February 5, 2024 By Louisa Muschal and Andrea Corbelli

The Digital Operational Resilience Act (DORA) marks a significant milestone in the European Union’s (EU) efforts to bolster the operational resilience of the financial sector in the digital age. Envisioned to comprehensively address information and communications technology (ICT) risk management in financial services, DORA aims to harmonize existing regulations across EU member states. It mandates that all financial institutions within its scope build the necessary digital operational resilience, emphasizing a tailored approach for each organization.

Focusing on foundational capabilities

To address DORA effectively, financial institutions are advised to concentrate on mastering foundational capabilities in four key domains: Data, Operations, Risk Management, and Automation and AI. By strategically combining technology in these areas, organizations can enhance their ability to embed security, drive risk mitigation, enable continuous monitoring, ensure adaptive business continuity, foster interoperability, and streamline governance.

Strategic investments in digital operational resilience

While the economic landscape for financial institutions is challenging, compliance with DORA is not just another costly obligation. Instead, it presents an opportunity to transform compliance expenses into strategic investments that are aimed at delivering higher business performance. Embracing this mindset allows institutions to seek both compliance and long-term digital business value from their investments in digital operational resilience.

The role of confidential computing and data encryption

Confidential computing and data encryption play an important role in achieving total data privacy assurance: they protect data while it is in use, in memory, and they extend that protection to cover systems and cloud administrators, who continue to manage the infrastructure without having access to the data.

This is also emphasized within DORA itself, in the Regulatory Technical Standards (RTS) published for public consultation (1): Article 6 focuses on encryption and cryptographic controls, and Article 7 addresses cryptographic key management.

According to Article 6 of the RTS, data encryption is deemed essential throughout the entire data lifecycle, covering data at rest, in transit, and in use. This aligns seamlessly with the notion that achieving total data privacy, as mandated by DORA, requires a comprehensive approach to encryption, ensuring that sensitive information is protected at every stage of its existence.

Furthermore, RTS Article 6 highlights the necessity for all network traffic, both internal and external, to be encrypted. This requirement reinforces the idea that a secure, encrypted communication channel is paramount, and it resonates with the need for a robust, interlinked chain of trust from hardware to solution, as discussed in the section on end-to-end protection below.

Article 7 of the RTS delves into cryptographic key management, emphasizing the importance of lifecycle management for cryptographic keys. This aligns with the concept that the technology components enabling confidential computing must form an interlinking chain of trust. By ensuring the immutability and authentication of the trusted execution environment, financial institutions can meet the regulatory expectations that DORA sets out in Article 7.

In conclusion, the principles of confidential computing and cryptography described in this article find resonance in the specific requirements laid out in the RTS. Adhering to these regulatory standards not only ensures compliance with DORA but also establishes a robust framework for safeguarding sensitive financial data through encryption and effective key management practices.

Ensuring end-to-end protection

Confidential computing and cryptography are key components of total data privacy assurance. The technology components enabling confidential computing must form an interlinking chain of trust from hardware to solution, delivering confidential computing as a solution with an immutable and authenticated trusted execution environment.

Total data security, leading to data privacy, sovereignty and digital resilience, requires end-to-end protection throughout the complete data lifecycle and stack. Confidential computing ensures that cloud providers are kept away from data not on the basis of trust, visibility and control, but on the basis of technical proof, data encryption and runtime isolation.

Technical assurance for data security

Technical assurance is crucial to prevent unauthorized access to data. It implies that cloud administrators, vendors, software providers and site reliability engineers cannot access data while it is in use. Technical assurance also ensures that the cloud service provider (CSP) cannot release any data in the event of legal requests, preventing data protection breaches regardless of legislation and law enforcement.

Fostering data sovereignty and digital resilience

Protecting data with technical assurance fosters data sovereignty and digital resilience. This means that complete control over the actual data lies with the cloud user, not the cloud provider. By leveraging confidential computing and cryptography, financial institutions can meet the stringent requirements of DORA, ensuring the highest level of technical assurance and safeguarding their digital operations in an evolving landscape.

In conclusion, DORA is not merely a compliance task but an opportunity for financial institutions to invest strategically in digital operational resilience. By incorporating confidential computing and cryptography into their strategy, organizations can navigate the digital wave with confidence, ensuring data privacy, security, and control in an ever-evolving digital landscape.

Take the first step towards enhancing data security and achieving compliance by learning more about IBM® Confidential Computing solutions, for example how Hyper Protect Virtual Server can help to protect financial transactions and how IBM is addressing application-level security.
