By NHI Mgmt Group Editorial Team
Published 2025-09-08
Domain: Governance & Risk
Source: RSA Security

TL;DR: DORA pushes financial firms to prove identity controls, continuity, and governance can withstand severe disruption, with RSA outlining visibility, risk-based access, failover, phishing-resistant authentication, and lifecycle automation for CISOs and IAM leaders. The real test is not whether controls exist, but whether identity operations stay governable under outage, credential theft, and audit pressure.


At a glance

What this is: This is RSA Security’s DORA playbook for aligning IAM, continuity, and governance with EU operational resilience requirements.

Why it matters: It matters because DORA makes identity a resilience control, not just an access layer, affecting NHI, autonomous-system, and human identity programmes.

👉 Read RSA Security's practical playbook for DORA-aligned identity controls


Context

DORA raises the bar for financial services by treating identity, authentication, and governance as part of operational resilience, not as separate security tasks. For IAM and IGA teams, the practical question is whether identity services can keep operating, keep proving access decisions, and keep producing audit evidence when systems are under stress.

RSA’s playbook reflects a familiar gap: many organisations still rely on static policies, manual certification, and assumptions that identity services will remain available when needed. Under DORA, those assumptions are no longer safe for workforce access, customer authentication, or the privileged and machine identities that keep critical services running.


Key questions

Q: How should financial services teams align IAM with DORA requirements?

A: Start by treating identity as part of operational resilience rather than a separate security control. Map authentication, governance, recovery, and evidence production to each critical service, then close the gaps where manual processes, weak failover, or stale entitlements could prevent you from proving control during disruption.

Q: Why do static access policies create problems for DORA compliance?

A: Static policies assume access conditions stay stable long enough for fixed rules to work, but DORA tests whether identity decisions remain defensible under changing context and outage pressure. Risk-based access and stronger authentication reduce the chance that a stolen credential or stale entitlement becomes an uncontrolled path into critical systems.

Q: What breaks when IAM continuity is not built into resilience planning?

A: When IAM continuity is ignored, a cloud outage, network failure, or regional disruption can stop authentication, delay approvals, and block governance evidence exactly when the organisation needs them most. That leaves critical services running without a reliable identity control plane.

Q: Who is accountable when identity controls fail under DORA?

A: Accountability sits with the institution, not just the IAM team. Financial firms must show that identity services, governance processes, and recovery paths were designed and tested as part of operational resilience, because DORA evaluates whether the business can withstand disruption, not whether a tool was installed.


Technical breakdown

Identity risk audit for DORA readiness

A DORA identity risk audit is a structured map of where access control, authentication, continuity, and detection rely on fragile manual steps or legacy policy. The point is not only to inventory systems, but to expose dependencies such as single points of failure in IAM, incomplete governance evidence, and weak control ownership. In resilience terms, identity is a control plane that must be observable and recoverable, not just functional in normal conditions.

Practical implication: map identity services, approvals, and recovery paths to critical business services before regulators or outages force the issue.

Risk-based access and phishing-resistant authentication

Risk-based access uses context such as device posture, location, time, and behavioural signals to adjust authentication decisions dynamically. Phishing-resistant authentication reduces the chance that a stolen password or intercepted OTP becomes a valid session. Together, these controls narrow the window in which attackers can reuse credentials and make access decisions more defensible under audit, especially where users, contractors, and administrators operate across multiple environments.

Practical implication: replace broad static access paths with context-aware controls and phishing-resistant methods for high-risk identities.
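As an added illustration (not code from the RSA playbook or from this post), the decision logic below scores the context signals the section names, forces a phishing-resistant method for privileged identities, and returns the reasons alongside the decision so the access record is defensible under audit. Signal names, weights and thresholds are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed request context; field names and weights are assumptions for this example.
@dataclass
class AccessContext:
    identity: str
    privileged: bool
    device_managed: bool
    country: str
    usual_countries: set
    hour_utc: int
    auth_method: str          # e.g. "password", "otp", "fido2", "certificate"
    recent_failures: int

# Hardware-backed / challenge-response methods that a stolen secret cannot replay
PHISHING_RESISTANT = {"fido2", "certificate"}

def score_risk(ctx: AccessContext):
    """Return a risk score and the reasons behind it (the audit evidence)."""
    score, reasons = 0, []
    if not ctx.device_managed:
        score += 30; reasons.append("unmanaged device")
    if ctx.country not in ctx.usual_countries:
        score += 25; reasons.append(f"unusual location {ctx.country}")
    if ctx.hour_utc < 6 or ctx.hour_utc > 21:
        score += 10; reasons.append("outside normal hours")
    if ctx.recent_failures >= 3:
        score += 20; reasons.append(f"{ctx.recent_failures} recent failed logins")
    if ctx.privileged:
        score += 15; reasons.append("privileged identity")
    return score, reasons

def decide(ctx: AccessContext) -> dict:
    """Allow, require step-up, or deny; privileged access always needs a phishing-resistant method."""
    score, reasons = score_risk(ctx)
    resistant = ctx.auth_method in PHISHING_RESISTANT
    if score >= 60:
        decision = "deny"
    elif ctx.privileged and not resistant:
        decision = "step_up"; reasons.append("privileged access requires phishing-resistant method")
    elif score >= 30 and not resistant:
        decision = "step_up"
    else:
        decision = "allow"
    # The returned record is the evidence of why the decision was made.
    return {"identity": ctx.identity, "decision": decision, "score": score,
            "auth_method": ctx.auth_method, "reasons": reasons,
            "evaluated_at": datetime.now(timezone.utc).isoformat()}
```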

IAM continuity, governance, and lifecycle automation

Identity continuity is the ability to keep authentication and governance functioning during cloud, data centre, or network disruption. Lifecycle automation closes the gap between joiner, mover, and leaver events and actual entitlement state, which is essential when manual recertification cannot keep pace. For DORA, continuity and governance are inseparable: if you cannot certify or revoke access reliably during disruption, you do not really control the identity plane.

Practical implication: design failover for IAM and automate entitlement changes so governance survives outages, not just steady-state operations.
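As an added example (not the playbook's or this post's code), the reconciler below compares the HR source of record with the current entitlement state and emits the grant, revoke and scheduled-revoke actions needed to close joiner, mover and leaver drift, each carrying the reason that becomes audit evidence. The role-to-entitlement policy, grace periods and sample identities are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Constructed role policy; which role needs which entitlement is an assumption for this example.
ROLE_POLICY = {
    "trader": {"trading-app", "market-data"},
    "ops-admin": {"trading-app", "prod-admin", "market-data"},
    "contractor": {"ticketing"},
}
LEAVER_GRACE_DAYS = 0   # leavers lose everything the same day
MOVER_GRACE_DAYS = 7    # movers keep old entitlements briefly, then timed revocation

@dataclass
class Person:
    uid: str
    role: Optional[str]    # None means the HR record says the person has left
    role_changed: date     # date of the joiner / mover / leaver event

def reconcile(people, entitlements, today):
    """Return the actions that realign entitlement state with the source of record.

    entitlements: {uid: set of entitlement names currently granted}
    Every action records why it was taken, so the output doubles as evidence.
    """
    actions = []
    for p in people:
        have = entitlements.get(p.uid, set())
        want = ROLE_POLICY.get(p.role, set()) if p.role else set()
        for e in sorted(want - have):          # joiner / mover: grant what the role requires
            actions.append({"uid": p.uid, "action": "grant", "entitlement": e,
                            "reason": f"required by role {p.role}"})
        grace = MOVER_GRACE_DAYS if p.role else LEAVER_GRACE_DAYS
        revoke_after = p.role_changed + timedelta(days=grace)
        for e in sorted(have - want):          # drift: access the current role no longer justifies
            if today >= revoke_after:
                actions.append({"uid": p.uid, "action": "revoke", "entitlement": e,
                                "reason": "leaver" if p.role is None else f"not required by role {p.role}"})
            else:
                actions.append({"uid": p.uid, "action": "scheduled_revoke", "entitlement": e,
                                "reason": f"grace period ends {revoke_after.isoformat()}"})
    known = {p.uid for p in people}            # orphans: entitlements with no lifecycle owner
    for uid, have in entitlements.items():
        if uid not in known:
            for e in sorted(have):
                actions.append({"uid": uid, "action": "revoke", "entitlement": e,
                                "reason": "no lifecycle owner in source of record"})
    return actions
```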


NHI Mgmt Group analysis

DORA turns identity into a resilience control, not a back-office governance function. The article is right to place IAM and IGA at the centre of operational continuity because access control is now part of the institution’s ability to keep serving customers and proving compliance. For financial firms, identity failures are no longer just security incidents; they are resilience failures. The implication is that IAM programmes must be owned as critical infrastructure.

Static access models do not meet the operational reality DORA is testing. The blog’s emphasis on risk-based access reflects a deeper problem: static policies assume access conditions stay stable long enough for predefined rules to remain valid. DORA pushes the market toward dynamic authorisation, context-aware authentication, and stronger evidence for why an access decision was made. Practitioners should treat static policy reliance as a resilience gap, not a tuning issue.

Identity continuity is the control most organisations underinvest in until outage conditions expose it. The article’s failover discussion is important because identity services are often assumed to be available even when the rest of the stack is not. That assumption breaks quickly in cloud, network, or regional outages. Financial institutions should treat IAM continuity as a board-level recovery requirement, not an implementation detail.

Lifecycle automation is now a compliance mechanism, not just an efficiency play. Manual certification campaigns and entitlement reviews cannot keep pace with DORA’s demand for continuous oversight across people, devices, and entitlements. The broader governance lesson is that if access state can drift faster than review cycles, the institution cannot prove control. Practitioners should reframe lifecycle automation as evidence generation for resilience and auditability.

The identity control stack must be evaluated across human, machine, and privileged access together. DORA’s resilience expectations do not stop at workforce logins. Service accounts, administrative access, and federated authentication paths all influence whether the identity layer stays available and defensible during disruption. Teams that segment these controls into separate programmes will miss the interconnected failure modes that auditors and attackers both exploit.

From our research:

  • 1 in 4 organisations are already investing in dedicated NHI security capabilities, with an additional 60% planning to do so within the next twelve months, according to The State of Non-Human Identity Security.
  • 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, which shows how quickly delegated access can outrun governance.
  • Read next: Review the Ultimate Guide to NHIs for the lifecycle and control foundations that support resilient identity programmes.

What this signals

DORA will force many financial institutions to prove that identity continuity is a recoverable capability, not an assumption hidden inside infrastructure design. The identity continuity gap is this: where authentication, governance, and failover are treated separately, resilience evidence becomes fragmented and hard to defend. Teams should expect audit pressure to move from policy statements to tested recovery paths.

The practical consequence is that IAM roadmaps now need to prioritise control evidence as much as control deployment. Where access reviews, entitlement changes, and authentication decisions are still partly manual, the programme will struggle to show that it can sustain operations under disruption.

Institutions that already manage machine identities, privileged access, and workforce authentication in one control model will be better placed to answer DORA questions consistently. That is the governance shift: resilience now depends on whether identity state can be changed, proved, and recovered quickly across all identity types.


For practitioners

  • Map identity services to critical business services: Identify which authentication, governance, and recovery components support each critical service, then document single points of failure, manual approval dependencies, and failover gaps.
  • Replace static access paths with risk-based controls: Use device posture, geolocation, time-of-day, and historical patterns to drive stronger decisions for high-risk access, especially for privileged users and external access.
  • Test IAM continuity under outage conditions: Run recovery exercises that include cloud, data centre, and network disruption so authentication, approvals, and audit logging continue to function when the primary path fails.
  • Automate joiner, mover, and leaver governance: Remove manual entitlement review bottlenecks by enforcing policy-based provisioning and timed revocation so access state stays aligned with employment and role changes.

Key takeaways

  • DORA makes identity resilience a compliance requirement, which means IAM and IGA can no longer be treated as adjacent support functions.
  • Static access models, manual governance, and untested failover are the weakest links when identity services must survive disruption.
  • Financial institutions should measure whether authentication, entitlement changes, and evidence generation still work when primary systems do not.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

Framework                      Control / Reference   Relevance
NIST CSF 2.0                   PR.AC-4               Access control and continuity are central to DORA-aligned identity resilience.
NIST Zero Trust (SP 800-207)                         Risk-based access and continuous verification closely match zero trust principles.
NIST CSF 2.0                   PR.PT-3               Resilience depends on identity services staying available under failure conditions.

Apply zero trust to identity flows so access decisions stay contextual under changing conditions.


Key terms

  • Identity continuity: Identity continuity is the ability of authentication, authorisation, and governance processes to keep working during outages or degraded conditions. In practice, it means the identity control plane can fail over, preserve evidence, and still support business operations without relying on a single fragile path.
  • Risk-based access: Risk-based access adjusts authentication or authorisation decisions using live context such as device posture, location, behaviour, and timing. It is more defensible than fixed rules when threat conditions change, because the decision can tighten or relax in response to current risk.
  • Lifecycle automation: Lifecycle automation is the use of policy-driven workflows to create, change, and remove access as users, contractors, or systems move through joiner, mover, and leaver states. It reduces entitlement drift and helps produce audit evidence that access remained aligned to current need.
  • Phishing-resistant authentication: Phishing-resistant authentication uses methods that are hard to replay or intercept, such as hardware-backed credentials and cryptographic challenge-response. For resilience programmes, it reduces dependence on secrets that can be stolen and reused during credential theft campaigns.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.

This post draws on content published by RSA Security: A Practical CISO Playbook for DORA: Identity, Continuity and Controls. Read the original.
