Financial Services Data Storage in the Cloud: The Encryption Imperative in 2026
Financial institutions have crossed the point of no return on cloud adoption. The question is no longer whether to store financial data in the cloud -- it's whether your encryption strategy is solid enough to protect it when, not if, something goes wrong.
The numbers speak for themselves: the average cost of a data breach in the financial sector now sits at $5.85 million per incident, and 60% of financial organizations say they struggle to secure data consistently across multi-cloud environments. At the same time, regulators have significantly raised the bar. DORA has been in full force since January 2025. PCI DSS 4.0.1 mandatory controls took effect in March 2025. NIS2 enforcement is accelerating across EU member states through 2026.
This article covers what the regulatory landscape actually requires of financial data storage today, where standard cloud encryption falls short, and what a genuinely secure key management architecture looks like in practice.
Table of Contents
- The Financial Data Security Problem
- What Regulations Actually Require
- Why Default Cloud Encryption Is Not Enough
- The Key Management Gap
- External Key Management: The Architecture That Satisfies Regulators
- Multi-Party Computation: The Next Generation of Key Control
- Financial Data Storage Best Practices
- How DuoKey Secures Financial Services Cloud Storage
- Compliance Coverage at a Glance
- FAQ
The Financial Data Security Problem
Financial institutions handle some of the most sensitive data that exists -- cardholder records, transaction histories, KYC documentation, credit files, and the internal communications wrapped around all of it. That data is increasingly spread across multiple environments: public cloud from multiple providers, SaaS platforms, on-premises systems, and hybrid architectures that can be genuinely hard to inventory.
The multi-cloud reality creates a specific problem. When financial data sits in AWS, Azure, and a third-party SaaS platform at the same time, each environment brings its own native encryption defaults, its own key management system, and its own audit trail. Getting consistent, auditable protection across all of them requires a control layer that sits above any single cloud provider -- not three separate policies loosely coordinated by someone's spreadsheet.
This isn't a hypothetical risk either. Breaches in the financial sector have repeatedly traced back to the same fundamental weakness: data was technically encrypted, but the keys were managed by the same party that got compromised, or were accessible in ways that gave attackers a path through. Encryption without meaningful key control is really just the appearance of security.
What Regulations Actually Require
The regulatory picture for financial data storage has shifted substantially in the past 18 months. It's worth going through each major framework specifically, because the requirements for encryption and key management are more prescriptive than many teams realize.
DORA
DORA entered full application on January 17, 2025 -- and unlike an EU directive, it applies identically across all 27 member states with no room for national variation. It covers banks, insurers, investment firms, payment service providers, and the ICT third-party providers that serve them.
For financial data storage, the most consequential requirements are around ICT risk management and third-party oversight. Financial entities must implement a documented risk management framework with board-level accountability, and encryption of sensitive data at rest and in transit is an expected baseline control. More specifically, the framework must address how cryptographic key material is protected -- not just that data is encrypted, but that the keys themselves are under the entity's meaningful control.
The third-party provisions are where things get particularly relevant for cloud-based storage. If you delegate key management to a cloud provider, DORA requires you to demonstrate ongoing oversight of that provider's controls. Regulators will scrutinize whether the cloud provider has unilateral access to your keys -- that is, whether they could decrypt your data without your involvement. If they can, your compliance posture on that front is weak. Non-compliance penalties run up to 2% of total annual worldwide turnover for financial entities.
NIS2
NIS2 classifies financial sector organizations as both "essential" and "important" entities. Article 21 explicitly requires encryption as a risk management measure, with controls proportionate to the risk. Enforcement is ongoing through 2026 -- German entities face a BSI registration deadline in April 2026, and other member states are working through their own timelines.
In June 2025, ENISA published nearly 200 pages of technical guidance for NIS2 implementation, making previously informal expectations explicit: specific standards for encryption in transit and at rest, key management practices, and vendor oversight methodologies. If your security team hasn't reviewed that document yet, it's worth doing.
