Understanding DORA regulation: How to secure your sensitive data

What is it?

The Digital Operational Resilience Act (DORA) is an EU regulation that aims to strengthen the IT security of financial entities (banks, insurance companies, and investment firms) and their ICT* Service Providers, and making sure that the financial sector in Europe is able to stay resilient in the event of a severe operational disruption. DORA complements existing regulations such as the GDPR and NIS2 Directive.

DORA is essentially based on best practice in risk management and cyber resilience.

It is nonetheless unique in 4 ways:

#1

Enlarged Scope

Larger scope than other regulations by embarking third-party ICT service providers, including the identification of sector-wide critical service provider to be supervised directly by the authorities.

#2

Authorities reporting

Introduction of various reporting obligations (e.g. major incident, critical third-party providers, ICT risk framework updates).

#3

ICT third-party risk

Reinforced management of ICT third-party risk over time, including exit strategies for critical third-parties.

#4

Advanced TLPT coverage

Mandatory coverage of critical and important functions by Threat-Led Penetration Testing, and involvement of TP within those tests.

What are the requirements?

Who are concerned by this regulation?

$480

in productivity is lost each year per employee due to the time spent resetting passwords.

$4.88 million

is the average cost of a data breach in 2024, representing a 10% increase compared to last year.

Implement MFA to secure data access

Chapter II Article 9 of DORA Multi-Factor Authentication

Requirement:

"Implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, […] based on results of approved data classification and ICT risk assessment processes."

In other words, DORA requires entities to conduct a risk assessment of their ICT assets and processes to determine where Multi Factor Authentication is necessary to mitigrate risk. The MFA, which includes safeguards against phishing, applies to the workforce members (e.g., employees and contractors) of the entities.

Article 21 RTS about ICT Risk Management

Article 21 of the final draft RTS on ICT risk managament framework develops the authentication requirements in more detail. It states:

• the use of authentication methods commensurate to the classification established in according with Article 8 (1) of Regulation (EU) 2022/2554 and to the overall risk profile of ICT assets and considering leading practices.

• the use of strong authentication methods in accordance with leading practices and techniques for remote access to the financial entity's network, for privileged access, for access to ICT assets supporting critical or important functions or ICT assets that are publicly accessible.

The RTS stresses the importance of performing strong authentication of workforce members in case of remote access to the company's network (e.g. via a Virtual Private Network (VPN), and access to ICT assets supporting critical or important functions.

What is Multi Factor Authentication?

DORA mandates multi-factor authentication (MFA), requiring users to verify the identity through an authentication mechanism. This strong authentication is generally composed of at least two authentication factors sourced from three possible categories of authentication. The goal is to establish robust authentication mechanisms that provide comprehensive protection against fraudulent attacks.

At least 2 independant factors among:

Possession

What I own

Knowledge

What I know

Inherence

What I am

Worldline Trusted Authentication, to provide a secure and seamless experience for your employees and customers.

Solution available on all devices: mobile, browser and tablets.
Different delivery methods to adapt to your digital strategies.
Compliant all requirements outlined in PSD2 RTS, eIDAS and GDPR regulation.
Inclusive and accessible solution that complies with WCAG AA accessibility requirements.
This solution fights all know types of fraud attacks to ensure security for your employees.

Protect data at rest and in transit

Chapter II, Article 9

"Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit."

Article 6, RTS on Risk management framework

Financial entities shall design the policy on encryption and cryptographic controls referred to in paragraph 1 on the basics of the results of an approved date classification and ICT assessment.

That policy shall contain rules for all of the following:

• the encryption of data at rest and in transit;
• the encryption of data in use, where necessary;
• the encryption of internal network connections and traffic with external parties;
• the cryptographic key management referred to in Article 7, laying down…

Encryption or tokenization?

Two methods to keep data safe at rest and in transit

Encryption

In encryption, 'plain text' is converted into 'cipher text' using a complex algorithm and encryption key. The cipher text can only be decoded into plain text using a matching decryption key. Although this method has received considerable attention in cryptographic research, the security of encrypted data hinges on robust key management. Any compromise in key security could potentially jeopardize the data.

Tokenization

Tokenization is the increasingly favored data protection method within financial and payment systems, with a projected volume of 1 trillion transactions in 2026 according to Juniper Research. Payment tokenization substitutes sensitive data with non-sensitive 'tokens' that have no intrinsic value. The original sensitive data is securely stored in a separate database, often referred to as a token vault, while the tokens are used throughout different systems and applications.

Both encryption and tokenization are vital tools for protecting sensitive data, but the unique characteristics and strengths of tokenization often make it a more secure and robust choice.

Worldline Sensitive Data Protection :

Power your business with an end-to-end solution designed to secure your most valuable assets.

Would you like to learn more?

Simply fill in a few details and our experts will get in touch.

modern businesswoman looking at the camera while holding a digital tablet

* Mandatory fields

First name *

Last name *

Email *

Company name *

Message *

I would like to receive offers, event information, and other relevant updates from Worldline. I understand that I can change or withdraw my consent at any time.

By submitting this form, I confirm that I have read and understand the terms of use from Worldline, and that Worldline will process my personal data as stated in the privacy policy.