How to address the “encryption in use” for DORA with confidential computing

Learn about the Digital Operational Resilience Act (DORA) and how confidential computing helps with compliance.

What is DORA?

EU Regulation 2022/2254, also known as the "Digital Operational Resilience Act" or DORA, serves as a binding directive for risk management in the financial sector. It aims to enhance digital operational resilience, extending its coverage to third-party Information and Communication Technology (ICT) service providers. DORA's main objective is to mitigate vulnerability to ICT disruptions and cyber threats across the entire financial ecosystem. In fact, DORA applies to all financial industry players, including banks, insurers, ICTs and even cryptocurrency service providers. Dora will be enforced from January 17, 2025. Non-compliance will be fined by the corresponding authorities.

The 5 cornerstones of DORA requirements

  • ICT risk management requirements
  • ICT incident classification and reporting
  • Digital operational resilience testing
  • Management of ICT 3rd party risks
  • Threat intelligence sharing

DORA mandates data to be encrypted in use

Grasping DORA and its intricacies can be challenging. Specifically, Article 9, paragraph 2, in the first cornerstone of DORA, mandates financial institutions to monitor and control all ICT systems for resilience, continuity, integrity, and confidentiality during the processing chain. To this end, the article specifically mandates data encryption at rest, in transit, and in use. Encryption of data in use isn't typically done today and can be difficult to achieve in practice.

Mainly, two technologies allow for data encryption in use. These are homomorphic encryption and confidential computing. Generally, homomorphic encryption is unpractically compute intensive and doesn't scale to real-world workloads. In contrast, confidential computing is highly practical and only incurs low overheads. It can be used to protect virtually any type of workload and scales just like normal IT. Confidential computing features are already available in most server CPUs from Intel and AMD -- all that is required, is the right software underpinning to leverage these. For more on confidential computing, read our whitepaper.

Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.

DORA, Art. 9.2, "Protection and prevention"

Leverage confidential computing to comply with Article 9 of DORA

Delving deeper into this technology, we must distinguish that not all confidential computing solutions are created equal. The data protection levels can vary vastly between solutions. Some solutions only shield parts of your applications, while others make all of your data completely invisible to the infrastructure underneath. Constellation, the world's first always encrypted Kubernetes, works by encrypting the entire Kubernetes cluster, ensuring that no one, not even your cloud admin, can access the sensitive data of your customers.

Schedule a call with our experts

Learn how Edgeless Systems solutions can elevate your security to unprecedented levels and help mitigate compliance risks.