GDPR and Schrems II
GDPR Article 32 has always required "appropriate technical and organizational measures" for personal data protection, and encryption is the canonical example. What Schrems II added -- through the invalidation of the EU-US Privacy Shield -- is a more operational requirement: organizations storing EU residents' financial data in US-based cloud infrastructure must be able to demonstrate that the data cannot be accessed by the cloud provider (or compelled from them by US authorities) without the data subject's knowledge and without the ability to revoke that access.
For any financial institution with EU customer data on AWS, Azure, or GCP, this creates a direct argument for encryption keys that never touch the cloud provider's infrastructure.
PCI DSS 4.0.1
PCI DSS 4.0.1 is now fully in force as of March 2025. Requirements 3 and 4 govern stored cardholder data and data in transit respectively. Requirement 3.7's key management provisions specify that cryptographic keys must be protected against disclosure and misuse, with documented custodians and split knowledge or dual control procedures for key-encrypting keys. These aren't new concepts, but they're now mandatory with no grace period remaining and no room for auditor discretion.
FINMA
For institutions with Swiss operations, FINMA's operational risk circular requires demonstrable key management sovereignty for data stored in cloud environments. Swiss regulators have consistently taken a conservative position on cloud data control, and they expect to see evidence of it rather than assertions.
Why Default Cloud Encryption Is Not Enough
AWS, Azure, and Google Cloud all encrypt data at rest by default. This is table stakes -- it's not a differentiator, and for regulated financial data, it creates a specific compliance problem that most organizations discover only when an auditor asks the right question.
With default cloud encryption, the cloud provider manages the keys. Their infrastructure generates them, stores them, and uses them on your behalf. This means a few things that matter for compliance. Under a lawful government order, a US-based cloud provider can be compelled to produce your key material -- and may not be permitted to tell you it happened. A breach of the cloud provider's key management infrastructure is, in practical terms, a breach of your encrypted data. And you have no independent way to verify that your encryption hasn't been silently bypassed.
Customer-managed keys (CMK) are an improvement -- they give you control over key policies, rotation schedules, and access conditions. But the key material itself still lives in the cloud provider's infrastructure. You're trusting a third party with the root of your cryptographic trust chain, and you're obligated under DORA to demonstrate ongoing oversight of that same third party.
For most data categories this trade-off is acceptable. For sensitive financial data -- cardholder records, personal financial information, transaction histories -- EU regulators increasingly expect more. The direction of regulatory travel is toward encryption key material that the financial institution genuinely controls, not key policies applied to keys a cloud provider holds on your behalf.
The Key Management Gap
The gap between "encrypted" and "actually secure" comes down to one question: who holds the keys?
Consider a typical financial services cloud architecture. Customer financial records in AWS S3, encrypted with customer-managed KMS keys. Transaction data in Azure SQL, encrypted via Azure Key Vault. Card processing handled by a third-party payment processor. Staff accessing all of the above through SaaS applications with provider-managed encryption.
In this picture, three different cloud providers each hold key material for different slices of your financial data. Your ability to centrally revoke access -- in the event of a breach, a regulatory directive, or a decision to exit a provider -- is fragmented. Your audit trail is split across three separate provider consoles. And your compliance position depends on each provider independently maintaining the security controls you assume they have.
That's the key management gap: encryption is present everywhere, but key control is dispersed, incomplete, and effectively delegated to vendors you didn't necessarily choose with that consequence in mind.
External Key Management: The Architecture That Satisfies Regulators
The direct answer to the key management gap is an external key management architecture: your cryptographic key material lives entirely outside any cloud provider's infrastructure, in a system your organization owns and controls. Cloud providers still perform encryption operations -- you're not replacing them -- but they cannot access the key material without an authorized call to your external key manager.
This architecture addresses the overlapping requirements of DORA, NIS2, and Schrems II through a single design decision. Key sovereignty is satisfied because keys reside in your infrastructure. Access revocation is real and immediate -- take your external key manager offline and all cloud encryption operations using those keys stop. A centralized audit trail becomes possible because every key usage event, across every cloud provider, flows through one system. And DORA's third-party risk requirements become substantially easier to meet when you are the key custodian, not a vendor you're obligated to oversee.
