outlined in Chapter II, ICT Risk Management is a fundamental pillar of DORA. It ensures that financial entities take a structured and proactive approach to identify, assess, and mitigate technology-related risks. By enforcing continuous monitoring, timely risk assessments, and adaptive response strategies, DORA enhances resilience against cyber threats and operational disruptions.

   Financial institutions must implement the following measures to enhance ICT risk management:

   • Set up a dedicated ICT risk management team to oversee risks, monitor service providers, document risk exposure, and regularly assess ICT-related dependencies.
   • Implement real-time threat detection, continuity planning, and recovery measures to ensure swift incident response.
   • Strengthen digital resilience by identifying vulnerabilities and cyber threats, reviewing past incidents to determine root causes, and implementing necessary improvements.
   • Have a structured crisis communication plan to ensure clear internal coordination and timely external notifications in case of disruptions.

2. ICT-Related Incident Reporting

   Chapter III, ICT-related incident management, classification, and reporting, lays out a standardized approach for detecting, classifying, and reporting ICT incidents, ensuring financial institutions stay ahead of potential threats.

   Under DORA, financial entities need structured processes to track incidents, assess their impact, and notify the right people—both internally and externally. Internally, that means quickly identifying issues and keeping all relevant teams updated. Externally, it involves timely reporting to regulators and, in cases like data breaches, notifying affected customers.

   To comply with DORA, financial institutions must adhere to the following guidelines:

   • Establish a structured process for detecting, managing, and reporting ICT incidents, including logging all ICT incidents and major cyber threats for tracking and future analysis.
   • Investigate and classify incidents based on severity, considering affected customers, service disruptions, data loss, downtime, and financial impact. Document root causes, take corrective actions to prevent recurrence, and maintain early warning systems and response plans to limit damage and ensure quick recovery.
   • Report serious ICT incidents to regulatory authorities when they disrupt critical operations or pose security risks.

3. Digital Operational Resilience Testing

   DORA mandates that financial institutions regularly test their ICT risk management frameworks to assess their ability to withstand cyber threats and operational disruptions. According to Chapter IV – Digital Operational Resilience Testing, financial entities must perform regular risk-based testing, including vulnerability assessments and scenario-based testing, to identify weaknesses and implement corrective measures. These tests must be conducted by independent internal or external parties.

   To strengthen digital resilience, financial institutions must take the following actions:

   • Have a structured, risk-based resilience testing program as part of their ICT risk management framework to assess readiness for ICT incidents, identify weaknesses, and ensure timely corrective actions.
   • Establish clear procedures for prioritizing and addressing issues, with internal validation to track remediation efforts.
   • Conduct resilience testing for critical ICT systems annually, and for high-risk organizations, perform advanced threat-led penetration testing (TLPT) at least every three years as required by regulators.

4. Management of ICT Third-Party Risk

   DORA imposes strict requirements on financial institutions to manage risks associated with ICT service providers, with Chapter V specifically focusing on ICT third-party risk management. It ensures that financial entities thoroughly assess third-party providers before entering agreements, ensuring they meet security and regulatory compliance. Contracts must clearly define service scope, quality expectations, monitoring requirements, and termination clauses.

   To comply with DORA, financial institutions must implement the following measures:

   • Develop a clear vendor risk management strategy and maintain a register of all ICT providers, documenting their roles in critical or important functions for regulatory review.
   • Report new ICT service agreements to regulators annually and provide advance notice for contracts involving critical services.
   • Adopt a risk-based approach for audits, inspections, and monitoring of ICT providers.
   • Evaluate the difficulty of replacing ICT providers, explore other alternatives before entering contracts, and assess risks related to vendor insolvency or data protection regulations.

5. Information and Intelligence Sharing

   Chapter VI promotes the sharing of information and threat intelligence amongst the EU financial community. By fostering collaboration, financial institutions can enhance awareness, strengthen threat detection, and build more effective defense strategies against cyber risks.

   To ensure secure and effective information sharing, financial institutions must adhere to the following guidelines: 

   • Facilitate threat intelligence sharing to enhance awareness, limit cyber threats, and improve detection and response strategies.
   • Participate in secure and trusted communities of financial institutions for cyber intelligence exchange.
   • All exchanges must follow strict confidentiality, data protection, and competition rules to safeguard sensitive business information.
   • Establish formal agreements outlining participation terms, including the involvement of authorities and third-party ICT providers.
   • Notify regulators about their participation in such arrangements.

Together, these five pillars create a strong foundation for financial institutions to navigate ICT risks, ensuring resilience against cyber threats and operational disruptions. By emphasizing proactive risk management, continuous testing, and secure collaboration, DORA enhances the financial sector’s ability to safeguard critical operations and maintain regulatory compliance. 

Role of Cryptography in DORA

Cryptography plays a fundamental role in the Digital Operational Resilience Act (DORA) by protecting the digital infrastructure, data, and communication systems of financial institutions. As the financial sector becomes more dependent on Information and Communication Technology (ICT), the importance of cryptographic measures in ensuring the confidentiality, integrity, and availability of critical data cannot be overstated. DORA outlines specific obligations related to cryptographic controls to mitigate risks associated with cybersecurity threats and operational disruptions. 

