Position paper on the implementation of the DORA requirement “Encryption in Use”

With the Digital Operational Resilience Act (DORA), the EU is introducing new IT security requirements across the entire financial sector – including, for the first time, the requirement to encrypt sensitive data during active use (“encryption in use”). In a joint position paper, the German Banking Industry Committee (GBIC) and the German Insurance Association (GDV) assess the technical feasibility of this requirement, classify current threat scenarios, and point out that proven protective measures can ensure an equivalent level of security even without the full implementation of true technical encryption. The paper underscores the financial industry's common goal of further strengthening digital resilience – based on realistic, risk-based, and regulatory-compliant solutions.