The technical integration uses protocols the major cloud providers already support: AWS KMS External Key Store (XKS), Azure Key Vault Managed HSM with HYOK, and GCP Cloud KMS with EKMS. Each allows the respective cloud provider to perform cryptographic operations using key material that never leaves your custody.
Multi-Party Computation: The Next Generation of Key Control
Traditional HSM-based external key management solves the cloud provider custody problem but introduces a different one: the complete key exists as a single secret in a single location. Physical compromise of that location, an insider threat with sufficient access, or a lawful compulsion order targeting that specific system are all credible attack vectors that a single HSM cannot defend against.
Multi-Party Computation eliminates this single point of failure at the cryptographic level. With MPC-based key management, no complete key ever exists anywhere -- not in a single device, not in a single jurisdiction, not in any one administrator's hands. Cryptographic operations are performed collaboratively across distributed key shares, each of which is mathematically useless on its own. A quorum of authorized parties must participate for any key operation to succeed.
In practice this means unauthorized key access requires simultaneously compromising multiple independent systems. An insider threat scenario requires collusion across parties who may not know each other. A government compulsion order targeting one location produces an incomplete key share that enables nothing. For financial services, MPC-based key management provides the strongest available defense against both technical attack and regulatory compulsion -- and it's the architecture that most credibly satisfies demanding interpretations of DORA's ICT risk requirements.
DuoKey's financial service encryption is built on MPC. It's not an add-on; it's the foundational architecture. The result is external key management without the residual single-point-of-exposure risk that traditional HSM solutions carry.
Financial Data Storage Best Practices
A few things represent the genuine baseline expectation for regulated financial data storage in 2026, regardless of which specific key management approach you take.
Start with data classification. Not all financial data carries the same regulatory sensitivity. Cardholder data under PCI DSS, personal financial records under GDPR, and operational telemetry have meaningfully different protection requirements. Classification drives appropriate control selection and makes compliance evidence easier to produce when auditors ask.
Encrypt everything in transit and at rest, without exceptions for traffic you consider "internal." PCI DSS 4.0.1 and DORA both treat this as non-negotiable. TLS 1.2 minimum for data in transit, AES-256 for data at rest. Organizations under NIS2 should review ENISA's June 2025 technical guidance -- some previously informal norms are now explicit.
Consolidate key management across cloud providers rather than maintaining separate key hierarchies per environment. Fragmented key management creates audit complexity, compliance risk, and operational brittleness. A centralized external key manager that integrates with all major cloud providers gives you the single, consistent audit trail that regulators actually want to see.
Plan for cryptographic agility. DORA, NIS2, and the EU NIS Cooperation Group's post-quantum roadmap (which targets 2030 for transitioning high-risk financial systems to PQC) all assume that cryptographic standards will continue to evolve. Design your key management infrastructure to be algorithm-agnostic now, before quantum-related regulatory pressure arrives in force.
Test your cryptographic infrastructure's resilience, not just your applications. DORA's resilience testing requirements extend to key management systems. Annual penetration testing and regular failover exercises are expected, and regulators will ask for evidence.
Document key custodianship properly. PCI DSS Requirement 3.7 requires formal custodian records and defined procedures for key generation, distribution, storage, retirement, and destruction. This documentation is among the first things auditors request, and organizations that improvise it under audit pressure don't make a strong impression.
How DuoKey Secures Financial Services Cloud Storage
DuoKey addresses the financial data storage problem at the layer that matters most: cryptographic key control that your organization genuinely owns.
The platform provides encryption for sensitive financial data across cloud environments -- structured data in cloud databases, unstructured data in object storage, data processed by cloud-native applications -- with keys that never leave customer-controlled infrastructure. Because DuoKey uses MPC rather than a traditional HSM, there is no single device to compromise, no single administrator with complete key access, and no single location that could be the target of a compulsion order.