1. Article 6 – Encryption and Cryptographic Controls

   DORA mandates that financial institutions establish a formal policy for encryption and cryptographic controls to protect financial and customer data. This includes:

   • Article 6.2(a) – Encryption of data at rest and in transit to prevent unauthorized access.
   • Article 6.2(b) – Rules for the encryption of data in use, where necessary. If not possible, data in use shall be processed in a separate and protected environment or with equivalent measures to ensure confidentiality, integrity, authenticity, and availability.
   • Article 6.2(c) – Encryption of internal network connections and external communications to secure sensitive data exchanges.
   • Article 6.2(d) – Strong cryptographic key management to regulate the use, storage, and lifecycle of cryptographic keys (referring to Article 7).
   • Article 6.4 – Periodic updates to cryptographic technology to ensure resilience against evolving cyber threats.

2. Article 7 – Cryptographic Key Management

   Proper management of cryptographic keys is critical for preventing unauthorized access, data breaches, and operational risks. DORA requires financial institutions to:

   • Article 7.1 – Manage cryptographic keys throughout their entire lifecycle, including generation, renewal, storage, backup, transmission, and destruction.
   • Article 7.2 – Implement strict access controls to protect cryptographic keys from unauthorized access, modification, or loss throughout their lifecycle.
   • Article 7.3 – Develop key replacement mechanisms in case of compromise or damage.
   • Article 7.4 – Maintain a register of all cryptographic certificates and certificate-storing devices for critical ICT assets.
   • Article 7.5 – Ensure timely renewal of cryptographic certificates to maintain security.

3. Article 9 – Secure Authentication and Access Controls

   DORA reinforces the need for secure authentication methods and controlled access to ICT assets using cryptographic security measures. Financial institutions must:

   • Article 9.4(a) – Develop an information security policy to safeguard data authenticity, integrity, and confidentiality.
   • Article 9.4(c) – Enforce strict access controls, limiting physical and logical access to information assets and ICT assets to only authorized users.
   • Article 9.4(d) – Implement strong authentication mechanisms based on recognized standards, including cryptographic key protection.

The Cost of Non-Compliance

Failing to comply with DORA isn’t just a regulatory issue—it comes with serious financial and reputational risks. Financial institutions and third-party service providers (TPSPs) that don’t meet DORA’s requirements can face hefty fines and other penalties.  

Here’s what non-compliance could mean:  

For Financial Entities:  

• Fines of up to two percent of total annual worldwide turnover or average daily worldwide turnover. 
• Individuals could be fined up to €1,000,000 for failing to comply. 

For Third-Party Service Providers (TPSPs):  

• Critical TPSPs can face fines of up to €5,000,000.
• Individuals within these providers may be fined up to €500,000. 
• If a financial entity fails to report a major ICT-related incident or threat, the ESAs can also impose a fine. 

Organizations that fail to meet the requirements of DORA not only face significant penalties but also risk damaging their reputation and losing customer trust.  

Who Will Oversee DORA Compliance?

DORA will be enforced by various EU regulatory bodies. National Competent Authorities (NCAs) in each EU member state will play a key role in overseeing compliance at a local level.  

At the European level, three major regulatory agencies will be involved: 

• European Banking Authority (EBA)
• European Securities and Markets Authority (ESMA) 
• European Insurance and Occupational Pensions Authority (EIOPA) 

These regulators will have the authority to oversee and enforce compliance with DORA, ensuring that financial entities meet the required resilience obligations. They can conduct audits and inspections to assess adherence, impose fines and penalties on organizations that fail to comply, and directly monitor ICT third-party service providers to ensure they implement the necessary risk management, security, and operational resilience measures as required by DORA.  

How can EC help?

At Encryption Consulting (EC), we specialize in providing tailored encryption assessments to help organizations achieve compliance with regulatory requirements such as DORA, HIPAA, and GDPR, as well as industry standards like NIST and PCI-DSS. Our process begins with evaluating your current infrastructure against established standards, allowing us to identify any gaps in your security measures. From there, we provide a roadmap that outlines the steps needed to achieve compliance effectively. Here’s how we can assist you:    

We start with a review of your existing policies. This involves identifying your current encryption capabilities and understanding any limitations in your systems. We also examine your overall security setup to ensure we have a complete picture of your environment, taking into account various use cases relevant to your organization. 

Next, we assess the gaps in your current policies. This includes identifying gaps in your existing policies against industry standards to ensure adherence to security and compliance requirements. We also conduct workshops to facilitate discussions about your current applications, encouraging collaboration among team members to gather valuable insights. Additionally, we create an assessment questionnaire designed to capture important information about your encryption practices. Through this evaluation, we identify existing data encryption capabilities and pinpoint specific areas for improvement. 

Once the assessment is complete, we transition into the implementation phase with a detailed roadmap. We provide a comprehensive report summarizing our findings and recommendations for each finding. This report serves as a foundational guide for implementing necessary encryption enhancements. Our roadmap aligns your processes with industry standards, strengthens data security, and ensures compliance. 

By choosing our encryption assessment services, you take a proactive step towards strengthening your organization’s compliance with relevant standards. We guide you through the process, ensuring your strategies are both effective and aligned with your business goals. 

Conclusion

Digital operational resilience is no longer an option; it has become a necessity, and that is why DORA was introduced. It outlines a clear framework for managing ICT risks, enhancing incident response, and securing third-party dependencies. Effective ICT risk management, proactive incident response, and rigorous resilience testing are not just about regulatory compliance—they are essential for maintaining stability in an increasingly digital world. By integrating DORA’s principles into daily operations, firms can strengthen their defenses, protect customer trust, and stay ahead of evolving threats.