TL;DR: DORA requires most EU financial entities to build a comprehensive ICT risk management framework, report major incidents quickly, test resilience regularly, and tighten oversight of third-party providers, according to Veriff. The practical shift is that operational resilience is now a governance discipline, not a technical side project.
NHIMG editorial — based on content published by Veriff: Digital Operational Resilience Act (DORA): Key steps for financial services success
By the numbers:
- 90% of IT leaders say properly managing NHIs is essential for a successful zero-trust implementation.
- 92% of organisations expose NHIs to third parties, raising concerns about supply chain security.
Questions worth separating out
Q: How should financial institutions align IAM and third-party access with DORA?
A: They should treat IAM, PAM, and NHI controls as part of the regulated ICT risk framework, not as separate technical tools.
Q: Why do third-party credentials create DORA compliance risk?
A: Because delegated access often persists longer than the business need that created it, especially across vendors, managed services, and temporary integrations.
Q: What breaks when identity events are not visible during an ICT incident?
A: The organisation loses the ability to classify scope, prove root cause, and produce timely regulatory reporting.
Practitioner guidance
- Map identity controls into ICT risk governance: tie service account management, privileged access review, secret rotation, and third-party credential oversight to the same risk register used for DORA reporting and board review.
- Add credential offboarding to supplier exit processes: require explicit revocation of API keys, certificates, tokens, and vendor accounts when a contract ends, is renewed, or changes scope.
- Test identity failure inside resilience exercises: include compromised service accounts, broken federation, and third-party access loss in tabletop and technical tests so incident response teams practice the identity path, not just the infrastructure outage.
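The second bullet, and the Q&A point that delegated access tends to outlive the business need that created it, come down to one recurring control: reconcile every third-party credential against the supplier contract it was issued under. The script below is an added illustration written for this post; it is not code from NHIMG or Veriff, and the vendors, systems, dates and credential IDs in it are constructed sample data. It flags credentials whose contract has ended or is missing, credentials whose grants exceed the contracted scope, and credentials that have gone dormant, and emits rows in the shape a risk register entry would need.

```python
"""
Reconcile a vendor credential inventory against the supplier contract register.
Every finding carries the action the exit/renewal process should take, so the
output can be pasted into the ICT risk register used for DORA reporting.
All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Contract:
    vendor: str
    ends_on: Optional[date]        # None means open-ended
    scope: FrozenSet[str]          # systems the vendor is contracted to reach


@dataclass(frozen=True)
class Credential:
    cred_id: str
    vendor: str
    kind: str                      # api_key, certificate, token, account
    grants: FrozenSet[str]         # systems the credential can actually reach
    issued_on: date
    last_used: Optional[date]      # None means never used since issuance


@dataclass(frozen=True)
class Finding:
    cred_id: str
    vendor: str
    reason: str
    action: str                    # revoke, reduce, review


def reconcile(creds: List[Credential], contracts: List[Contract], today: date,
              dormant_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return one finding per control failure, in inventory order."""
    by_vendor = {c.vendor: c for c in contracts}
    findings: List[Finding] = []
    for cred in creds:
        contract = by_vendor.get(cred.vendor)
        # No contract on record: the credential has no business owner at all.
        if contract is None:
            findings.append(Finding(cred.cred_id, cred.vendor,
                                    "no contract on record", "revoke"))
            continue
        # Contract ended: access persisted past the need that created it.
        if contract.ends_on is not None and contract.ends_on < today:
            findings.append(Finding(cred.cred_id, cred.vendor,
                                    f"contract ended {contract.ends_on.isoformat()}", "revoke"))
            continue
        # Scope creep: the credential reaches systems the contract never covered.
        excess = cred.grants - contract.scope
        if excess:
            findings.append(Finding(cred.cred_id, cred.vendor,
                                    "grants exceed contracted scope: " + ", ".join(sorted(excess)),
                                    "reduce"))
        # Dormancy: unused credentials are the ones nobody will miss until misused.
        reference = cred.last_used or cred.issued_on
        if today - reference > dormant_after:
            findings.append(Finding(cred.cred_id, cred.vendor,
                                    f"unused for {(today - reference).days} days", "review"))
    return findings


def register_rows(findings: List[Finding]) -> List[str]:
    """Flatten findings into pipe-separated rows for the risk register."""
    return [f"{f.cred_id}|{f.vendor}|{f.action}|{f.reason}" for f in findings]


# Constructed sample register and inventory.
SAMPLE_CONTRACTS = [
    Contract("Acme KYC", date(2025, 6, 30), frozenset({"kyc-api"})),
    Contract("OldVendor", date(2024, 12, 31), frozenset({"core-banking"})),
    Contract("Payroll Co", None, frozenset({"hr-portal"})),
]
SAMPLE_CREDS = [
    Credential("k1", "Acme KYC", "api_key", frozenset({"kyc-api"}), date(2024, 9, 1), date(2025, 2, 20)),
    Credential("k2", "OldVendor", "certificate", frozenset({"core-banking"}), date(2023, 1, 1), date(2025, 1, 15)),
    Credential("k3", "Payroll Co", "token", frozenset({"hr-portal", "core-banking"}), date(2024, 6, 1), date(2025, 2, 28)),
    Credential("k4", "Payroll Co", "account", frozenset({"hr-portal"}), date(2024, 1, 1), date(2024, 10, 1)),
    Credential("k5", "Ghost Integrations", "api_key", frozenset({"kyc-api"}), date(2024, 11, 1), None),
]
SAMPLE_TODAY = date(2025, 3, 1)


if __name__ == "__main__":
    for row in register_rows(reconcile(SAMPLE_CREDS, SAMPLE_CONTRACTS, SAMPLE_TODAY)):
        print(row)
```

Run against the sample data, the script returns no finding for k1 (in contract, in scope, recently used), a revoke for k2 (contract expired) and k5 (no contract at all), a reduce for k3 (token reaches core-banking, which Payroll Co was never contracted for) and a review for the dormant k4 account. In practice the contract register and credential inventory would come from procurement and the secrets or IAM platform respectively; the point of the check is that it is re-run on every contract end, renewal or scope change rather than once at onboarding.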
What's in the full article
Veriff's full article covers the operational detail this post intentionally leaves for the source:
- The article’s step-by-step breakdown of DORA compliance tasks for financial institutions that need implementation sequencing.
- The discussion of incident reporting timelines and how regulated entities should structure escalation and follow-up reporting.
- The detailed examples of operational resilience testing methods, including threat-led penetration tests and scenario testing.
- The vendor-focused explanation of how ICT third-party risk management, SLAs, and oversight are positioned in the regulation.
👉 Read Veriff’s analysis of DORA compliance for financial services →