Question ID: 3476 - DORA 280
Regulation Reference: (EU) 2022/2554 - Digital Operational Resilience Act (DORA)
Topic: ICT risk management (DORA)
Status: Rejected
Date of submission: 08 Dec 2025
Question
I would like to clarify a specific point regarding the Digital Operational Resilience Act (DORA). Does DORA require encryption of data in use (i.e., data being processed in memory)? We operate on an IBM i (AS/400) platform and would like to confirm whether implementing technologies such as FieldProc or similar mechanisms is necessary to meet DORA compliance, specifically regarding protection of data in use.
Background of the question
We are trying to make our product DORA compliant.
EIOPA answer
The question has been rejected because the provisions regarding data in use are clearly specified in article 6(2)b of Commission Delegated Regulation (EU) 2024/1774.
The second question has been rejected as it relates to institution-specific questions requiring bespoke advice.