February 5, 2024 By Louisa Muschal
Andrea Corbelli
3 min read

The Digital Operational Resilience Act (DORA) marks a significant milestone in the European Union’s (EU) efforts to bolster the operational resilience of the financial sector in the digital age. Envisioned to comprehensively address information and communications technology (ICT) risk management in financial services, DORA aims to harmonize existing regulations across EU member states. It mandates that all financial institutions within its scope build the necessary digital operational resilience, emphasizing a tailored approach for each organization.

Focusing on foundational capabilities

To address DORA effectively, financial institutions are advised to concentrate on mastering foundational capabilities in four key domains: Data, Operations, Risk Management, and Automation and AI. By strategically combining technology in these areas, organizations can enhance their ability to embed security, drive risk mitigation, enable continuous monitoring, ensure adaptive business continuity, foster interoperability, and streamline governance.

Strategic investments in digital operational resilience

While the economic landscape for financial institutions is challenging, compliance with DORA is not just another costly obligation. Instead, it presents an opportunity to transform compliance expenses into strategic investments that are aimed at delivering higher business performance. Embracing this mindset allows institutions to seek both compliance and long-term digital business value from their investments in digital operational resilience.

The role of confidential computing and data encryption

Confidential computing and data encryption play an important role in achieving total data privacy assurance: they protect data while it is in use, in memory, and extend that protection to systems and cloud administrators, who continue to manage the infrastructure without having access to the data.

We can see this emphasized within DORA as well, in the Regulatory Technical Standards (RTS) published for public consultation (1): Article 6 focuses on encryption and cryptographic controls, and Article 7 addresses cryptographic key management.

According to Article 6 of the RTS, data encryption is deemed essential throughout the entire data lifecycle, covering data at rest, in transit, and in use. This aligns seamlessly with the notion that achieving total data privacy, as mandated by DORA, requires a comprehensive approach to encryption, ensuring that sensitive information is protected at every stage of its existence.

Furthermore, the RTS Article 6 highlights the necessity for all networked traffic, both internal and external, to be encrypted. This requirement reinforces the idea that a secure and encrypted communication channel is paramount, resonating with the need for a robust and interlinked chain of trust from hardware to solution, as mentioned in the original text.

Article 7 of the RTS delves into cryptographic key management, emphasizing the importance of lifecycle management for cryptographic keys. This aligns with the concept that the technology components enabling confidential computing must form an interlinking chain of trust. By ensuring the immutability and authentication of the trusted execution environment, financial institutions can meet the regulatory expectations DORA sets out in Article 7.

In conclusion, the principles of confidential computing and cryptography, as articulated in the original text, find resonance in the specific requirements that are laid out in the RTS. Adhering to these regulatory standards not only ensures compliance with DORA but also establishes a robust framework for safeguarding sensitive financial data through encryption and effective key management practices.

Ensuring end-to-end protection

To achieve total data privacy assurance, confidential computing and cryptography are key components. The technology components enabling confidential computing must form an interlinking chain of trust from hardware to solution, delivering confidential computing as a solution with an immutable and authenticated trusted execution environment.

Total data security leading to data privacy, sovereignty and digital resilience requires end-to-end protection throughout the complete data lifecycle and stack. With confidential computing, keeping cloud providers away from the data rests not on trust, visibility and control but on technical proof, data encryption and runtime isolation.

Technical assurance for data security

Technical assurance is crucial to prevent unauthorized access to data. This implies that cloud administrators, vendors, software providers and site reliability engineers cannot access data while it is in use. Technical assurance also ensures that the cloud service provider (CSP) cannot release any data in the event of a legal request, preventing data protection breaches regardless of the applicable legislation and law enforcement action.

Fostering data sovereignty and digital resilience

Protection of data with technical assurance fosters data sovereignty and digital resilience. This means that complete control over the actual data lies with the cloud user, not the cloud provider. By leveraging confidential computing and cryptography, financial institutions can meet the stringent requirements of DORA, ensuring the highest level of technical assurance and safeguarding their digital operations in an evolving landscape.

In conclusion, DORA is not merely a compliance task but an opportunity for financial institutions to invest strategically in digital operational resilience. By incorporating confidential computing and cryptography into their strategy, organizations can navigate the digital wave with confidence, ensuring data privacy, security, and control in an ever-evolving digital landscape.

Take the first step towards enhancing data security and achieving compliance: learn more about IBM® Confidential Computing solutions, for example how Hyper Protect Virtual Server can help protect financial transactions and how IBM is addressing application-level security.

Explore Confidential computing on IBM Cloud
