
How to Future-Proof Your Encryption Landscape [in Banking Systems]

  • Writer: Giuliana Bruni
  • 15 hours ago
  • 2 min read

The introduction of the Digital Operational Resilience Act (DORA) has transformed how banks are expected to manage encryption. As of January 2025, all financial entities operating in the EU - including banks, insurers, payment institutions, and investment firms - must maintain full control over their information and communication technologies. This includes cryptographic dependencies. DORA is a regulation, not a directive, meaning it applies uniformly and directly across Member States.


Historically, banks addressed operational risks through capital reserves and technical controls. But that model never fully accounted for all ICT risk, especially not the kind introduced by cryptographic libraries buried in third-party software, cloud service providers, or open source components. DORA now explicitly requires financial institutions to document, test, and manage the encryption used across their digital systems. That includes not only internal software, but also cryptography deployed by third-party providers.


The regulation’s five core pillars include ICT risk management, digital operational resilience testing, incident response, third-party risk oversight, and threat intelligence sharing. Encryption sits at the heart of three of them. Article 5 of DORA requires that banks implement specific controls for software and cryptographic integrity, patch management, encryption at rest and in transit, and key management processes. Regular penetration testing, including threat-led red teaming, is mandatory for systemically significant entities.


All of this points to an inescapable truth: encryption visibility is now a regulatory mandate. And that’s before accounting for quantum risk. The UK’s National Cyber Security Centre (NCSC) has published a three-phase migration roadmap, requiring critical sectors, including banking, to complete discovery of cryptographic assets by 2028, begin PQC migration by 2031, and complete it by 2035. The ECB, ESAs, and BIS have already referenced this timeline in forward-looking guidance.


This transition to quantum-readiness depends entirely on cryptographic agility: the capacity to locate, inventory, and swap out encryption libraries and primitives without architectural overhauls. Most banks are not ready; many still rely on outdated algorithms such as 3DES and SHA-1 within legacy systems or unmanaged open source transitive dependencies. These are rarely captured in traditional scanning workflows because they are not tied to CVEs or do not trigger known signature matches.
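To make the discovery step concrete, here is an added example (not SCANOSS's code, and not part of the original post) of a minimal cryptographic-asset inventory pass: it walks source text for algorithm references, classifies each against a constructed approved/deprecated table, and tags vendored paths as third-party. The file contents, the `vendor/` convention, and the classification table are all constructed assumptions for the illustration.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Constructed classification table for this example: an algorithm label, a
# language-agnostic pattern for how it usually appears in source, and a policy
# status. A real inventory would use the institution's own approved-algorithm list.
PATTERNS = [
    ("3DES",  re.compile(r"\b(?:3DES|DESede|TripleDES|DES3|des-ede3)\b", re.I), "deprecated"),
    ("SHA-1", re.compile(r"\bSHA-?1\b", re.I), "deprecated"),
    ("MD5",   re.compile(r"\bMD5\b", re.I), "deprecated"),
    ("SHA-2", re.compile(r"\bSHA-?(?:256|384|512)\b", re.I), "approved"),
    ("AES",   re.compile(r"\bAES\b", re.I), "approved"),
]

@dataclass(frozen=True)
class CryptoFinding:
    path: str
    line: int
    algorithm: str
    status: str   # "deprecated" or "approved"
    origin: str   # "third-party" for vendored code, otherwise "first-party"

def scan_sources(files: dict[str, str]) -> list[CryptoFinding]:
    """Record every algorithm reference, line by line. Unlike CVE matching,
    this flags a deprecated primitive even when no advisory exists for it."""
    findings = []
    for path, text in files.items():
        origin = "third-party" if path.startswith("vendor/") else "first-party"
        for lineno, line in enumerate(text.splitlines(), start=1):
            for algorithm, pattern, status in PATTERNS:
                if pattern.search(line):
                    findings.append(CryptoFinding(path, lineno, algorithm, status, origin))
    return findings

def deprecated_findings(findings: list[CryptoFinding]) -> list[CryptoFinding]:
    return [f for f in findings if f.status == "deprecated"]

def inventory(findings: list[CryptoFinding]) -> dict[str, int]:
    """Per-algorithm usage counts: the discovery artefact the migration roadmap starts from."""
    return dict(Counter(f.algorithm for f in findings))

# Constructed sample input: a vendored lending SDK with legacy crypto, plus a first-party module.
SAMPLE_FILES = {
    "vendor/lending-sdk/LegacyCrypto.java": (
        'Cipher c = Cipher.getInstance("DESede/CBC/PKCS5Padding");\n'
        'MessageDigest md = MessageDigest.getInstance("SHA-1");\n'
    ),
    "app/signing.py": (
        "import hashlib\n"
        "digest = hashlib.sha256(payload).hexdigest()\n"
        "legacy = hashlib.sha1(token).hexdigest()  # still required by a partner API\n"
    ),
}
```

Running `deprecated_findings(scan_sources(SAMPLE_FILES))` on the sample returns the 3DES and SHA-1 hits with their file, line and origin, which is the ownership information the incident in the next paragraph lacked.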


In 2023, a Tier 1 EU-based bank uncovered a deprecated TLS library within a white-labelled mobile lending platform operating across 14 countries. The dependency had no clear ownership. Remediation required six weeks of forensic analysis and temporary market withdrawal in several jurisdictions.


Banks that succeed under DORA will have comprehensively surfaced all cryptographic usage across their environment: not just the high-profile algorithms supporting customer-facing systems, but also the legacy cryptography buried deep in transitive dependencies, third-party code, and vendor software that “just works” and has gone unchecked for years. The winners will be those who can detect it, switch it, prove it, and demand the same from their suppliers.


SCANOSS helps banks and financial institutions build real cryptographic agility. Schedule a walkthrough to see how your stack holds up.



Adopt SCANOSS today

Get complete visibility and control over your open source.
