Financial Institutions and Encryption Key Management: Crucial Information for Financial Firms Concerning Cryptography and Identity Verification

Future Regulations for Third-Party ICT Service Providers Unveiled: On July 15, 2025, the DORA Oversight Guide was released, detailing the planned supervision of these key players.


In a significant move towards enhancing digital security, the European Supervisory Authorities (ESA) published the first DORA Oversight Guide on July 15, 2025. This comprehensive guide outlines the future monitoring of critical ICT third-party service providers, with a focus on establishing Joint Examination Teams (JETs) for pan-European control of cloud providers, software suppliers, and other key third-parties.

The guide emphasises the need for ICT third-party service providers to uphold the highest standards of cryptographic security and key ownership control. This reflects the DORA Oversight Guide's requirement that financial institutions adopt encryption solutions in which they retain key ownership, as part of a new level of transparency and control.

Strong cryptographic key management is mandated, requiring providers to store, renew, and back up private cryptographic keys securely to prevent any loss or compromise of these sensitive assets. Providers must also maintain detailed key registers, implement structured protocols for the replacement of compromised or expired keys, and enforce policies that cover encryption of communications and data protection.

Security controls must include strict physical and logical access restrictions to cryptographic keys and related systems. This typically involves multi-factor authentication (MFA), role-based access control (RBAC), and regular security audits.

Importantly, ownership and control of cryptographic keys must remain clearly defined and securely held by the ICT service providers. Customers and supervising entities should ensure that third-party providers cannot access or misuse the keys beyond authorized purposes, preserving the end-customer’s operational resilience and data confidentiality.

Oversight authorities expect continuous monitoring and governance of cryptographic security measures as part of the broader third-party ICT risk management framework. This includes contractual clauses obligating providers to meet strict security standards, cooperate on audits, and promptly notify on security incidents.

Adhering to these guidelines will help financial institutions demonstrate compliance with Article 5.4.1 of the DORA Oversight Guide. For instance, financial institutions using cloud services from Microsoft, AWS, or Google must be able to prove control over encryption keys at all times, even in redundant or outsourced systems.

An encryption solution tailored to DORA requirements encrypts data before it reaches the cloud, providing client-side and format-preserving encryption. With this approach the company retains full control of the keys; neither cloud providers nor third parties have access to them. Furthermore, the encryption solution should be compatible with popular web applications such as Microsoft 365 and Salesforce.

One such solution is eperi sEcure, which allows financial institutions to maintain full control over cryptographic security measures technically, legally and organizationally, creating the prerequisites for a future-proof, resilient IT strategy in the financial sector.

In conclusion, the DORA Oversight Guide underscores the importance of robust cryptographic key management and clear control over the keys for ICT third-party service providers. Compliance with these guidelines will not only reinforce trust and resilience in critical digital infrastructures but also ensure that providers of critical infrastructure do not jeopardize the risk and resilience profile of the financial sector.

Other business sectors might also benefit from adopting the rigorous cryptographic key management practices outlined in the DORA Oversight Guide, enhancing technology-related security across various industries. As pan-European control expands to include more service providers, the need for clear ownership and control of cryptographic keys becomes increasingly crucial, ensuring transparency and data protection for all parties involved.
