The Digital Operational Resilience Act (DORA) is the next major EU regulation to come into force. The aim of the EU regulation is to strengthen the IT security of European financial organisations. Hardware authentication via FIDO Security Key can help effectively, as I show in my new blog post.

How did the Digital Operational Resilience Act (DORA) come about?

IT security in the European financial sector has been an important topic for a long time. Almost exactly two years ago, the European Parliament and the European Council adopted the Regulation on Digital Operational Resilience in the Financial Sector (DORA). It was approved in January 2023 and enforcement will begin January 17, 2025; DORA will apply in all member states of the European Union (EU). 

What is DORA?

The objective of DORA is to enforce stricter data security policies for financial companies in the EU, including banks, insurance companies and investment firms. This affects around 20 different types of financial companies and third-party providers of Information and Communication Technology (ICT) services. DORA is a financial sector-wide regulation for cybersecurity, ICT risks and digital operational resilience.

At the same time, DORA obliges financial companies to follow a standard set of guidelines to protect against ICT-related incidents. This includes measures for protection, detection, containment, recovery and repair. DORA explicitly targets ICT risks and introduces clear rules for ICT risk management, incident reporting, operational resilience testing and monitoring of third-party ICT risks.

This initiative aims to ensure that the financial sector in Europe remains resilient in the event of a significant disruption.

Who is DORA intended for?

According to the German Federal Financial Supervisory Authority (BaFin), “almost all supervised institutions and companies in the European financial sector are subject to DORA. DORA also brings together various requirements for institutions and companies in terms of cyber security, ICT risks and digital operational resilience.”

Is there a link between DORA and the NIS2 Directive?

DORA is a sector-specific legal act of the Union within the meaning of Art. 4 of the NIS2 Directive, in accordance with Art. 1 (2), with regard to financial undertakings. This means that the provisions of DORA take precedence over the NIS2 provisions on cybersecurity risk management and notification of significant security incidents and supersede them in this respect. As the NIS2 Directive is a European directive, it must be transposed into national law.

Learn more about the significance of NIS-2 in our blog post EU Regulation NIS2: Don’t Get Caught Off Guard! by Alexander Summerer.

What does DORA have to do with hardware authentication?

DORA aims to strengthen the financial sector in terms of cybersecurity. To this end, the use of modern, innovative technologies is crucial in order to promote resilience. Hardware authentication via security keys is a crucial part of multi-factor authentication (MFA). MFA combines several independent factors: in most cases a password is entered first, followed by a second authentication step, so that a stolen password alone does not grant unauthorized access.

Read more about this in our article Authentication 101: What makes hardware authentication so attractive to companies? by Alexander Summerer.

This is exactly where security keys such as the iShield Key come into play: they protect employees and companies from phishing, which remains one of the biggest cyber risks for companies. Security keys that support FIDO2 provide a passwordless authenticator that protects against unauthorized access by removing the vulnerabilities associated with shared secrets: the private key never leaves the device, and each login is bound to the legitimate website, so credentials entered on a look-alike site are worthless to the attacker.

Access to internal company information and network infrastructures in particular must be protected, which is why employees need to be empowered to contribute to this protection. This is where FIDO2 security keys such as the iShield Key become significantly relevant.

Companies in the financial sector that use security keys for MFA and passwordless authentication not only strengthen the security of their IT infrastructure in the long term, but also invest in their employees and make their credentials resistant to phishing. 

How can Swissbit help companies comply with DORA regulations?

Financial companies that do not comply with DORA can face fines from the competent authorities in the member states. To avoid this, the requirements, which focus on modernizing and strengthening the IT infrastructure, must be met.

Swissbit iShield Keys provide multi-factor authentication via FIDO U2F, FIDO2 passwordless, TOTP, HOTP and PIV (smart card) authenticators in a single device. Because all of these options are available on one key, financial companies can select one or more authentication technologies for their various systems without deploying separate devices per use case, which also minimizes the investment required to cover all use cases.

The continuous development of the iShield Key series clearly demonstrates Swissbit’s innovative potential in the field of FIDO security keys. By far the most innovative and technologically advanced security key is the iShield Key Pro MIFARE.

The hybrid functionality of the iShield Key Pro MIFARE is impressive, supporting not only passkeys but also conventional one-time passwords (OTP) and personal identity verification (PIV) as well as MIFARE for contactless physical access to company buildings, parking garages, use of the wallbox or payments in the cafeteria.

Last but not least, Swissbit manufactures its products, including the iShield Key series, in its own factory in Berlin. Swissbit therefore has a secure supply chain and can respond quickly and individually to customer requests from financial companies.

Does that sound interesting to you? Convince yourself of our expertise and contact us.

Disclaimer: This article is sourced from the official Swissbit website. As official partners of Swissbit, we have obtained permission to utilize both articles & resources for further updates with regards to Swissbit’s products.