
Compliance

DORA

ICT risk management and resilience for the EU financial sector, with encryption and keys you can prove you control.


Requirements

What the regulation expects

DORA expects financial entities to manage ICT risk end-to-end—including how critical data is protected in the cloud. When the cloud provider holds the only copy of encryption keys, you cannot fully demonstrate that access to data is gated by *your* policies, logging, and incident processes. Customer-controlled keys close that gap: you retain custody of keys (or shares), align activation with your IAM, and keep evidence for auditors and regulators.

Customer-controlled keys under DORA

ICT risk management must cover who controls access to critical data—not only that encryption is toggled on.

ICT security and resilience measures

You must protect confidentiality and integrity of data and systems. Strong encryption is a baseline control; who controls the keys determines whether that control is real or delegated.

Third-party and cloud concentration risk

Outsourcing does not outsource accountability. You need defensible controls when data sits in vendor environments—including strict separation so provider access does not equal data access.

Incident detection, response, and evidence

Regulators expect traceability. Cryptographic operations and key usage should tie into your monitoring story—not a black box owned solely by the vendor.

Testing and governance

Operational resilience programmes must be testable. Key management that you govern (policies, roles, HSM or MPC backends you approve) supports tabletop exercises and real incident playbooks.

Solutions

Relevant DuoKey products

OpenBAO + DuoKey SD-HSM

Run KMS-style control with keys under your authority, integrated with business roles and approved hardware or MPC backends.

AWS External Key Store (XKS)

Keep AWS data encryption keys in infrastructure you operate or mandate, so AWS cannot unwrap your data keys at will.

Microsoft 365 — Customer Key & Double Key Encryption

Separate Microsoft’s service encryption from your master key material so highly sensitive mail and files are not decryptable by the vendor alone.

SQL & database encryption

Apply consistent encryption and external key control for database workloads without re-architecting every application first.


Key themes

Where customer-controlled keys fit

DuoKey gives financial entities the key custody and cryptographic governance that DORA's ICT risk framework demands — so your encryption measures are provably yours, not delegated to the cloud operator.

Encryption as an ICT risk control

Map technical measures to confidentiality and integrity obligations by owning key lifecycle and access paths.

Demonstrable separation from the cloud operator

Show that a provider compromise or lawful access channel at the operator does not automatically mean plaintext access to your data.