The Digital Operational Resilience Act (DORA), effective from 17th January 2025, addresses the resilience of financial entities' ICT systems. It emphasizes strong cybersecurity practices, crucial for ensuring secure exchanges of information, whether directly or indirectly via email. For any organization relying on email communication, understanding the detail around DORA requirements is vital. This article will explore relevant DORA provisions, focusing on data classification, encryption, recipient authentication, proof of delivery, and preventing data loss, including from human error.
Email remains the most important and most used communication tool for financial institutions, especially when interacting with external clients and partners. Besides being the primary channel for direct communication, email also underpins many services, such as file transfers, which rely on email for verification and notifications. However, email is inherently insecure—akin to sending information on a postcard. While encryption standards exist to protect email contents, these technologies are often either misunderstood (TLS is not secure enough) or not widely adopted (DANE), leaving sensitive data vulnerable. Also, email has become the largest source of digital data breaches. Over 95% of these breaches result from human errors, such as sending confidential information to the wrong recipient, using CC instead of BCC, or including unintended attachments. Addressing these vulnerabilities through robust email security practices is critical for financial organizations, especially given the sensitive nature of the data involved.
One of the cornerstones of DORA is proper data classification, outlined in article 6 - paragraph 2 (Encryption and cryptographic controls), article 7 - paragraph 2 (Cryptographic key management), article 13 – sub e (Network security management) and article 14, paragraph 2 (Securing information in transit).
Data classification is essential to ensure that appropriate safeguards are in place for different levels of information. Critical or important information requires higher levels of protection to mitigate ICT risks effectively. By assessing the value and sensitivity of the information being shared, entities can decide on suitable encryption protocols and authentication mechanisms, effectively minimizing the risk of unauthorized access.
In email communication, classification is particularly crucial because email is often the primary channel through which sensitive information leaves the organization. Misclassifying or failing to classify data appropriately can lead to inadequate protection measures, putting critical financial information at risk. By ensuring that information is properly classified, organizations can apply appropriate safeguards, such as encryption and restricted access, to protect sensitive data from unauthorized disclosure. Classifying information also helps organizations comply with regulatory requirements and ensures that sensitive communications are handled according to their risk level.
DORA places significant emphasis on encryption of data in transit, at rest and in use, described in Article 6, Encryption and cryptographic controls. Article 6, paragraph 2 states that financial entities should have policies that “contain rules for all of the following:
Encryption in transit ensures that emails and their attachments are protected against eavesdropping or unauthorized modifications during transmission. This is critical for preserving data confidentiality and integrity when communicating with clients or third parties.
Article 9, paragraph 2 of DORA requires financial entities to implement ICT security measures to ensure the continuity and availability of critical systems, with a focus on maintaining high standards of data availability, integrity, and confidentiality, including protection of data in transit.
Article 14, Paragraph 1, 'Securing Information in Transit', emphasizes that "as part of the safeguards to preserve the availability, authenticity, integrity and confidentiality of data, financial entities shall develop, document, and implement the policies, procedures, protocols, and tools to protect information in transit."
For data at rest, such as emails stored on mail servers, encryption helps prevent unauthorized access in case of a data breach. Article 7 also stipulates that financial entities must establish policies on cryptographic key management, ensuring that encryption keys are securely generated, stored, and retired, minimizing the chances of data compromise.
DORA also states, "Financial entities shall include in the policy on encryption and cryptographic controls provisions for updating or changing, where necessary, the cryptographic technology on the basis of developments in cryptanalysis." (Article 6, Paragraph 4).
Recipient authentication is another crucial aspect addressed by DORA. Article 20, paragraph 1 outlines the requirement for “policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities’ information to enable assignment of user access rights”. By ensuring that email recipients are authenticated, financial institutions can prevent unauthorized users from accessing sensitive communications, thereby reducing risks related to sending sensitive information to mailboxes protected with weak passwords and/or lacking multi-factor authentication (MFA).
Article 21, Access control, stipulates that financial entities shall develop, document, and implement a policy that contains “the use of authentication methods commensurate to the classification established in accordance with Article 8(1) of Regulation (EU) 2022/2554 and to the overall risk profile of ICT assets and considering leading practices”
To comply with DORA, organizations must protect emails containing sensitive information with MFA to verify the identity of recipients before granting access to critical data shared via email. This adds an extra layer of security, protecting sensitive information from unauthorized access.
Ensuring secure delivery confirmation and access by the right persons is essential in maintaining operational resilience, particularly in financial sectors where regulatory compliance is crucial. Under DORA, Article 14, stipulates that financial entities must develop and implement procedures that ensure “confidentiality of data during network transmission, and the establishment of procedures to assess compliance with those requirements”. Secure delivery confirmation mechanisms, such as delivery receipts or read confirmations, can help organizations ensure that the intended recipient has received critical communications.
Article 12, logging states that Financial entities shall, as part of the safeguards against intrusions and data misuse, develop, document, and implement logging procedures, protocols and tools, which, according to paragraph 2ci shall contain events related to all “logical and physical access control, as referred to in Article 21, and identity management”;
In email communication, proof of secure delivery and authorized access is particularly crucial when resolving conflicts, disputes, or investigating potential data leaks. Financial institutions often need to demonstrate that sensitive information was delivered to the correct recipient and that it was accessed only by authorized parties. This is especially important in the event of a data breach or when there are questions regarding the integrity of communications. By having proof of secure delivery, organizations can establish accountability, support compliance efforts, and mitigate potential legal or reputational risks.
Human error remains the leading cause of data breaches, particularly in email communications. DORA addresses this by requiring financial entities to implement security measures that prevent data loss. Article 9, paragraph 3c states that organizations must use ICT solutions that “prevent the lack of availability, the impairment of the authenticity and integrity, the breaches of confidentiality and the loss of data”. Article 9, paragraph 3d explicitly states that ICT solutions should also be “protected from risks arising from [..] human error”. Article 11, Paragraph 2i additionally states that the organization’s data and system security procedure should contain “the identification and implementation of security measures to prevent data loss and leakage for systems and endpoint devices”.
In the context of email security, human errors such as sending emails to incorrect recipients or sharing unintended attachments is the cause of >95% of data leaks and can have severe repercussions. One effective strategy is using data loss prevention (DLP) tools. These tools help organizations monitor outgoing emails and attachments, ensuring that sensitive information isn’t inadvertently shared with unauthorized parties. By leveraging DLP solutions that integrate with email systems, financial entities can significantly reduce the risk of data leaks and comply with DORA’s stringent data protection requirements. Additionally, educating staff about secure email practices and the importance of verifying recipients can further reduce the risk of data loss.
DORA lays out comprehensive requirements for the protection of ICT systems, particularly concerning the exchange of information via email. By focusing on classification, encryption in transit and at rest, recipient authentication, secure delivery and authorized access confirmation, and prevention of data loss by human error, financial entities can significantly improve their email security posture.
Compliance with DORA is not just about meeting regulatory requirements; it’s about ensuring operational resilience and protecting the organization from the potentially severe consequences of a data breach. By implementing the right measures, organizations can secure their email communications, thereby safeguarding sensitive financial information and maintaining trust with clients and stakeholders.
To find out how we can support you in meeting compliance with DORA’s email security requirements, get in touch or read our comprehensive guide on best practices for ensuring compliance with DORA.