DORA Act

The Digital Operational Resilience Act (DORA) is an EU regulation for the financial sector that sets consistent requirements for how firms prevent, withstand, and recover from ICT-related disruptions and cyber incidents. It covers banks, insurers, investment firms, market infrastructures, and, indirectly, their critical ICT service providers.

In practical terms, DORA brings five pillars together under one rulebook:

  • ICT risk management: governance, asset/dependency mapping, controls, business continuity, and disaster recovery.
  • Incident management & reporting: classify ICT incidents, record them consistently, and report significant ones to the competent authority.
  • Digital operational resilience testing: establish a testing program (from tabletop to advanced threat-led exercises for larger entities).
  • ICT third-party risk: maintain a register of providers, set contractual security clauses, and monitor performance and concentration risk.
  • Information sharing & oversight: participate in sector information-sharing where appropriate; critical providers face additional oversight.

How does it affect identity security?
From an identity perspective, DORA expects controls that make compromise less likely and recovery faster:

  • Strong authentication everywhere: enforce MFA (preferably phishing-resistant) for admins and remote access; limit legacy protocols.
  • Least privilege by default: right-size roles in cloud/SaaS, avoid wildcard permissions, and review entitlements regularly.
  • Control privileged access: replace standing admin rights with just-in-time elevation; record privileged sessions and approvals.
  • Lifecycle discipline (JML): automate joiner-mover-leaver to prevent orphaned accounts and privilege creep.
  • Non-human identities: assign owners to service accounts/keys, rotate secrets on a schedule, and prefer short-lived tokens for workloads.
  • Monitoring & response: centralize identity logs (IdP, directory, cloud IAM), detect risky sign-ins or rogue grants, and revoke tokens/disable accounts quickly.
  • Third-party access governance: federate vendor access, enforce MFA, scope permissions to specific tasks, and review access against contracts.
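The monitoring and lifecycle points above become concrete once identity telemetry is normalised and checked programmatically. The following script is an added example, not code from the original page or from any product it describes: it runs a handful of DORA-relevant identity checks (privileged sign-ins without MFA, activity by leavers missing from the HR feed, wildcard grants, ownerless or stale non-human secrets) over a constructed set of IdP, cloud IAM and vault records, and maps each finding to the playbook action a responder would take. The event schema, role names, the 90-day rotation window and the "current time" are all assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

ADMIN_ROLES = {"GlobalAdmin", "ProdAdmin"}               # assumed privileged roles
MAX_SECRET_AGE_DAYS = 90                                 # assumed rotation schedule
NOW = datetime(2024, 6, 1, 12, 0, tzinfo=timezone.utc)   # constructed clock for the example

# Constructed HR feed: identities that are currently active (joiners and movers).
HR_ACTIVE = {"alice", "bob", "vendor-ops"}

# Constructed identity telemetry, already normalised from IdP / cloud IAM / vault exports.
EVENTS = [
    {"type": "signin", "user": "alice",      "role": "GlobalAdmin", "mfa": True,  "ts": "2024-06-01T11:50:00Z"},
    {"type": "signin", "user": "bob",        "role": "ProdAdmin",   "mfa": False, "ts": "2024-06-01T11:55:00Z"},
    {"type": "signin", "user": "carol",      "role": "Reader",      "mfa": True,  "ts": "2024-06-01T11:58:00Z"},
    {"type": "signin", "user": "vendor-ops", "role": "Reader",      "mfa": True,  "ts": "2024-06-01T11:59:00Z"},
    {"type": "grant",  "actor": "bob",   "principal": "svc-backup", "permission": "*:*",          "ts": "2024-06-01T11:56:00Z"},
    {"type": "grant",  "actor": "alice", "principal": "svc-etl",    "permission": "s3:GetObject", "ts": "2024-06-01T11:57:00Z"},
    {"type": "secret", "principal": "svc-backup", "owner": None,    "created": "2023-12-01T00:00:00Z"},
    {"type": "secret", "principal": "svc-etl",    "owner": "alice", "created": "2024-05-01T00:00:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp with a trailing 'Z' into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def admin_signins_without_mfa(events, admin_roles=ADMIN_ROLES):
    """Privileged sign-ins that did not satisfy MFA: a 'strong authentication everywhere' gap."""
    return sorted(e["user"] for e in events
                  if e["type"] == "signin" and e["role"] in admin_roles and not e["mfa"])


def orphaned_account_activity(events, hr_active=HR_ACTIVE):
    """Sign-ins by identities the HR feed no longer lists: a leaver whose account was not disabled."""
    return sorted({e["user"] for e in events
                   if e["type"] == "signin" and e["user"] not in hr_active})


def rogue_grants(events):
    """Grants that hand out wildcard permissions, which violate least privilege by default."""
    return [(e["principal"], e["permission"], e["actor"]) for e in events
            if e["type"] == "grant" and "*" in e["permission"]]


def secret_hygiene_findings(events, now=NOW, max_age_days=MAX_SECRET_AGE_DAYS):
    """Non-human identity secrets that have no owner or have outlived the rotation schedule."""
    findings = []
    for e in events:
        if e["type"] != "secret":
            continue
        age = now - parse_ts(e["created"])
        if e["owner"] is None:
            findings.append((e["principal"], "no-owner"))
        if age > timedelta(days=max_age_days):
            findings.append((e["principal"], f"stale-{age.days}d"))
    return findings


def response_plan(events, hr_active=HR_ACTIVE, now=NOW):
    """Map every finding to the playbook action a responder would take (revoke, disable, remove, rotate)."""
    plan = {}
    for user in admin_signins_without_mfa(events):
        plan.setdefault(user, []).append("revoke-sessions-and-require-mfa")
    for user in orphaned_account_activity(events, hr_active):
        plan.setdefault(user, []).append("disable-account")
    for principal, permission, actor in rogue_grants(events):
        plan.setdefault(principal, []).append(f"remove-grant:{permission}")
        plan.setdefault(actor, []).append("review-grant-approval")
    for principal, reason in secret_hygiene_findings(events, now):
        plan.setdefault(principal, []).append(f"rotate-secret:{reason}")
    return plan


if __name__ == "__main__":
    for identity, actions in response_plan(EVENTS).items():
        print(f"{identity}: {', '.join(actions)}")
```

Each check is deliberately a pure function over the event list, so the same logic can be pointed at a real export and its output attached as evidence for the incident-handling and third-party-oversight records DORA asks for.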

Case study
A European financial firm preparing for DORA found gaps: shared admin credentials, inconsistent MFA for contractors, and unmanaged vendor support accounts. The remediation program:

  • Hardened the IdP, enforced MFA/passwordless for admin roles, and shortened session lifetimes.
  • Converted production admin roles to JIT with approvals and audit trails; removed legacy shared accounts.
  • Cataloged all vendor identities and moved them to federated SSO with least-privilege roles and time-boxed access.
  • Centralized identity telemetry and built playbooks to revoke sessions and rotate keys on suspicious activity.

Subsequent internal reviews showed fewer excessive entitlements, faster offboarding, and clearer evidence for incident handling and third-party oversight, directly supporting DORA objectives.
