Achieving DORA Compliance: How Fortanix Strengthens Your Digital Operational Resilience

Nishank Vaish
Updated: May 13, 2025

The Digital Operational Resilience Act (DORA) sets strict obligations on financial institutions and their material ICT suppliers throughout the European Union. DORA compliance requirements aim to converge and strengthen digital operational resilience so that the financial system is able to withstand, respond to, and recover from ICT disruptions and cyber threats.

Much of DORA, most notably the Regulatory Technical Standards (RTS) regarding ICT risk management, addresses strong security practices, particularly data protection and cryptography.

Financial institutions require solutions that have advanced security features and allow centralized management, visibility, and automation to verify continuous compliance. Fortanix offers these features.

Our data security solutions are uniquely positioned and aligned with the DORA compliance framework. We help financial institutions meet the growing demands of data security compliance for the EU without added complexity.

Let’s take a closer look at how Fortanix supports the encryption and cryptographic requirements laid out in the DORA Regulatory Technical Standards (RTS).

Section 4: Encryption and Cryptography (Articles 6 & 7)

DORA enforces the use of encryption and key management practices.

  • Policy and Control Implementation (Art. 6(1)): Organizations must have a documented policy for encryption and cryptographic controls.
  • Fortanix Solution: Fortanix Data Security Manager (DSM) centralizes secrets and encryption key management, ensuring policies are applied consistently. Fortanix Key Insight adds visibility by identifying cryptographic assets, highlighting gaps, and validating whether controls match the defined data security compliance policies.
  • Data Encryption (Art. 6(2)(a), 6(2)(c)): Encrypting data at rest, in transit, and securing network connections is crucial.
  • Fortanix Solution: DSM provides FIPS 140-3 level 3 validated encryption (AES-256) for data at rest and enforces TLS 1.3 for data in transit, including internal/external network connections and API communications. It supports Bring Your Own Key (BYOK) and Hold Your Own Key (HYOK) for consistent encryption standards across cloud workloads.
  • Data-in-Use Protection (Art. 6(2)(b)): Protecting data while it's being processed is a unique challenge.
  • Fortanix Solution: Fortanix leverages Confidential Computing (powered by Intel SGX) through its Data Security Manager and Confidential Computing Manager. This technology protects data even while in use by isolating critical applications and data within secure enclaves.
  • Cryptographic Techniques & Updates (Art. 6(3), 6(4)): Use of leading standards and timely updates are mandated.
  • Fortanix Solution: Fortanix DSM uses NIST-approved encryption algorithms such as AES-256 and RSA-4096, as well as ML-KEM, which is designed to withstand quantum threats. Its Key Insight tool identifies weak or outdated algorithms (such as SHA-1) and expired certificates, then suggests what needs to be updated. Fortanix also regularly updates its cryptographic libraries, which is essential for a DORA compliance program.
  • Key Management Lifecycle & Protection (Art. 6(2)(d), 7(1), 7(2), 7(3)): Full lifecycle management and robust protection of keys are required.
  • Fortanix Solution: DSM manages the entire key lifecycle (generation, rotation, backup, revocation, destruction) with automation and role-based access control (RBAC) from a single interface for hybrid multicloud environments. Keys are stored securely in FIPS-validated HSMs (available on-premises or as SaaS) to protect against loss, unauthorized access, or modification. Automated workflows facilitate key replacement if keys are compromised.
  • Certificate Management (Art. 7(4), 7(5)): Maintaining registers and ensuring timely renewal of certificates is necessary.
  • Fortanix Solution: While Fortanix DSM protects the private keys associated with certificates, it integrates with various Certificate Lifecycle Management (CLM) partners such as Keyfactor, Venafi and AppviewX who maintain certificate registries and manage the discovery and renewal process.
  • Auditing and Mitigation Records (Art. 6(5)): Recording measures taken is essential.
  • Fortanix Solution: Every cryptographic action in DSM is recorded in a tamper-proof audit log. Key Insight adds visibility with clear compliance dashboards and reports, making it easier for teams to show proof of policy enforcement and track any remediation steps they've taken, critical for ongoing compliance with DORA.
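The inventory checks attributed to Key Insight above (weak or outdated algorithms, expired certificates, keys overdue for rotation) can be illustrated with a small stand-alone scanner. The code below is an added example, not Fortanix code: the asset records, the policy thresholds (minimum RSA size, renewal window, maximum key age) and the finding codes are all constructed for this illustration, and a real tool would read the inventory from the HSM/KMS and the certificate lifecycle system instead.

```python
"""Added example (not Fortanix code): a minimal cryptographic-asset inventory check.
It flags weak signature hashes, short RSA keys, expired or soon-expiring certificates
and keys overdue for rotation, producing the kind of remediation list a compliance
dashboard would show. All records and thresholds are constructed assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Policy thresholds (assumptions for this example, not DORA-mandated values).
MIN_RSA_BITS = 2048
WEAK_HASHES = {"SHA-1", "MD5"}
CERT_RENEW_WINDOW = timedelta(days=30)
MAX_KEY_AGE = timedelta(days=365)

@dataclass
class Asset:
    name: str
    kind: str                  # "cert" or "key"
    algorithm: str             # e.g. "RSA", "ECDSA", "AES"
    bits: int
    sig_hash: Optional[str]    # signature hash for certificates, None for keys
    timestamp: datetime        # cert: not_after; key: last rotation time

# Fixed reference time so the report is deterministic (constructed).
NOW = datetime(2025, 5, 13, tzinfo=timezone.utc)

# Constructed sample inventory.
SAMPLE_ASSETS = [
    Asset("web-frontend-cert", "cert", "RSA", 2048, "SHA-1", NOW + timedelta(days=200)),
    Asset("legacy-api-cert", "cert", "RSA", 1024, "SHA-256", NOW - timedelta(days=5)),
    Asset("partner-mtls-cert", "cert", "ECDSA", 256, "SHA-256", NOW + timedelta(days=10)),
    Asset("payments-dek", "key", "AES", 256, None, NOW - timedelta(days=400)),
    Asset("hsm-wrapping-key", "key", "RSA", 4096, None, NOW - timedelta(days=10)),
]

def check_asset(asset: Asset, now: datetime) -> List[str]:
    """Return the list of finding codes for one asset (empty list means compliant)."""
    issues: List[str] = []
    if asset.algorithm == "RSA" and asset.bits < MIN_RSA_BITS:
        issues.append(f"rsa_key_too_short:{asset.bits}")
    if asset.kind == "cert":
        if asset.sig_hash in WEAK_HASHES:
            issues.append(f"weak_signature_hash:{asset.sig_hash}")
        if asset.timestamp <= now:
            issues.append("certificate_expired")
        elif asset.timestamp - now <= CERT_RENEW_WINDOW:
            issues.append("certificate_expires_within_30d")
    else:
        if now - asset.timestamp > MAX_KEY_AGE:
            issues.append("key_rotation_overdue")
    return issues

def check_inventory(assets: List[Asset], now: datetime) -> Dict[str, List[str]]:
    """Map every asset name to its findings, including compliant assets with []."""
    return {a.name: check_asset(a, now) for a in assets}

def noncompliant_count(report: Dict[str, List[str]]) -> int:
    """Number of assets that need remediation."""
    return sum(1 for findings in report.values() if findings)

if __name__ == "__main__":
    report = check_inventory(SAMPLE_ASSETS, NOW)
    for name, findings in report.items():
        print(f"{name:20s} {'OK' if not findings else ', '.join(findings)}")
    print(f"{noncompliant_count(report)} of {len(report)} assets need remediation")
```

The check order inside `check_asset` is deliberate: key-strength findings come first because they apply to both certificates and keys, then certificate-specific findings, so a report can be diffed between runs to track remediation.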

Section 5: ICT Operations Security (Article 11)

Secure ICT operations are fundamental to resilience.

  • Data and System Security Procedures (Art. 11(1)): Documented procedures for data and system security are needed.
  • Fortanix Solution: DSM enables centralization of encryption, access controls, and secure data workflows as part of these procedures. Key Insight helps align these procedures with the actual cryptographic assets in place.
  • Access Control & Secure Baselines (Art. 11(2)(a), 11(2)(b), 11(3)): Enforcing access restrictions and secure configurations is key.
  • Fortanix Solution: DSM integrates with identity providers (SAML, LDAP, OAuth) for RBAC and enforces Multi-Factor Authentication (MFA). Key Insight scans for misconfigurations (e.g., weak TLS) and audits against standards like NIST, while DSM enforces encryption policies aligned with leading practices.
  • Software & Malicious Code Protection (Art. 11(2)(c), 11(2)(d)): Ensuring only authorized software runs and protecting against malware.
  • Fortanix Solution: DSM protects the secrets and keys used by authorized software, and can also sign code to confirm it hasn’t been tampered with. While it’s not built to detect malware, locking down cryptographic assets helps contain the damage if a breach occurs.
  • Data Storage Security & Disposal (Art. 11(2)(e), 11(2)(g), 11(2)(h)): Protecting data on authorized media and ensuring secure deletion/disposal.
  • Fortanix Solution: DSM encrypts or tokenizes data, rendering it secure even if moved to unauthorized media. It enables cryptographic erasure (shredding keys) for secure data deletion and device disposal, providing audit logs for verification.
  • Endpoint & Removable Media Security (Art. 11(2)(f), 11(2)(f)(iii)): Securing endpoint devices and controlling removable storage.
  • Fortanix Solution: DSM manages keys/secrets on endpoints; revoking key access renders data inaccessible if a device is lost. It can encrypt data on removable devices, with access controlled via RBAC. Use of secure enclaves provides tamper-proof mechanisms.
  • Data Loss Prevention & Secure Teleworking (Art. 11(2)(i), 11(2)(j)): Preventing leaks and securing remote work.
  • Fortanix Solution: Encryption/tokenization protects data at rest, transit, and use. Confidential Computing secures remote processing in enclaves, while RBAC/MFA restricts access to keys/secrets.
  • Third-Party Provider Oversight (Art. 11(2)(k), 11(4)): Ensuring resilience extends to third parties.
  • Fortanix Solution: DSM secures integrations via BYOK/HYOK and encrypted APIs, ensuring the financial entity retains control over its keys. Key Insight can monitor third-party cryptographic assets for compliance. DSM provides logs to verify third-party adherence to security roles.
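The cryptographic erasure ("key shredding") mentioned under data disposal, and the point under endpoint security that revoking or destroying a key renders data on lost devices or removable media inaccessible, both rest on one mechanism: the ciphertext is only as available as its key. The following is an added example, not Fortanix code, with a stand-in key store. It uses an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag purely so that it runs on the Python standard library; a production deployment would use AES-GCM with the key held in an HSM, as the page describes. The record content, key identifier and audit-log format are constructed.

```python
"""Added example (not Fortanix code): cryptographic erasure with an in-memory key store.
Data is encrypted under a per-record data-encryption key (DEK). Destroying the DEK makes
every copy of the ciphertext unrecoverable, including copies on removable media or in
backups, and each lifecycle action is recorded in an append-only audit log.
Cipher: HMAC-SHA256 in counter mode plus an encrypt-then-MAC tag (stand-in for AES-GCM)."""
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

BLOCK = 32      # bytes of keystream per HMAC-SHA256 output
NONCE_LEN = 16
TAG_LEN = 32

class KeyDestroyedError(Exception):
    """Raised when a ciphertext references a DEK that has already been shredded."""

class KeyStore:
    """Stand-in for a KMS/HSM: holds DEKs and an append-only audit log."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
        self.audit_log: List[Tuple[str, str]] = []   # (action, key_id), never edited

    def _log(self, action: str, key_id: str) -> None:
        self.audit_log.append((action, key_id))

    def create_key(self, key_id: str) -> None:
        self._keys[key_id] = secrets.token_bytes(32)
        self._log("create", key_id)

    def destroy_key(self, key_id: str) -> None:
        # Overwrite before deleting, mirroring zeroisation of key material in an HSM.
        self._keys[key_id] = b"\x00" * 32
        del self._keys[key_id]
        self._log("destroy", key_id)

    def _subkeys(self, key_id: str) -> Tuple[bytes, bytes]:
        """Derive separate encryption and MAC keys from the DEK; fail if it is gone."""
        try:
            dek = self._keys[key_id]
        except KeyError:
            raise KeyDestroyedError(key_id) from None
        enc = hmac.new(dek, b"enc", hashlib.sha256).digest()
        mac = hmac.new(dek, b"mac", hashlib.sha256).digest()
        return enc, mac

    @staticmethod
    def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
        out = b""
        for i in range((length + BLOCK - 1) // BLOCK):
            out += hmac.new(enc_key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        return out[:length]

    def encrypt(self, key_id: str, plaintext: bytes) -> bytes:
        enc, mac = self._subkeys(key_id)
        nonce = secrets.token_bytes(NONCE_LEN)
        stream = self._keystream(enc, nonce, len(plaintext))
        ct = bytes(p ^ s for p, s in zip(plaintext, stream))
        tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        self._log("encrypt", key_id)
        return nonce + ct + tag

    def decrypt(self, key_id: str, blob: bytes) -> bytes:
        enc, mac = self._subkeys(key_id)
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")
        self._log("decrypt", key_id)
        return bytes(c ^ s for c, s in zip(ct, self._keystream(enc, nonce, len(ct))))

def crypto_shred_demo() -> Tuple[bool, List[str]]:
    """Encrypt a record, copy the ciphertext off-device, shred the DEK, test the copy.
    Returns (recoverable_after_shred, audit actions in order)."""
    store = KeyStore()
    store.create_key("customer-record-42")                 # constructed key id
    record = b"IBAN DE00 0000 0000 0000 0000 00 (constructed sample)"
    blob = store.encrypt("customer-record-42", record)
    removable_media_copy = bytes(blob)                     # a copy that left the system
    assert store.decrypt("customer-record-42", blob) == record   # normal access works
    store.destroy_key("customer-record-42")                # disposal / lost-device step
    try:
        store.decrypt("customer-record-42", removable_media_copy)
        recoverable = True
    except KeyDestroyedError:
        recoverable = False
    return recoverable, [action for action, _ in store.audit_log]

if __name__ == "__main__":
    recoverable, actions = crypto_shred_demo()
    print("recoverable after shred:", recoverable)    # False
    print("audit trail:", actions)
```

The audit log is what an auditor would ask for under Art. 11(2)(h): it shows the destroy event for the DEK, which is the evidence that every ciphertext copy under that key became unrecoverable at that time, without needing to locate and wipe each copy.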

Section 6: Network Security (Articles 13 & 14)

DORA requires robust network security management and protection for data in transit.

  • Network Policies, Segmentation & Documentation (Art. 13(1), 13(a), 13(b)): Implementing policies, segmenting networks, and documenting connections.
  • Fortanix Solution: DSM enforces encryption (TLS 1.3) and access controls for network traffic, supporting segmentation by restricting key access based on policies.
  • Secure Network Connections & Devices (Art. 13(c), 13(d), 13(e), 13(g)): Securing administrative access, preventing unauthorized connections, and encrypting traffic.
  • Fortanix Solution: DSM secures administrative access via RBAC/MFA and encrypts traffic between segments. It enables certificate-based authentication (mTLS) to restrict device connections and enforces TLS 1.3 for all types of network traffic, including external API connections.
  • Network Design, Hardening & Session Management (Art. 13(f), 13(j), 13(k), 13(l)): Ensuring resilient design, secure baselines, and terminating inactive sessions.
  • Fortanix Solution: DSM secures traffic with encryption and integrity checks (HMAC), protecting keys in HSMs. It supports isolating components via unique keys and enforces session timeouts for cryptographic access. Key Insight validates network device configurations against cryptographic standards.
  • Data-in-Transit Security (Art. 14(1a), 14(1b)): Ensuring availability, authenticity, integrity, confidentiality, and preventing leaks.
  • Fortanix Solution: DSM secures data in transit with FIPS-validated encryption like TLS 1.3 and AES-256, along with integrity checks (HMAC) and mutual TLS for authentication. Key Insight reviews whether encryption practices meet required standards. Together with role-based access controls, DSM’s encryption and tokenization tools help protect data during transfers and reduce the risk of leaks.
  • Confidentiality Agreements & Policy Alignment (Art. 14(1c), 14(2)): Documenting agreements and aligning policies with data classification.
  • Fortanix Solution: DSM applies strict access controls and records all access attempts, helping maintain data confidentiality. Key Insight keeps an eye on policy compliance. Encryption and tokenization rules in DSM can be tailored to match your data classification levels and the risk assessments surfaced by Key Insight.

Conclusion

DORA compliance is a comprehensive approach to digital operational resilience, built on a solid foundation of data security and cryptography. Fortanix Data Security Manager, complemented by Key Insight and Confidential Computing capabilities, provides a comprehensive platform to address many of the critical technical requirements outlined in the DORA RTS.

By centralizing control, automating processes, ensuring strong encryption across the data lifecycle (rest, transit, and use), and providing deep visibility into cryptographic posture, Fortanix empowers financial entities to meet DORA compliance mandates and build a truly resilient and secure digital infrastructure.
