DORA and Data Exfiltration: Anti-Exfiltration Controls for Financial Entities

The EU Digital Operational Resilience Act (DORA) came into full application on 17 January 2025, imposing comprehensive ICT risk management obligations on financial entities including banks, insurance companies, investment firms, payment institutions, and their critical ICT service providers. DORA explicitly requires measures to prevent data loss and data leakage as part of an entity's ICT risk management framework. The European Banking Authority's 2024 threat landscape report identified data exfiltration as the primary objective in 62% of cyberattacks against European financial institutions. For financial entities subject to DORA, anti-data-exfiltration technology is not a supplementary control — it is a direct compliance requirement.

DORA fines reach €10 million or 5% of global annual turnover for critical providers.

DORA's ICT Risk Management Requirements for Data Protection

DORA Article 6 requires financial entities to establish and maintain a sound, comprehensive, and well-documented ICT risk management framework. Article 9 specifically addresses protection and prevention, requiring entities to implement policies, procedures, protocols, and tools that are necessary to ensure the resilience, continuity, and availability of ICT systems — including protection against data loss, data leakage, and unauthorised access. This is not an aspirational guideline: DORA is a binding EU regulation with direct applicability in all member states. Financial entities that cannot demonstrate technical controls against data exfiltration are non-compliant from day one.

  • Article 6: comprehensive ICT risk management framework — board-approved and regularly updated
  • Article 9(2): protection against data loss and data leakage as explicit requirements
  • Article 9(3): mechanisms to detect anomalous activities and ICT-related incidents promptly
  • Article 9(4)(c): policies restricting physical and virtual access to ICT systems and data
  • Article 10: detection mechanisms for anomalous activities on networks and ICT systems
  • Article 11: response and recovery requirements — business continuity must address data integrity

DORA Incident Reporting and How Anti-Exfiltration Reduces Exposure

DORA Article 19 requires financial entities to classify and report major ICT-related incidents to their competent authority. The classification criteria under Article 18 include: the number of clients or financial counterparts affected, the amount of data exfiltrated, the impact on transactions, and whether the incident caused data losses. Data exfiltration events will almost always meet the threshold for a "major incident" requiring mandatory reporting. An initial notification must be filed within 4 hours of classification, with an intermediate report within 72 hours and a final report within one month. Preventing data exfiltration eliminates the most common trigger for major incident classification under DORA.

  • Initial notification: within 4 hours of classifying an incident as major
  • Intermediate report: within 72 hours with detailed analysis
  • Final report: within 1 month including root cause and remediation
  • Classification criteria: clients affected, data exfiltrated, transaction impact, data losses
  • Data exfiltration directly triggers multiple DORA classification thresholds
  • Preventing exfiltration eliminates the trigger — not just the reporting obligation

How BlackFog ADX Addresses DORA Data Protection Requirements

BlackFog ADX operates at the endpoint level, monitoring all outbound network traffic from every device in your financial entity's environment. It blocks data transfers to unauthorised destinations — including command-and-control infrastructure, dark web staging servers, and anomalous external endpoints — in real time. For DORA compliance, ADX directly satisfies the Article 9(2) requirement for protection against data loss and data leakage. It provides the Article 10 detection mechanisms for anomalous network activities. It supports Article 11 response capabilities by containing incidents at the exfiltration stage before data leaves the entity's control. And critically, it produces the audit-ready evidence that competent authorities and European Supervisory Authorities (ESAs) expect to see during DORA compliance assessments.

  • Article 9(2): blocks data leakage and data loss through outbound traffic control
  • Article 10: detects anomalous outbound network activity in real time
  • Article 11: contains incidents before data leaves the entity's environment
  • Audit evidence: timestamped logs of all blocked and monitored transfers
  • Deployment covers office endpoints, remote workers, servers, and cloud workloads
  • No dependency on content classification — effective against encrypted exfiltration

Third-Party ICT Provider Obligations Under DORA

DORA Article 28 imposes specific requirements on financial entities regarding their relationships with ICT third-party service providers. Contracts must include provisions for data protection, data security, and the ability to terminate arrangements if the provider fails to meet security standards. If your organisation provides ICT services to financial entities, demonstrating anti-data-exfiltration controls is increasingly a contractual requirement under DORA. BlackFog's SOC 2 Type 2 certification and its anti-exfiltration capabilities together satisfy the due diligence requirements that financial entities must apply to their critical ICT providers. Deploying ADX demonstrates compliance with the provider's own data protection obligations while simultaneously enabling the financial entity to meet its Article 28 oversight requirements.

Digital Operational Resilience Testing and ADX

DORA Article 25 requires financial entities to conduct digital operational resilience testing at least annually. For significant financial entities, this includes advanced threat-led penetration testing (TLPT) under Article 26. These tests simulate real-world attacks — including data exfiltration attempts. Organisations with ADX deployed can demonstrate during TLPT exercises that even when attackers gain initial access, data cannot leave the environment through unauthorised channels. This provides concrete, measurable evidence of digital operational resilience that goes beyond theoretical risk assessments and directly addresses the regulator's primary concern: can your organisation withstand a real cyberattack without losing data?

Get a DORA data exfiltration readiness assessment

Kyanite Blue is an authorised BlackFog partner. We deploy, manage, and support ADX for organisations across every sector.
