
DORA Oversight Guide: What financial organizations need to know now about encryption and key sovereignty

The new DORA Oversight Guide requires clear evidence of data and key sovereignty. Find out what financial companies can expect now - and how you can prepare yourself.

On July 15, 2025, the European Supervisory Authorities (ESAs) published the first DORA Oversight Guide: a crucial document that specifies the future monitoring of critical ICT third-party service providers. At its heart: the establishment of so-called Joint Examination Teams (JETs) for the Europe-wide monitoring of cloud providers, software suppliers and other important third parties.

However, the guide contains far more than just organizational advice. In particular, Article 5.4.1 of the guide makes it clear that supervisory authorities will be able to make recommendations on subcontracting and encryption technologies in future - with serious consequences for all financial companies that use hyperscalers such as Microsoft, Amazon or Google.

Why is this relevant now? Because when DORA comes into force in January 2025, all affected organizations will have to prepare for a new level of control - and time is running out if they haven't already done so.

What does the DORA Oversight Guide say?


The 74-page guideline describes in detail how the ESAs (EBA, ESMA and EIOPA) will exercise their supervisory powers over critical ICT service providers in future. A central mechanism: the Joint Examination Teams (JETs), which carry out cross-border audits, technical inspections and on-site visits.

The aim is to enforce uniform standards and ensure that providers of critical infrastructure do not jeopardize the risk and resilience profile of the financial sector.

Particularly relevant: the ESAs can make recommendations on critical security measures, including:

  • Security requirements for subcontractors (subcontracting),
  • Use of strong encryption,
  • Proof of key sovereignty by the financial company itself.

Article 5.4.1 - The key to key control


Article 5.4.1 of the Oversight Guide is particularly important. It states that supervisory authorities may make recommendations that also concern cryptographic protection measures, particularly with regard to sub-service providers and outsourced IT environments.

In concrete terms, this means that if a financial company uses cloud services from Microsoft, AWS or Google, it must be able to prove that it has sovereignty over the encryption keys used at all times - even for redundant or outsourced systems.

This brings a point that has often been neglected into focus:

Who controls your data and who holds the keys?

Why traditional cloud encryption is no longer enough


Many financial companies already rely on encryption. However, keys are often stored in the cloud itself or managed by the provider. The problem:

  • Data sovereignty is not fully guaranteed.
  • In the case of subcontracting (e.g. globally distributed data centers), there is no clear overview of where data and keys are handled.
  • The supervisory authorities could view this as a deficiency, with the associated compliance risks.

The requirements of the DORA Oversight Guide demand a new level of transparency and control.

The solution: eperi sEcure - key sovereignty remains with you


With eperi sEcure, you can rely on an encryption solution that is perfectly tailored to the requirements of DORA. The software encrypts your data before it reaches the cloud, client-side and format-preserving, so that the cloud application can still process it.

What makes eperi sEcure special:

  • Key control remains completely with you: neither cloud providers nor third parties have access.
  • Compatible with Microsoft 365, Salesforce and other web applications.
  • Meets the strictest regulatory requirements, including DORA, NIS2 and GDPR.
  • No loss of functionality: search, sorting and collaboration continue to work.

With this architecture, you can prove to supervisory authorities that the cryptographic protection measures are fully under your control - exactly what Article 5.4.1 requires.
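To make "client-side, format-preserving, key stays with you" concrete, here is an added Python illustration (not eperi's product code and not the scheme eperi sEcure uses): a ten-round Feistel network with an HMAC-SHA256 round function, in the style of NIST FF1 but simplified, that turns a digit string into another digit string of the same length, so the cloud application can store it without schema changes while only the locally held key can reverse it. The key and the sample record are constructed assumptions.

```python
import hashlib
import hmac

ROUNDS = 10  # an even round count keeps the two halves' lengths aligned


def _round_function(key: bytes, round_index: int, half: str, width: int) -> int:
    """Feistel round function: HMAC-SHA256 over round index + other half,
    reduced to an integer of at most `width` decimal digits."""
    mac = hmac.new(key, bytes([round_index]) + half.encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (10 ** width)


def fpe_encrypt_digits(key: bytes, plaintext: str) -> str:
    """Map a digit string to a digit string of the same length
    (unbalanced Feistel as in FF1, but HMAC instead of AES and no tweak)."""
    if not plaintext.isdigit() or len(plaintext) < 2:
        raise ValueError("expected a digit string of length >= 2")
    u = len(plaintext) // 2
    v = len(plaintext) - u
    a, b = plaintext[:u], plaintext[u:]
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being replaced
        c = (int(a) + _round_function(key, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)
    return a + b


def fpe_decrypt_digits(key: bytes, ciphertext: str) -> str:
    """Invert fpe_encrypt_digits by running the rounds backwards."""
    u = len(ciphertext) // 2
    v = len(ciphertext) - u
    a, b = ciphertext[:u], ciphertext[u:]
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def protect_record(key: bytes, record: dict, field: str) -> dict:
    """Client-side step: encrypt one field before the record leaves the
    organisation; the cloud application only ever sees the ciphertext."""
    protected = dict(record)
    protected[field] = fpe_encrypt_digits(key, record[field])
    return protected


if __name__ == "__main__":
    local_key = b"constructed-demo-key-held-on-premises"  # assumption: never leaves the client
    record = {"customer": "Example GmbH", "account_no": "4711000123"}  # constructed sample
    print(protect_record(local_key, record, "account_no"))  # same 10-digit format, different digits
```

Because the mapping is deterministic for a given key, an equality lookup in the cloud application can be answered by encrypting the search value the same way; sort order, however, is not preserved by this construction.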

Conclusion: If you hand over your keys, you also hand over control


The new DORA Oversight Guide clearly shows that the supervisory authorities will be taking a close look at third-party ICT service providers in future. For financial companies, this means that only those who can demonstrate data sovereignty and key control will meet the requirements.

With eperi sEcure, you retain full control: technically, legally and organizationally. This creates the conditions for a future-proof, resilient IT strategy in the financial environment.

Find out more now: how eperi sEcure helps you encrypt in compliance with DORA and keep your keys where they belong, with you.

Would you like to read the DORA Oversight Guide for yourself?
Click here for the official ESA document (PDF)
