DORA - Digital Operational Resilience Act

How CRYPTAS can help you to comply with Regulation (EU) 2022/2554.


What is DORA?
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, addresses ICT risk and sets rules on ICT risk management, incident reporting, operational resilience testing and ICT third-party risk monitoring. The Regulation acknowledges that ICT incidents and a lack of operational resilience can jeopardise the soundness of the entire financial system.

Who is affected?
DORA covers a wide array of financial service providers such as banks, credit institutions, payment institutions, e-money institutions, insurance companies, investment firms and crypto-asset service providers, among others. Notably, DORA also defines critical ICT services provided to financial institutions: an entity that provides such services to a financial institution falls under direct regulatory supervision as set out in the DORA framework. This includes services such as cloud platforms and data analytics.

Entities found to be in violation of the Act's requirements could be subjected to fines up to 2% of their total annual worldwide revenue or, for individuals, a maximum fine of EUR 1,000,000.

How to approach the challenge?
Financial institutions face a host of rules in order to comply with DORA. Although data security and cryptography are only a small portion of the overall DORA requirements, they still affect all processes throughout the entire business.
A holistic approach is advisable: provide corporate trust services centrally to all organisational units and to all business processes.

CRYPTAS provides assistance in designing, implementing and operating such corporate trust services.

Structure of the regulation
As a "Regulation" it applies directly to all financial entities within the EU, without the need for an implementing act by the individual member states. On 17 January 2025, DORA will become effective. While the Regulation itself states the objectives and requirements on a rather abstract level, certain aspects have been further detailed in Regulatory Technical Standards (RTS), available in their final draft from January 2024.

DORA / How CRYPTAS can help you in detail

DORA / Article 9 "Protection and Prevention"

Art 9.4 (a)

DORA Requirement
Develop and document an information security policy defining rules to protect the availability, authenticity, integrity and confidentiality of data, information assets and ICT assets, including those of their customers, where applicable.

CRYPTAS contribution
Consulting and assistance in developing and documenting such policies and rules.

Art 9.4 (c)

DORA Requirement
Implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only, and establish to that end a set of policies, procedures and controls that address access rights and ensure a sound administration thereof.

CRYPTAS contribution
egofy converged smartcard solution, with LEGIC and MIFARE DESFire for physical access, combined with X.509 certificates, FIDO2 and OTP for logical multi-factor authentication. Credential management for administration of policies and access rights.

Art 9.4 (d)

DORA Requirement
Implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys.

CRYPTAS contribution
Authentication solution, including PKI and credential management systems.

Art 15

DORA Requirement
Further harmonisation of ICT risk management tools, methods, processes and policies.

CRYPTAS contribution
See contributions relating to Draft RTS 2024-01/JC 2023 86.

RTS / Article 7 "Cryptographic Key Management"

Draft RTS 2024-01/JC 2023 86

Art 7.2 and Art 7.3

DORA Requirement
Financial entities shall identify and implement controls to protect cryptographic keys through their whole lifecycle against loss, unauthorised access, disclosure and modification. The controls shall be designed taking into account the results of the approved data classification and the ICT risk assessment processes. Financial entities shall develop and implement methods to replace the cryptographic keys in the case of lost, compromised or damaged keys.

CRYPTAS contribution
Documented key management policies, to be implemented in each of the key-consuming ICT systems and with the help of an Enterprise Key Management solution. An HSM solution is needed to secure the keys.

Art 7.4 and Art 7.5

DORA Requirement
Financial entities shall create and maintain a register for all certificates and certificate-storing devices for at least those ICT assets supporting critical or important functions. The register shall be kept up to date. Financial entities shall ensure the prompt renewal of certificates in advance of their expiration.

CRYPTAS contribution
Certificate discovery.
Certificate lifecycle management solution.

RTS / Article 6 "Encryption and Cryptographic Controls"

Draft RTS 2024-01/JC 2023 86

Art 6.1

DORA Requirement
Financial entities shall develop, document and implement a policy on encryption and cryptographic controls, with a view to preserving the availability, authenticity, integrity and confidentiality of data.

CRYPTAS contribution
Consulting on best practices, proportionate policies and implementation architecture. CRYPTAS also supports the documentation and implementation of such policies.

Art 6.2 (a)

DORA Requirement
Rules for the encryption of data at rest and in transit.

CRYPTAS contribution
360° encryption solution (file and folder encryption, volume encryption, transparent database encryption, cloud data encryption).
S/MIME email encryption and related certificate provisioning.

Art 6.2 (c)

DORA Requirement
Rules for the encryption of internal network connections and traffic with external parties.

CRYPTAS contribution
Solutions using SSL/TLS certificates. Internal connections and traffic are protected through an Enterprise PKI; an enterprise PKI always relies on an HSM solution to protect the keys. External traffic is protected with publicly trusted certificates. Certificate Lifecycle Management becomes an important tool for managing this requirement.

Art 6.2 (d) and Art 7.1

DORA Requirement
Provisions for cryptographic key management ... managing cryptographic keys through their whole lifecycle, including generating, renewing, storing, backing up, archiving, retrieving, transmitting, retiring, revoking and destroying keys.

CRYPTAS contribution
Enterprise Key Management solution. PKI and CLM for managing the lifecycle of certificates and related keys. An HSM solution is needed to secure the keys.

RTS / Article 8 "Policies and procedures for ICT operations"

Draft RTS 2024-01/JC 2023 86

Art 8

DORA Requirement
Policies and procedures for ICT operations, including:

  • Secure installation and maintenance
  • Backup and restore
  • Audit trail and system log
  • Separation of production from development and test
  • Support and escalation contacts
  • System restart, roll-back and recovery

CRYPTAS contribution
CRYPTAS-supplied solutions and CRYPTAS managed services were built, operated and documented according to the principles of Art 8 before DORA was put in place.
