How to encrypt data in use for DORA compliance


Learn about the Digital Operational Resilience Act (DORA) and how confidential computing helps with compliance.

What is DORA?

EU Regulation 2022/2254, also known as the "Digital Operational Resilience Act" or DORA, is a binding set of rules for risk management in the financial sector. It aims to strengthen digital operational resilience and extends its coverage to third-party Information and Communication Technology (ICT) service providers. DORA's main objective is to reduce exposure to ICT disruptions and cyber threats across the entire financial ecosystem. DORA applies to all financial industry players, including banks, insurers, ICT service providers and even cryptocurrency service providers. DORA will be enforced from January 17, 2025. Non-compliance will be fined by the corresponding authorities.

The 5 cornerstones of DORA requirements

1. ICT risk management requirements
2. ICT incident classification and reporting
3. Digital operational resilience testing
4. Management of ICT third-party risks
5. Threat intelligence sharing

DORA mandates data to be encrypted in use

Grasping DORA and its intricacies can be challenging. Specifically, Article 9, paragraph 2, which falls under the first cornerstone of DORA, requires financial institutions to monitor and control all ICT systems for resilience, continuity, integrity, and confidentiality throughout the processing chain. To this end, the article explicitly calls for the protection of data at rest, in transit, and in use. Encryption of data in use is not common practice today and can be difficult to achieve. How can this requirement be addressed?

Two main technologies allow data to be encrypted while in use: homomorphic encryption and confidential computing. Homomorphic encryption is generally impractically compute-intensive and does not scale to real-world workloads. Confidential computing, in contrast, is highly practical and incurs only low overheads. It can protect virtually any type of workload and scales just like conventional IT. Confidential computing features are already available in most server CPUs from Intel and AMD; all that is required is the right software underpinning to leverage them. For more on confidential computing, read our whitepaper.

Financial entities shall design, procure and implement ICT security policies, procedures, protocols and tools that aim to ensure the resilience, continuity and availability of ICT systems, in particular for those supporting critical or important functions, and to maintain high standards of availability, authenticity, integrity and confidentiality of data, whether at rest, in use or in transit.

DORA, Art. 9.2, "Protection and prevention"

Leverage confidential computing to comply with Article 9 of DORA

Looking more closely at this technology, it is important to recognise that not all confidential computing solutions are created equal. The level of data protection can vary widely between solutions. Some solutions shield only parts of your applications, while others make all of your data completely invisible to the underlying infrastructure. Constellation, the world's first always-encrypted Kubernetes, encrypts the entire Kubernetes cluster, ensuring that no one, not even your cloud admin, can access your customers' sensitive data.

Level 3 confidential computing

Constellation, the world's most secure Kubernetes


Constellation is a Kubernetes engine that leverages confidential virtual machines to shield your deployments from the infrastructure on all major cloud platforms without requiring changes to your existing containerized applications.

This approach helps companies secure workloads, utilize the public cloud's scalability, and reduce compliance and security risks.

Confidential computing and Constellation ensure data security during processing, explicitly addressing the protection and prevention aspects detailed in Article 9 of DORA.

Schedule a call with our experts


Learn how Edgeless Systems solutions can elevate your security to unprecedented levels and help mitigate compliance risks.