Implementing DORA requirements in practice

Banks and insurance companies

Cyber risks are rising – DORA defines clear requirements

Cyber attacks affect the banking and insurance sector with particular frequency and impact. High asset values, strict availability requirements and complex IT ecosystems make banks and insurers attractive targets – from ransomware and data theft to attacks via external service providers.

At the same time, the EU Regulation DORA (Digital Operational Resilience Act) raises the requirements for digital resilience significantly. Security measures must not only be implemented, but also controllable, verifiable and sustainably manageable – embedded within a structured ICT risk management framework.

Nearly one fifth of all global cyber incidents over the past two decades affected organisations in the financial sector. According to the IMF, the cumulative damage since 2004 amounts to almost USD 12 billion.
(Source: BaFin, Focus Risks 2025)

A growing attack surface driven by digitalisation

The digitalisation of financial services and the continued growth of e-commerce enable cybercriminals to target a far larger number of users, accounts and digital processes – most notably through social engineering. The threat is no longer limited to payment systems alone: corporate IT environments at banks and insurers are increasingly in focus.

The most severe financial risks arise primarily from ransomware and data exfiltration. It is therefore essential to consistently control and secure access to systems and data. Digital identities and strong authentication – for example as part of a Zero Trust approach – ensure that only authorised users and systems gain access. In addition, encryption concepts must be designed and implemented in line with protection requirements and operate reliably in day-to-day operations.

Another increasingly critical attack vector is supply chain attacks. The outsourcing of services to external IT providers – such as cloud platforms or AI-based technologies – significantly expands the financial sector’s attack surface. Organisations therefore need partners who go beyond integration and can demonstrate security, resilience and compliance in practice.

Resilience as a regulatory obligation

DORA establishes a binding EU-wide framework requiring financial entities to systematically strengthen their digital operational resilience. The focus lies in particular on:

  • ICT risk management and governance
  • Protective measures (security by design)
  • Detection, response and recovery
  • Documentation and verifiability
  • Oversight of ICT third-party providers

Cybersecurity therefore becomes an integral element of corporate governance.

DORA requirements in practice

In particular, the provisions relating to ICT risk management (including Articles 5–9) and preventive controls make it clear that isolated security measures are insufficient.

Instead, organisations are required to implement:

  • Clearly defined responsibilities
  • Documented policies and processes
  • Controlled technical measures (e.g. access control, encryption, key management)
  • Robust evidence and auditability
  • Secure integration of external service providers

DORA requires security architecture that can be operated in a transparent, scalable and auditable manner.

Securing access and protecting data

Many core DORA requirements can only be fulfilled if security architectures are implemented in a way that allows for sustained operational control. In the financial sector, two areas are particularly critical: access security and cryptography.

Secure authentication through digital identities (Zero Trust)

Digital identities and Zero Trust principles ensure that only authorised users, systems and services are granted access – regardless of whether they operate within internal IT environments, cloud platforms or outsourced services.

Identity therefore becomes a central security and governance component, embedded in policies, role models and technical controls.

Encryption with controlled key and certificate management

Encryption protects data against theft, and signatures and authenticated encryption protect it against manipulation – but only if the certificates and cryptographic keys behind them are managed reliably.

In practice, this is where risks frequently arise, many of which are directly relevant under DORA.

Control over certificates and cryptographic keys

Operating digital identities, encryption and secure communications reliably requires structured technical building blocks. These help reduce operational risk and enable security controls to be implemented in a consistent and traceable manner.

  • A Public Key Infrastructure (PKI) provides the foundation for certificates and trust chains, enabling key security mechanisms in banking and insurance environments.
     
  • Certificate Lifecycle Management (CLM) automates the full lifecycle of certificates – from issuance and renewal to replacement. This reduces outages, minimises manual errors and ensures certificates remain manageable in operation.
     
  • A Credential Management System (CMS) provides centralised control over digital credentials such as tokens or smart cards. It supports governance, policy enforcement and evidentiary requirements, particularly for systems supporting critical or important functions.
     
  • Hardware Security Modules (HSMs) and Key Management Systems (KMS) ensure that cryptographic keys are generated, stored and used securely – forming the basis for robust, trustworthy cryptography in production environments.
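The CLM point above is the one a practitioner most often has to prove in an audit: that every certificate in the inventory is known, that expiring ones are renewed before they cause an outage, and that an expired one is in fact rejected by the relying party. The following Go program is an added example written for this page, not code from achelos or from any product named here. It uses only the standard library to build a constructed fixture (one root CA and three TLS leaf certificates with hypothetical hostnames), runs a renewal-window check over that inventory, and verifies each leaf the way a TLS client would; the function names `BuildFixture`, `RenewalDue` and `VerifyChain` are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates an ECDSA P-256 certificate. With parent == nil it is self-signed
// (a root CA); otherwise it is signed by parent/parentKey.
func issue(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// Fixture is a constructed inventory: one root CA and three TLS leaves with
// different remaining lifetimes. The hostnames are hypothetical.
type Fixture struct {
	Root   *x509.Certificate
	Leaves []*x509.Certificate
}

func BuildFixture(now time.Time) (*Fixture, error) {
	day := 24 * time.Hour
	root, rootKey, err := issue("Demo Root CA", now.Add(-365*day), now.Add(10*365*day), true, nil, nil)
	if err != nil {
		return nil, err
	}
	f := &Fixture{Root: root}
	leaves := []struct {
		cn       string
		notAfter time.Time
	}{
		{"api.bank.example", now.Add(10 * day)},    // inside the renewal window
		{"portal.bank.example", now.Add(60 * day)}, // healthy
		{"legacy.bank.example", now.Add(-1 * day)}, // already expired: an outage waiting to happen
	}
	for _, l := range leaves {
		leaf, _, err := issue(l.cn, now.Add(-365*day), l.notAfter, false, root, rootKey)
		if err != nil {
			return nil, err
		}
		f.Leaves = append(f.Leaves, leaf)
	}
	return f, nil
}

// RenewalDue splits an inventory into certificates that have already expired and
// those that expire within window of now; a CLM job renews the second group
// before it turns into the first.
func RenewalDue(inventory []*x509.Certificate, now time.Time, window time.Duration) (expired, dueSoon []string) {
	for _, c := range inventory {
		switch {
		case now.After(c.NotAfter):
			expired = append(expired, c.Subject.CommonName)
		case c.NotAfter.Sub(now) <= window:
			dueSoon = append(dueSoon, c.Subject.CommonName)
		}
	}
	return expired, dueSoon
}

// VerifyChain checks leaf against root at time now as a TLS client would:
// signature, validity period, CA constraints and hostname.
func VerifyChain(leaf, root *x509.Certificate, now time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now, DNSName: leaf.DNSNames[0]})
	return err
}

func main() {
	now := time.Date(2025, 6, 1, 0, 0, 0, 0, time.UTC) // fixed clock so the run is reproducible
	f, err := BuildFixture(now)
	if err != nil {
		panic(err)
	}
	expired, dueSoon := RenewalDue(f.Leaves, now, 30*24*time.Hour)
	fmt.Println("expired:", expired, "due within 30 days:", dueSoon)
	for _, leaf := range f.Leaves {
		fmt.Printf("%-22s verify: %v\n", leaf.Subject.CommonName, VerifyChain(leaf, f.Root, now))
	}
}
```

The renewal window (30 days here) is the operational control: it has to be longer than the time your issuance path actually takes under load, and the inventory `RenewalDue` runs over must be the complete one, which is exactly what a CLM discovers and maintains. The `VerifyChain` call on the expired leaf shows why the check matters: a relying party rejects that certificate outright, so an unnoticed expiry is an availability incident, not a cosmetic finding.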

Security for high-availability transaction environments

Digital payment services are typically classified as critical or important functions under DORA. Debit and credit cards, mobile payments, instant payments and e-wallet solutions require highly available and securely operated systems.

High transaction volumes and dependencies on external payment networks increase both operational and regulatory risk. Robust cryptography, controlled certificate and key management, and auditable processes are therefore essential to ensure stable and compliant payment operations.

This applies in particular to card-based systems such as SECCOS®, which is widely used in the German market and subject to complex approval and audit procedures.

From design to secure operation

achelos supports banks and insurers holistically – from advisory services delivered by experienced security experts through to implementation, integration and ongoing operational support, including audits and regular health checks.

As an ISO 27001 and Common Criteria certified organisation, achelos provides proven processes and frameworks for working in highly regulated and critical environments. We rely on established, certified products from a strong partner ecosystem.

Would you like to modernise your cryptographic infrastructure, professionalise certificate and key management, or establish a robust technical foundation for DORA compliance? Talk to our experts!

Any questions? Your contact person for queries in this field is:

Dr. Michael Jahnich

Director Business Development

michael.jahnich@achelos.de +49 5251 14212-378