Legacy VPNs often assume network location equals trust, but DORA requires continuous proof of who accessed what, when, and under which approval. A tunnel may connect a user, but it does not by itself prove segmentation, least privilege, or revocation readiness. Regulated access needs identity-centric controls that can be audited session by session.
Why Legacy VPNs Miss the Point for DORA
Legacy VPNs were built to create a secure tunnel, not to prove operationally defensible access. That distinction matters under DORA, where firms must show continuous control over who accessed systems, what they touched, and whether access could be revoked or constrained quickly. A network connection alone does not demonstrate least privilege, segmentation, or session-level accountability.
For regulated environments, the real problem is not remote connectivity. It is that VPN trust often persists after authentication, while DORA-aligned governance expects stronger evidence across identity, access, and monitoring. That is why identity-centric models map more naturally to NIST Cybersecurity Framework 2.0 and to the audit perspective described in Ultimate Guide to NHIs, Regulatory and Audit Perspectives.
NHIMG research shows how quickly credential-centric access fails in practice: 79% of organisations have experienced secrets leaks, and 80% of identity breaches involved compromised non-human identities such as service accounts and API keys. In practice, many security teams encounter failed audit evidence only after a VPN-backed access path has already been abused, rather than through intentional control testing.
How DORA-Aligned Access Should Work Instead
DORA pushes organisations toward access models that can be evidenced, reviewed, and revoked at the level of the individual session or workload. The working pattern is increasingly identity-first: authenticate the actor, authorise the task, limit the duration, and log the outcome. That applies to human users and also to services, scripts, and automation that rely on NHIs.
For human remote access, best practice is moving away from broad network trust toward contextual controls such as step-up authentication, conditional access, and privileged session recording. For machine access, that means short-lived credentials, tightly scoped tokens, and clear ownership of each NHI. The lifecycle requirements discussed in Ultimate Guide to NHIs, Lifecycle Processes for Managing NHIs are especially relevant because DORA expects resilience, not just reachability.
- Use VPNs, if they remain, only as transport, not as the trust decision.
- Bind access to identity, device posture, approval, and purpose of access.
- Apply least privilege with explicit session time limits and rapid revocation.
- Maintain logs that show the identity, target system, approval path, and duration.
This aligns with the control intent of NIST SP 800-53 Rev 5 Security and Privacy Controls, especially where access enforcement and auditability must be demonstrable. These controls tend to break down when third-party administrators share a single VPN path because attribution, revocation, and session boundaries become too weak for reliable evidence.
Where the Gaps Usually Show Up in Real Operations
Tighter access control often increases operational overhead, requiring organisations to balance compliance evidence against change velocity. That tradeoff is real, especially in financial services where legacy applications, vendor support channels, and emergency break-glass access still depend on VPN tooling. Current guidance suggests treating the VPN as one component in a broader access architecture, not as the control that satisfies DORA on its own.
The biggest gap appears in environments with shared admin tunnels, flat network segments, or long-lived credentials embedded in automation. Those patterns make it difficult to prove who did what, and they weaken incident containment when an account is compromised. The risk is even clearer in breach scenarios like the SonicWall VPN Mass Breach via Stolen Credentials, where access control failed at the identity layer rather than the tunnel layer.
There is no universal standard for this yet, but the practical direction is consistent: reduce standing access, strengthen session traceability, and make revocation fast enough to matter under incident pressure. That approach fits both DORA and the NHI governance lessons in Top 10 NHI Issues.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
OWASP Non-Human Identity Top 10 and OWASP Agentic AI Top 10 address the attack and risk surface, while NIST CSF 2.0, NIST SP 800-63 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-1 | DORA-aligned access must verify and limit identities before granting remote connectivity. |
| NIST SP 800-63 | Digital identity assurance supports stronger proof than a VPN tunnel alone. | |
| NIST Zero Trust (SP 800-207) | Zero Trust rejects implicit trust from network location, matching the DORA challenge. | |
| OWASP Non-Human Identity Top 10 | NHI-03 | Short-lived credentials and rotation reduce exposure of VPN-adjacent service access. |
| OWASP Agentic AI Top 10 | A1 | Autonomous or automated access paths need runtime control, not static VPN trust. |
Replace trust-by-network with identity-based access checks and session-level authorization.