DORA and identity controls: what financial teams must prove now

TL;DR: DORA turns identity security into a regulatory control for financial services, requiring real-time access governance, strong authentication, resilient identity services, and fast incident reporting, according to RSA Security. The compliance question is now whether IAM, PAM, and lifecycle processes can sustain continuity under stress, not just pass an audit.

NHIMG editorial — based on content published by RSA Security: DORA, Digital Risk, and the New Identity Mandate in Financial Services

By the numbers:

• 2025 marks the year where compliance now passes into enforcement stages, meaning organisations that do not comply with DORA face fines of either 2% of average global turnover or 1% of average daily turnover with the addition of daily fines levied on non-compliant organisations until they achieve compliance.
• Authentication availability during infrastructure outages improved from 67% to 99.9%.
• All ICT third-party contracts updated to include DORA-mandated resilience provisions within the 12-month preparation window.

Questions worth separating out

Q: What identity control failures matter most under DORA?

A: The biggest failures are delayed access review, weak authentication, poor identity logging, and identity services that cannot survive disruption.

Q: When should financial institutions prioritise identity resilience over new access features?

A: They should prioritise resilience whenever identity services support payments, trading, customer onboarding, or other critical functions.

Q: What do teams get wrong about access reviews in regulated environments?

A: Teams often treat access reviews as a compliance task instead of a control that must reflect current privilege, business change, and service continuity.

Practitioner guidance

• Map identity controls to DORA articles and evidence requirements Tie access governance, authentication resilience, monitoring, and incident reporting to the specific DORA obligations your organisation must demonstrate.
• Shorten access review cycles and automate certification Replace manual review spreadsheets with automated access certification for user, service, and privileged accounts.
• Test identity failover under outage conditions Run recovery exercises that include authentication service loss, cloud dependency failure, and hybrid connectivity disruption.

What's in the full article

RSA Security's full blog covers the operational detail this post intentionally leaves for the source:

• Step-by-step DORA implementation scenarios for a large bank, a hybrid mid-size firm, and an investment manager.
• Specific RSA product mappings for access governance, hybrid failover, risk analytics, and phishing-resistant authentication.
• Incident timeline detail showing how detection, deprovisioning, and reporting can fit DORA notification windows.
• Document lists and success metrics that support audit preparation and regulatory evidence collection.

👉 Read RSA Security's analysis of DORA, identity security, and financial resilience →

DORA and identity controls: what financial teams must prove now?

Explore further

View Full Forum →  |  NHI Foundation Course →