TL;DR: DORA turns identity security into a regulatory control for financial services, requiring real-time access governance, strong authentication, resilient identity services, and fast incident reporting, according to RSA Security. The compliance question is now whether IAM, PAM, and lifecycle processes can sustain continuity under stress, not just pass an audit.
At a glance
What this is: This is RSA Security’s DORA analysis, and its core finding is that identity security has become a formal resilience requirement for financial institutions.
Why it matters: It matters because IAM, NHI governance, and access lifecycle controls now sit inside operational resilience, incident response, and compliance obligations for regulated financial environments.
By the numbers:
- 2025 is the year DORA compliance moves into enforcement: organisations that do not comply face fines of either 2% of average global turnover or 1% of average daily turnover, with additional daily fines levied on non-compliant organisations until they achieve compliance.
- Authentication availability during infrastructure outages improved from 67% to 99.9%.
- All ICT third-party contracts updated to include DORA-mandated resilience provisions within the 12-month preparation window.
👉 Read RSA Security's analysis of DORA, identity security, and financial resilience
Context
DORA makes identity a control plane for resilience, not just an access layer. In financial services, if access rights, authentication, and logging are weak or fragmented, continuity breaks under outage, attack, or regulatory inspection. That is why identity security now sits directly inside the compliance conversation for banks, insurers, asset managers, and their critical ICT providers.
The practical shift is from periodic administration to continuous governance. Financial institutions need to prove who can access what, under which conditions, and whether those controls still work during disruption. For teams managing human IAM, NHI credentials, and service access, the lesson is the same: resilience depends on identity controls that remain available and auditable when the business is under stress.
Key questions
Q: What identity control failures matter most under DORA?
A: The biggest failures are delayed access review, weak authentication, poor identity logging, and identity services that cannot survive disruption. Under DORA, those weaknesses affect both compliance and continuity, because regulators expect institutions to prove access control, incident detection, and recovery when systems are under stress.
Q: When should financial institutions prioritise identity resilience over new access features?
A: They should prioritise resilience whenever identity services support payments, trading, customer onboarding, or other critical functions. If authentication or governance cannot survive outage scenarios, new access features add complexity without improving regulatory readiness. DORA makes continuity and evidence more important than feature depth.
Q: What do teams get wrong about access reviews in regulated environments?
A: Teams often treat access reviews as a compliance task instead of a control that must reflect current privilege, business change, and service continuity. If reviews are slow or disconnected from provisioning, they cannot prevent privilege creep or support timely incident containment under DORA.
Q: Who is accountable when identity failures affect DORA compliance?
A: Accountability sits with the institution’s risk, compliance, and executive leadership, not just the IAM team. DORA treats identity as part of operational resilience, so business owners must be able to evidence control effectiveness, continuity planning, and incident readiness across the full environment.
Technical breakdown
DORA access control and real-time governance
DORA pushes access control beyond static role assignment. The article links the regulation to real-time access rights management and regular access reviews, which means entitlements must be current enough to withstand audit and operational disruption. In practice, this puts privilege creep, delayed recertification, and manual provisioning into the same risk bucket as technical outages. For regulated institutions, access governance is no longer a back-office process. It is evidence that the organisation can still control who can reach critical systems when conditions change quickly.
Practical implication: replace slow review cycles and spreadsheet-based certifications with automated entitlement governance tied to business risk.
Authentication resilience and failover under DORA
The article treats authentication availability as part of operational continuity, which is a meaningful change in architecture. If identity services fail during a cloud outage or on-premises disruption, users lose access to critical functions even if the applications themselves are healthy. That makes hybrid failover, device trust, and recovery testing part of the identity stack, not separate infrastructure concerns. For finance teams, the question is whether authentication can survive the same outage scenarios as core business systems.
Practical implication: test authentication failover and recovery as part of disaster recovery, not as an isolated IAM exercise.
Identity monitoring, anomaly detection, and incident reporting
DORA ties identity signals to incident detection and classification. The article’s example shows a service account behaving abnormally, triggering suspension, containment, and reporting under major-incident timelines. That is important because it treats identity telemetry as evidence for regulatory decision-making, not just security operations. Logging, anomaly detection, and response orchestration now have downstream compliance consequences. If identity events cannot be reconstructed quickly, the organisation may be unable to classify, notify, and report within DORA timeframes.
Practical implication: ensure identity logs, anomaly alerts, and deprovisioning workflows are usable for regulatory incident reporting, not just internal investigations.
Threat narrative
Attacker objective: The attacker’s objective is to move through a compromised service account into broader internal systems and disrupt or control critical financial operations.
- Entry: The article describes an adversary-in-the-middle phishing campaign that compromises a service account in a financial environment.
- Credential harvested: The attacker uses the compromised identity to obtain authenticated access to fund administration systems and related infrastructure.
- Escalation: The service account is used for lateral movement within the network until detection and suspension stop the chain.
- Impact: The attack forces incident classification, reporting, and remediation while exposing the risk of identity-driven disruption to core financial operations.
Breaches seen in the wild
- Cisco DevHub NHI breach — IntelBroker exploited exposed Cisco credentials, API tokens and keys in DevHub.
- Zacks Investment Research breach — Zacks breach exposed 12M customer records including credentials.
Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.
NHI Mgmt Group analysis
Identity controls that are only audit-ready are not resilience-ready: DORA exposes the gap between periodic governance and continuous operational control. Regular access reviews and provisioning workflows matter, but they fail if they cannot sustain service during outage, incident, or rapid role change. The implication is that financial institutions must treat access governance as an always-on control surface, not a quarterly compliance chore.
Standing access in financial services now carries a regulatory blast radius: DORA does not just pressure stronger authentication, it raises the cost of persistent privilege that survives business change. When privileged access remains in place across subsidiaries, cloud boundaries, and third-party dependencies, the organisation inherits a larger compliance and continuity exposure. Practitioners should read DORA as a demand to reduce privilege persistence across the full identity lifecycle.
Identity telemetry has become part of the incident evidence chain: The article’s service-account example shows that anomalous access, deprovisioning speed, and reportability are now linked. That means identity logging is no longer purely operational; it is evidence for regulatory classification and recovery. Financial institutions should expect identity records to be used to prove containment, not just to investigate it.
Hybrid identity resilience is now a governance requirement, not an architecture preference: The regulation assumes identity services remain available while other systems fail. That assumption breaks where authentication depends on a single cloud path or manually recovered infrastructure. The implication is that continuity planning must include identity failure modes, or the broader resilience programme remains incomplete.
Continuous identity governance: DORA effectively rewards institutions that can compress access certification, deprovisioning, and anomaly response into the same operational window. Long review cycles and disconnected controls create a mismatch between regulatory timing and real-world attack speed. Practitioners should reframe governance around response latency, not just policy completeness.
From our research:
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities, according to The State of Non-Human Identity Security.
- The same research found that 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, with 38% reporting no or low visibility and 47% reporting only partial visibility.
- That visibility gap is why teams should also read the Ultimate Guide to NHIs and Lifecycle Processes for Managing NHIs when mapping identity continuity into regulatory controls.
What this signals
Continuous identity governance: DORA is pushing financial institutions toward shorter control loops across access review, deprovisioning, and incident evidence collection. Where governance still depends on monthly or quarterly cycles, the programme will struggle to produce the operational proof regulators now expect.
With only 1.5 out of 10 organisations highly confident in securing NHIs, according to The State of Non-Human Identity Security, the gap is not just tooling. It is the ability to govern service identities, privileged access, and lifecycle events as a continuous resilience function.
Teams should expect identity resilience to become a board-level reporting topic alongside incident readiness and third-party risk. That makes lifecycle evidence, hybrid failover testing, and anomaly response artefacts more valuable than policy statements alone, especially in regulated financial services.
For practitioners
- Map identity controls to DORA articles and evidence requirements: Tie access governance, authentication resilience, monitoring, and incident reporting to the specific DORA obligations your organisation must demonstrate. Build an evidence matrix for access reviews, continuity testing, and major-incident reporting so controls can be audited without rework.
- Shorten access review cycles and automate certification: Replace manual review spreadsheets with automated access certification for user, service, and privileged accounts. Track completion time, exception rates, and orphaned entitlements so the business can prove continuous governance rather than one-off cleanup.
- Test identity failover under outage conditions: Run recovery exercises that include authentication service loss, cloud dependency failure, and hybrid connectivity disruption. Verify that critical users can still reach core systems and that the recovery path is documented for audit and operational review.
- Instrument service-account anomaly detection and response: Alert on atypical geolocation, access pattern drift, and unexpected system reach by service accounts. Make sure the detection path can trigger rapid suspension and deprovisioning, because DORA timelines depend on how quickly identity issues are contained.
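As an added illustration, not code from RSA Security's article or from this post, the detection-to-containment chain described in the technical breakdown and in the last practitioner item above, run over constructed sample events. The baseline, account name, system names, timestamps and the suspension time are all assumptions.

```python
import json
from datetime import datetime

# Constructed sample auth events for one service account (not from the article).
SAMPLE_LOG = """\
{"ts":"2025-03-03T08:00:12Z","account":"svc-fundadmin","src_country":"IE","target":"fundadmin-api"}
{"ts":"2025-03-03T08:05:40Z","account":"svc-fundadmin","src_country":"IE","target":"fundadmin-db"}
{"ts":"2025-03-03T21:14:55Z","account":"svc-fundadmin","src_country":"BR","target":"fundadmin-api"}
{"ts":"2025-03-03T21:15:20Z","account":"svc-fundadmin","src_country":"BR","target":"hr-payroll"}
{"ts":"2025-03-03T21:15:41Z","account":"svc-fundadmin","src_country":"BR","target":"treasury-gateway"}
"""

# Hypothetical baseline an IGA/PAM system would hold per account: approved source
# countries, entitled target systems, and the hours the account normally runs jobs.
BASELINE = {"svc-fundadmin": {"countries": {"IE"},
                              "targets": {"fundadmin-api", "fundadmin-db"},
                              "hours": range(6, 20)}}

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def detect(log_text, baseline):
    """Return {account: [(ts, target, reasons)]} for events that deviate from baseline."""
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        profile = baseline.get(ev["account"])
        if profile is None:
            continue  # no baseline yet: an onboarding gap, handled elsewhere
        reasons = []
        if ev["src_country"] not in profile["countries"]:
            reasons.append("atypical_geolocation")
        if ev["target"] not in profile["targets"]:
            reasons.append("unexpected_system_reach")
        if _ts(ev["ts"]).hour not in profile["hours"]:
            reasons.append("activity_outside_window")
        if reasons:
            findings.setdefault(ev["account"], []).append((ev["ts"], ev["target"], reasons))
    return findings

def incident_record(account, findings, suspended_at):
    """Evidence for classification: first anomaly, systems reached beyond entitlement, containment latency."""
    first_ts = findings[0][0]
    reached = sorted({t for _, t, r in findings if "unexpected_system_reach" in r})
    return {"account": account, "first_anomaly": first_ts, "lateral_reach": reached,
            "containment_minutes": int((_ts(suspended_at) - _ts(first_ts)).total_seconds() // 60),
            "action": "suspend_and_deprovision" if reached else "step_up_and_review"}
```

The record is the artefact an incident team needs for classification and reporting: when the chain started, which systems outside the account's entitlement were reached, and how many minutes elapsed before suspension.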
Key takeaways
- DORA turns identity governance into a resilience control, which means slow access reviews, brittle authentication, and weak logging now create compliance risk as well as operational risk.
- The article’s examples show that service-account compromise can trigger lateral movement, incident reporting, and continuity failures in the same chain, so identity telemetry is now part of the evidence trail.
- Financial institutions should design identity controls for outage conditions, fast containment, and audit-ready proof, because those are the conditions DORA now expects them to survive.
Standards & Framework Alignment
This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.
NIST CSF 2.0, NIST Zero Trust (SP 800-207) and NIST SP 800-63 set the governance and control requirements practitioners need to meet.
| Framework | Control / Reference | Relevance |
|---|---|---|
| NIST CSF 2.0 | PR.AC-4 | DORA access governance maps to managing and reviewing identity permissions. |
| NIST Zero Trust (SP 800-207) | ID.GV | DORA treats identity as part of continuous verification and governance. |
| NIST SP 800-63 | Digital Identity Guidelines | Strong authentication underpins the article's discussion of MFA and access control. |
Use phishing-resistant authentication for critical financial access paths and privileged users.
Key terms
- Operational Resilience: The ability of a financial institution to keep critical services running during disruption and to recover quickly when controls or infrastructure fail. In identity programmes, resilience depends on authentication, access governance, and logging staying available under outage or attack conditions.
- Access Certification: A formal review of who has access to what, usually performed to confirm that entitlements are still appropriate. In regulated environments, certification is only useful when it is timely, evidence-backed, and connected to provisioning and deprovisioning workflows.
- Identity Telemetry: Logs, alerts, and behavioural signals that show how identities are being used across systems. In practice, telemetry becomes valuable when it can prove anomalous access, support incident classification, and provide defensible evidence for audit or regulator review.
- Hybrid Failover: A continuity design that allows authentication or identity services to switch between cloud and on-premises paths when one environment fails. For regulated organisations, it is a resilience requirement because access must remain available even when core infrastructure is disrupted.
Deepen your knowledge
NHI governance, agentic AI identity, and machine identity security are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
This post draws on content published by RSA Security: DORA, Digital Risk, and the New Identity Mandate in Financial Services. Read the original.
Published by the NHIMG editorial team on 2026-06-01.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org