Date: 2024-01-26

DORA lays out a set of requirements across ICT risk management, incident reporting, operational resilience testing, cyber threat and vulnerability information sharing, and third-party risk management. As part of those requirements and in the context of data protection and cryptography, it lays out in Article 9 (“Protection and prevention”) that financial entities “shall use ICT solutions and processes” that “(a) ensure the security of the means of transfer of data” or “(c) prevent […] the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data.”

Further elements to consider in the context of Article 9 are referred to in Article 15 and laid out in the related (draft) regulatory technical standards, which the ESA published on January 17, 2024. In particular, JC 2023 86 provides detailed requirements on cryptographic guidance. In addition, its preambles state the following:

“Given the rapid technological developments in the field of cryptographic techniques, financial entities […] should remain abreast of relevant developments in cryptanalysis and consider leading practices and standards and should hence follow a flexible approach based on mitigation and monitoring to deal with the dynamic landscape of cryptographic threats, including those from quantum advancements.”

Below, we elaborate on the ‘cryptographic threats’ referred to above and the implications they could have for financial institutions in the context of quantum computing.