Compliance · Intermediate

Identity Controls for DORA

By SWI Community Team · Updated 2026-06-18 · 11 min

The EU Digital Operational Resilience Act (DORA) applies to financial entities and their critical ICT providers, and it makes strong identity and access management an explicit operational-resilience requirement. It began to apply in January 2025.

What DORA expects of identity

DORA's ICT risk-management requirements translate into concrete identity controls:

  • Strong authentication and access management for ICT systems, with least privilege and segregation of duties.
  • Privileged access controls, since privileged accounts are the highest operational risk.
  • Logging and monitoring that supports incident detection and reporting, with tight timelines.
  • Third-party (ICT provider) access governance, because DORA extends scrutiny to your supply chain.

What good looks like

  • Phishing-resistant MFA for workforce and especially privileged access.
  • IGA for least privilege, segregation of duties, and evidenced access reviews.
  • PAM with session recording and just-in-time elevation.
  • ITDR feeding the monitoring and incident-reporting obligations.
  • Governed, time-bound access for third-party providers, with full audit.
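As an added illustration (not code from this guide or from any vendor product), the following Python check turns the list above into access-review evidence over a constructed set of access grants: it flags privileged access without phishing-resistant MFA or session recording, third-party access that is not time-bound, overdue reviews, and segregation-of-duties conflicts across a principal's combined entitlements. The grant record layout, the MFA method classification, the 30-day third-party cap, the 90-day review interval and the payments initiate/approve conflict pair are assumptions made for this example, not values taken from DORA.

```python
"""Access-review evidence check for the identity controls listed above.

Added example, not code from the guide or any product. The grant records,
MFA method names, policy windows and the SoD pair are constructed assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Assumed classification: only these MFA methods count as phishing-resistant.
PHISHING_RESISTANT = {"fido2", "webauthn", "smartcard"}
# Assumed policy parameters (placeholders, not DORA-mandated numbers).
MAX_THIRD_PARTY_DAYS = 30
MAX_REVIEW_AGE_DAYS = 90
# Assumed segregation-of-duties rule: nobody both initiates and approves payments.
SOD_CONFLICTS = [frozenset({"payments.initiate", "payments.approve"})]


@dataclass
class Grant:
    principal: str
    principal_type: str             # "workforce" or "third_party"
    entitlements: set[str]
    privileged: bool = False
    mfa_method: Optional[str] = None
    session_recording: bool = False
    expires_at: Optional[date] = None
    last_reviewed: Optional[date] = None


def review_grants(grants: list[Grant], today: date) -> list[tuple[str, str]]:
    """Return (principal, finding) pairs for every control a grant fails."""
    findings: list[tuple[str, str]] = []
    combined: dict[str, set[str]] = {}
    for g in grants:
        combined.setdefault(g.principal, set()).update(g.entitlements)
        if g.privileged:
            # Phishing-resistant MFA is required for privileged access.
            if g.mfa_method not in PHISHING_RESISTANT:
                findings.append((g.principal, "privileged access without phishing-resistant MFA"))
            # PAM expectation: privileged sessions are recorded.
            if not g.session_recording:
                findings.append((g.principal, "privileged access without session recording"))
        if g.principal_type == "third_party":
            # Third-party access must be time-bound and short-lived.
            if g.expires_at is None:
                findings.append((g.principal, "third-party access without expiry"))
            elif g.expires_at - today > timedelta(days=MAX_THIRD_PARTY_DAYS):
                findings.append((g.principal, "third-party access expiry exceeds policy window"))
        # Evidenced access review: every grant needs a recent review date.
        if g.last_reviewed is None or today - g.last_reviewed > timedelta(days=MAX_REVIEW_AGE_DAYS):
            findings.append((g.principal, "access review overdue"))
    # Segregation of duties is checked over all entitlements a principal holds,
    # because a conflict can be split across several grant records.
    for principal, ents in combined.items():
        for pair in SOD_CONFLICTS:
            if pair <= ents:
                findings.append((principal, "segregation-of-duties conflict: " + ", ".join(sorted(pair))))
    return findings


# Constructed sample data for the demonstration.
REVIEW_DATE = date(2026, 6, 18)
SAMPLE_GRANTS = [
    Grant("alice", "workforce", {"payments.initiate"}, last_reviewed=date(2026, 5, 1)),
    Grant("alice", "workforce", {"payments.approve"}, last_reviewed=date(2026, 5, 1)),
    Grant("bob", "workforce", {"core-banking.admin"}, privileged=True, mfa_method="totp",
          session_recording=True, last_reviewed=date(2026, 6, 1)),
    Grant("vendor-ops", "third_party", {"db.read"}, expires_at=None,
          last_reviewed=date(2026, 1, 10)),
    Grant("carol", "workforce", {"iam.admin"}, privileged=True, mfa_method="fido2",
          session_recording=True, last_reviewed=date(2026, 6, 10)),
]


def sample_findings() -> list[tuple[str, str]]:
    """Run the check over the constructed sample; used by the usage call below."""
    return review_grants(SAMPLE_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for principal, finding in sample_findings():
        print(f"{principal}: {finding}")
```

The output is the kind of evidence an access review needs to produce: one line per failed control, attributable to a principal, reproducible from the grant data. Extending the same loop to emit the grants that passed gives the positive evidence reviewers also expect.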

Common pitfalls

  • Treating DORA as a documentation exercise rather than implementing detection and response.
  • Ignoring third-party and ICT-provider access, which DORA explicitly covers.
  • Privileged access without monitoring, which is incompatible with the resilience and reporting expectations.