DuoKey integrates with AWS KMS via XKS, Azure Key Vault, and GCP EKMS, so financial institutions can maintain centralized key control across heterogeneous cloud environments without replacing existing infrastructure or modifying applications. Encryption and decryption operations happen within the existing cloud provider API surface; the key management layer is transparent to workloads.
The compliance benefits are architectural rather than just documented. DORA's key sovereignty and third-party oversight requirements are addressed by the design itself. Schrems II access revocation capability is built in. PCI DSS split knowledge requirements are satisfied by MPC's key share model. And the centralized audit trail across all cloud environments simplifies the evidence collection that regulators and auditors request.
Compliance Coverage at a Glance
| Regulation | What It Requires for Data Storage | How External Key Management Addresses It |
|---|---|---|
| DORA | Key material under financial entity control; third-party oversight; resilience testing | Keys held externally; cloud provider has no access; MPC reduces single point of failure risk |
| NIS2 | Encryption as a risk management measure; state-of-the-art technical controls | AES-256 encryption with external key custody; aligned with ENISA June 2025 guidance |
| GDPR / Schrems II | Access revocation capability; cloud provider cannot access personal data | Immediate kill switch via external key manager; no key material on cloud provider infrastructure |
| PCI DSS 4.0.1 | Split knowledge / dual control for key-encrypting keys; documented custodianship | MPC key shares support split knowledge by design; full audit logging |
| FINMA | Cloud data sovereignty; operational risk management | Centralized external key control with Swiss data residency options |
FAQ
What is financial services data storage security?
It's the set of controls that protect financial data -- cardholder records, transaction data, personal financial information -- when stored in cloud environments. The most important layer is encryption combined with genuine key control: ensuring that encrypted data can't be accessed even if the underlying storage is compromised, or if the cloud provider is subject to a legal order.
Is standard cloud encryption enough to comply with DORA?
For the most sensitive financial data categories, generally no. When a cloud provider manages your keys, you're delegating key custody to a third party that DORA requires you to oversee. External key management is the architecture that most credibly satisfies DORA's intent around meaningful key control.
What's the difference between BYOK and HYOK?
Bring Your Own Key (BYOK) means you generate the key and import it into the cloud provider's key management infrastructure, where they take custody. Hold Your Own Key (HYOK) means the key never leaves your infrastructure -- the cloud provider calls your external key manager whenever it needs to perform a cryptographic operation.
Does external key management slow things down?
It adds a round-trip for cryptographic operations, but in practice the impact is often minimal for financial workloads. Cloud services cache data encryption keys, so external key managers are not called for every individual record access.
How does MPC improve on a traditional HSM?
An HSM holds the complete key in a single tamper-resistant device. MPC distributes key shares across multiple independent systems so no single share can execute operations alone. For financial institutions, that is a material improvement in both security posture and regulatory defensibility.
Do any regulations explicitly require external key management?
Not by name. But DORA, NIS2, and Schrems II create compliance expectations that external key management is a strong and credible way to satisfy -- particularly around key sovereignty, limiting cloud provider access, and immediate access revocation capability.
The Bottom Line
Financial data in the cloud is secure when two conditions are genuinely met: strong encryption, and key material under the financial institution's actual control -- not delegated to a cloud provider. In 2026, with DORA and PCI DSS 4.0.1 in full force and NIS2 enforcement accelerating, meeting those conditions is the regulatory expectation, not a competitive differentiator.
Institutions that address this now build a compliance architecture that holds up under scrutiny. Those that defer tend to find out what retrofitting encryption controls under audit pressure actually costs -- which is considerably more than getting the architecture right from the start.
References and Further Reading
- EU Digital Operational Resilience Act (DORA) - Official Text
- ENISA NIS2 Technical Guidelines, June 2025
- PCI DSS v4.0.1 - PCI Security Standards Council
- GDPR Article 32 - Security of Processing
- NIST SP 800-57: Key Management Guidelines
- Cloud Security Alliance: Financial Services Cloud Key Management
- DuoKey secure cloud data storage use case
Related Resources
