The Linux Foundation Projects
Skip to main content
Blog

DORA and the Future of Financial ICT Security: Why Confidential Computing Is the Answer

By December 23, 2024No Comments4 min read

Author:  Sal Kimmich

The Digital Operational Resilience Act (DORA), a landmark regulation from the European Union, is reshaping the landscape of information and communication technology (ICT) security for financial entities. Designed to strengthen operational resilience, DORA mandates comprehensive measures to protect ICT systems against disruptions and cyber threats, ensuring the continuity of critical financial services.

What Is DORA?

DORA establishes a unified framework for ICT risk management, oversight, and reporting for financial entities operating in the EU. The act applies to banks, insurance companies, investment firms, and other financial organizations, aiming to safeguard the stability of financial systems amid increasing cyber threats.

DORA will come into effect on January 17, 2025, requiring financial entities to meet stringent ICT security and operational resilience standards. The regulation introduces detailed requirements for ICT risk management, third-party ICT service provider oversight, and robust incident reporting mechanisms.

Why Chapter II, Section II, Article 8, Paragraph 2 Matters

One of the most critical aspects of DORA is outlined in Chapter II, Section II, Article 8, Paragraph 2, which states:

Financial entities shall design, procure and implement ICT security strategies, policies, procedures, protocols and tools that aim at, in particular, ensuring the resilience, continuity and availability of ICT systems, and maintaining high standards of security, confidentiality and integrity of data, whether at rest, in use or in transit.

This provision emphasizes a holistic approach to ICT security—ensuring that data remains secure across its entire lifecycle: while being stored, processed, or transmitted. It aligns operational resilience with data confidentiality and integrity, which are foundational for maintaining trust and mitigating systemic risks.

However, the requirement to protect data in use poses a unique challenge. Traditional security measures like encryption effectively safeguard data at rest (storage) and in transit (network transmission), but they falter when data is actively being processed. This is where Confidential Computing steps in as a game-changing solution.

Confidential Computing: The Clear Candidate

Confidential computing enables the protection of data in use by leveraging hardware-based secure enclaves. These enclaves create an isolated environment where sensitive computations can occur, shielding them from unauthorized access—even from the host operating system or cloud provider. By ensuring the confidentiality and integrity of data in use, confidential computing directly addresses one of the most pressing gaps in traditional ICT security strategies.

Key features of confidential computing that align with DORA’s requirements include:

  1. Enhanced Data Security: Protects sensitive computations from being exposed, even in shared cloud environments.
  2. Resilience and Integrity: Ensures that data remains secure and untampered during active processing.
  3. Regulatory Compliance: Provides a robust mechanism to meet DORA’s requirements for high security standards across the data lifecycle.

A Call to Action for Financial Entities

As the 2025 deadline approaches, financial entities must act to design and implement ICT security strategies that align with DORA’s requirements. Confidential computing, with its ability to secure data in use, is a pivotal technology for achieving compliance with Article 8, Paragraph 2.

By integrating confidential computing into their ICT security frameworks, financial institutions can not only meet regulatory mandates but also enhance their overall resilience against evolving cyber threats. Early adoption will provide a competitive edge, enabling organizations to build trust with customers, regulators, and partners in an increasingly digital and interconnected financial ecosystem.

Conclusion

DORA’s focus on ensuring ICT systems’ resilience, continuity, and security presents both a challenge and an opportunity for financial entities. By embracing confidential computing, organizations can address the critical requirements of Chapter II, Section II, Article 8, Paragraph 2, securing their data at every stage of its lifecycle. As the clock ticks toward 2025, the time to act is now.

Resources to Learn More 

DORA Regulation: Article 8

IBM: Navigating the digital wave: Understanding DORA and the role of confidential computing

Edgeless Systems: How to encrypt data in use for DORA compliance

Anjuna: Financial Services Confidential Computing Key Use Cases

Redhat: Confidential Containers for Financial Services on Public Cloud

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.