JANUARY 2025
DORA and the role of cryptography in financial operational resilience
The Digital Operational Resilience Act (DORA), introduced under EU Regulation 2022/2554, is a major step toward strengthening the digital resilience of financial entities across the European Union. Designed to protect the EU’s financial system from disruptions and emerging cyber risks, DORA establishes a comprehensive framework that spans ICT risk management, incident reporting, third-party vendor oversight, security testing and governance. In a financial landscape defined by constant digital transformation, DORA sets out strict requirements to ensure that institutions can maintain stability and operational continuity, even in the face of digital threats.
Why cryptography is essential under DORA
DORA explicitly highlights the need to “protect and preserve the integrity and confidentiality of data”, making encryption a critical technical safeguard. As one of the primary tools for ensuring business continuity, cyber resilience and data authenticity, encryption plays a central role in meeting DORA’s requirements. By encrypting sensitive data, financial institutions can protect against unauthorised access, reduce the risk of operational disruptions, and maintain the trust of clients and stakeholders. In an increasingly digital and interconnected financial ecosystem, strong cryptographic controls are not just recommended – they’re essential for regulatory compliance and operational integrity.
How digital certificates support DORA compliance
Digital certificates are a foundational element of public key infrastructure (PKI) and play a crucial role in meeting DORA’s cybersecurity and operational resilience requirements.
SSL/TLS certificates secure web-based communications, protecting everything from banking APIs to customer portals by ensuring that data in transit remains encrypted and protected against tampering. S/MIME certificates strengthen both internal and external email communications by enabling encryption and digital signatures, helping verify message authenticity. Code signing and timestamping certificates ensure the integrity of software and updates, which is essential for securing the software supply chain and enabling trusted automation of system controls. Additionally, qualified certificates for electronic signatures provide the legal assurance needed for regulated digital transactions.
Operational best practices for financial institutions
For financial institutions, adopting cryptographic best practices is essential to achieving DORA compliance. One of the most important steps is the automation of certificate lifecycle management (CLM), which reduces the risk of human error and ensures that certificates remain valid and up to date. Centralised oversight – through dedicated CLM or cloud-based PKI solutions – enables streamlined, integrated certificate management across complex environments. Maintaining comprehensive audit trails, logs and reports of cryptographic operations supports transparency and traceability, making regulatory inspections more efficient and strengthening security governance. Partnering with EU-recognised, qualified trust service providers such as Actalis ensures that all deployed solutions meet the highest standards of quality and compliance.
Cryptography is a strategic asset for operational resilience and business continuity. Actalis supports financial institutions with expert PKI consultancy and a suite of DORA-aligned solutions, helping them build strong, sustainable security strategies. To learn how an integrated approach to cryptographic management can enhance both security and efficiency, we invite you to contact Actalis.