
DORA and ICT risk governance: what financial teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 9079
Topic starter  

TL;DR: DORA requires most EU financial entities to build a comprehensive ICT risk management framework, report major incidents quickly, test resilience regularly, and tighten oversight of third-party providers, according to Veriff. The practical shift is that operational resilience is now a governance discipline, not a technical side project.

NHIMG editorial — based on content published by Veriff: Digital Operational Resilience Act (DORA): Key steps for financial services success

By the numbers:

Questions worth separating out

Q: How should financial institutions align IAM and third-party access with DORA?

A: They should treat IAM, PAM, and NHI controls as part of the regulated ICT risk framework, not as separate technical tools.

Q: Why do third-party credentials create DORA compliance risk?

A: Because delegated access often persists longer than the business need that created it, especially across vendors, managed services, and temporary integrations.

Q: What breaks when identity events are not visible during an ICT incident?

A: The organisation loses the ability to classify scope, prove root cause, and produce timely regulatory reporting.

Practitioner guidance

  • Map identity controls into ICT risk governance: tie service account management, privileged access review, secret rotation, and third-party credential oversight to the same risk register used for DORA reporting and board review.
  • Add credential offboarding to supplier exit processes: require explicit revocation of API keys, certificates, tokens, and vendor accounts when a contract ends, is renewed, or changes scope.
  • Test identity failure inside resilience exercises: include compromised service accounts, broken federation, and third-party access loss in tabletop and technical tests so incident response teams practice the identity path, not just the infrastructure outage.

What's in the full article

Veriff's full article covers the operational detail this post intentionally leaves for the source:

  • The article’s step-by-step breakdown of DORA compliance tasks for financial institutions that need implementation sequencing.
  • The discussion of incident reporting timelines and how regulated entities should structure escalation and follow-up reporting.
  • The detailed examples of operational resilience testing methods, including threat-led penetration tests and scenario testing.
  • The vendor-focused explanation of how ICT third-party risk management, SLAs, and oversight are positioned in the regulation.

👉 Read Veriff’s analysis of DORA compliance for financial services →

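The supplier-exit and remediation points above can be turned into a routine reconciliation check. The following is an added example, not code from the post or from Veriff, and uses constructed vendor and credential records: it cross-references a credential inventory against a supplier contract register, flags credentials that are still valid after the contract that justified them has ended, and flags credentials still valid more than five days after the owner was notified (the remediation window the second post cites).

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Assumed remediation window: the post cites secrets still valid five days after notification.
REMEDIATION_WINDOW = timedelta(days=5)


@dataclass
class Contract:
    vendor: str
    ends: date
    active: bool


@dataclass
class Credential:
    cred_id: str
    vendor: str
    kind: str                         # api_key, cert, token, account
    valid: bool
    notified_on: Optional[date] = None  # when the owner was told to revoke it


def find_orphaned(creds: List[Credential], contracts: List[Contract], today: date) -> List[str]:
    """Credentials still valid although no active, unexpired contract justifies them."""
    by_vendor = {c.vendor: c for c in contracts}
    orphaned = []
    for cr in creds:
        ct = by_vendor.get(cr.vendor)
        if cr.valid and (ct is None or not ct.active or ct.ends < today):
            orphaned.append(cr.cred_id)
    return orphaned


def find_overdue(creds: List[Credential], today: date) -> List[str]:
    """Credentials still valid beyond REMEDIATION_WINDOW after notification."""
    return [cr.cred_id for cr in creds
            if cr.valid and cr.notified_on and today - cr.notified_on > REMEDIATION_WINDOW]


# Constructed sample data (hypothetical vendors and credential ids).
CONTRACTS = [Contract("vendor-a", date(2025, 12, 31), True),
             Contract("vendor-b", date(2025, 6, 30), False)]
CREDS = [Credential("k1", "vendor-a", "api_key", True),
         Credential("k2", "vendor-b", "cert", True, notified_on=date(2025, 7, 1)),
         Credential("k3", "vendor-b", "token", False),
         Credential("k4", "vendor-c", "account", True, notified_on=date(2025, 9, 8))]
TODAY = date(2025, 9, 10)

if __name__ == "__main__":
    print("orphaned:", find_orphaned(CREDS, CONTRACTS, TODAY))  # k2 (contract ended), k4 (no contract)
    print("overdue:", find_overdue(CREDS, TODAY))               # k2 (71 days past notification)
```

Each flagged credential id is what would be entered on the ICT risk register as an open third-party access finding.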
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8508

DORA is really a governance model for dependency risk, not just a compliance rule. The article frames resilience as a mix of risk management, reporting, testing, and supplier oversight, which is the right structure for modern financial operations. That matters because identity, hosting, and vendor access are now inseparable from service continuity. The practitioner conclusion is that ICT governance and identity governance have to be designed together.

A few things that frame the scale:

  • 91.6% of secrets remain valid five days after the targeted organisation is notified, showing a critical gap in remediation procedures, according to Ultimate Guide to NHIs.
  • Only 5.7% of organisations have full visibility into their service accounts, which is why third-party access and incident reporting are so often under-instrumented.

A question worth separating out:

Q: Who is accountable for ICT risk management under DORA?

A: Senior management is accountable, with regulated entities expected to assign clear responsibilities for ICT risk oversight, reporting, and resilience testing. In practice, that accountability extends to access governance because identity failures can trigger incidents, supplier exposure, and recovery problems. The board cannot delegate away the evidence requirement.

👉 Read our full editorial: DORA is reshaping ICT risk governance in financial services
