DORA (Digital Operational Resilience Act): Ensuring secure financial communication

Cyber attacks targeting financial institutions are becoming more frequent and more sophisticated. With DORA, the European Union is establishing clear rules to strengthen the digital resilience of the financial sector. The regulation creates a consistent set of standards for IT security and risk management that all financial service providers within the EU must comply with.

The EU regulation officially became effective on January 17, 2025. Companies within the financial sector are already obliged to take the new requirements into account and to start adapting their IT security measures. They have to implement the regulatory technical standards (RTS) by July 17, 2026. These guidelines contain detailed specifications for securing digital processes, protecting against cyber attacks and managing risk. The legal acts will be effective from October 17, 2026; these EU regulations solidify and complement the DORA policies. Companies that ignore the regulation or act too late not only face penalties but also expose themselves to serious security vulnerabilities.

DORA and its relevance for e-mail security:

The regulation defines five key areas to strengthen the resilience of financial institutions. Nowadays, they usually operate within a historically grown IT mix of on-premises and cloud systems, a complex network that invites security vulnerabilities. Cyber attacks such as phishing, spoofing or the spread of malware are often launched via e-mail; security measures therefore have to cover e-mail communication.

As one of the most common attack vectors, e-mail automatically falls under the general DORA requirements for risk management, reporting obligations and security checks. Financial institutions have to identify and record e-mail-based threats and reduce them to a minimum by conducting regular tests such as phishing simulations, information security audits and stress tests. DORA also calls on financial institutions to share information about threats, as cyber attacks are constantly evolving.

Key points for financial companies:

The compliance requirements associated with DORA mainly call for reviewing communication processes and securing them. A specialist in communication solutions can provide support here. The following points are particularly important when choosing a solution and a partner:

1. EU hosting and GDPR compliance: An e-mail provider should operate its data centers in Europe in order to meet data protection and regulatory requirements; solutions that rely on international hyperscalers such as Amazon’s AWS, Google or Microsoft are associated with compliance risks. Preferably, the service provider runs its infrastructure with its own staff and refrains from outsourcing sensitive activities. Certifications such as ISO 27001 or SOC 2 demonstrate a consistent security strategy.

2. Reliability through redundant infrastructure: A multi-data-center architecture with geo-redundant data centers and a guaranteed high level of availability ensures stable operation. An additional focus lies on the protection of internal communication: e-mails should not be routed via public Internet exchange points, but via dedicated, additionally secured network segments. In the event of an IT infrastructure failure, the provider should also offer a fallback that keeps e-mail available. A secure external webmail service that runs autonomously alongside the primary e-mail system lets employees communicate by e-mail without interruption at any time.

3. E-mail security beyond standard filters: Conventional spam and phishing filters alone are no longer sufficient. Protection against modern cyber attacks requires Advanced Threat Protection (ATP), which detects and stops threats in real time. Important components include an AI-based sandbox, post-delivery protection and protection against social engineering and ransomware.

4. End-to-end encryption and e-mail management: The solutions used should support established encryption methods such as S/MIME, PGP and OpenPGP to ensure the authenticity, integrity and confidentiality of communication. Integrated e-mail management also ensures that messages can be traced and monitored at any time. Consistent certificate management effectively prevents e-mail spoofing and identity theft.
