TL;DR: Financial institutions face overlapping compliance pressure from DORA, NIS2, GDPR, and related identity governance demands, and Omada Identity's white paper frames identity governance and administration (IGA) as the control layer that helps evidence access, reduce privilege creep, and support audit readiness. The practical issue is less about policy intent than about proving who has access, why they have it, and when it should be removed.
NHIMG editorial — based on content published by Omada Identity: Cybersecurity and Identity Governance in Financial Institutions
Questions worth separating out
Q: How should financial institutions use identity governance for DORA and NIS2 compliance?
A: They should use identity governance as the evidence layer for access approval, review, and removal.
Q: Why do lifecycle reviews matter so much for regulated identity programmes?
A: Because access that is granted once can remain in place long after the business need disappears.
Q: What breaks when privilege creep is not controlled in a financial institution?
A: Auditability breaks first, because teams can no longer explain why access exists or who approved it.
Practitioner guidance
- Map regulated access to owners and evidence: Assign a business owner, technical owner, and review cadence to every regulated application, privileged role, and exception so access can be explained during audit.
- Tie lifecycle events to access removal: Connect joiner, mover, and leaver workflows to entitlement updates, contractor expiry, and offboarding so stale permissions do not survive business change.
- Synchronise PAM and IGA decisions: Require elevated access to be time-bound, reviewable, and linked back to identity governance records so privileged exceptions do not become permanent.
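The three guidance points above, expressed as a reconciliation check that a governance team could run over its own access records. This is an added example, not code from the white paper or from Omada Identity; the users, applications, owners, and the change reference are constructed, and the record layout is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

@dataclass
class Identity:
    user: str
    status: str                      # "active", or "left" once HR processes the leaver
    end_date: date | None = None     # contractor or service-account expiry, if any

@dataclass
class Entitlement:
    user: str
    app: str
    business_owner: str | None       # who justifies the access
    technical_owner: str | None      # who enforces and removes it
    next_review: date | None         # evidence of the review cadence
    privileged: bool = False
    expires: date | None = None      # privileged access must be time-bound
    approval_ref: str | None = None  # link back to the IGA approval record

def reconcile(identities: list, entitlements: list, today: date) -> list:
    ident = {i.user: i for i in identities}
    findings = []  # (user, app, finding code) for access that cannot be evidenced
    for e in entitlements:
        who = ident.get(e.user)
        # Lifecycle guidance: a leaver or an expiry should already have removed the access.
        if who is None or who.status == "left" or (who.end_date and who.end_date < today):
            findings.append((e.user, e.app, "STALE_ACCESS"))
        # Ownership guidance: named owners and a review date that has not lapsed.
        if not (e.business_owner and e.technical_owner):
            findings.append((e.user, e.app, "NO_OWNER"))
        if e.next_review is None or e.next_review < today:
            findings.append((e.user, e.app, "REVIEW_OVERDUE"))
        # PAM/IGA guidance: privileged access is time-bound and tied to a governance record.
        if e.privileged:
            if e.expires is None or e.expires < today:
                findings.append((e.user, e.app, "PRIV_NOT_TIME_BOUND_OR_EXPIRED"))
            if e.approval_ref is None:
                findings.append((e.user, e.app, "PRIV_NO_APPROVAL"))
    return findings

TODAY = date(2024, 6, 1)  # constructed sample data follows; names and change ref are hypothetical
SAMPLE_IDENTITIES = [Identity("alice", "active"), Identity("bob", "left"),
                     Identity("svc-batch", "active", end_date=date(2024, 5, 31))]
SAMPLE_ENTITLEMENTS = [
    Entitlement("alice", "core-banking", "ops-lead", "app-team", date(2024, 12, 1)),
    Entitlement("bob", "payments", "ops-lead", "pam-team", date(2024, 12, 1),
                privileged=True, approval_ref="CHG-0001"),
    Entitlement("svc-batch", "ledger-db", None, "dba-team", date(2024, 1, 15),
                privileged=True, expires=date(2024, 5, 31)),
]
```

Running `reconcile(SAMPLE_IDENTITIES, SAMPLE_ENTITLEMENTS, TODAY)` flags nothing for alice, the leaver's retained privileged access for bob, and five separate evidence gaps for the expired service account.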
What's in the full article
Omada Identity's full white paper covers the operational detail this post intentionally leaves for the source:
- Comparison matrix linking DORA, NYCRR 500, and identity governance controls for financial institutions
- Practical recommendations for organising access reviews, lifecycle checks, and governance ownership in regulated environments
- Key considerations for aligning compliance obligations with identity administration workflows
- White paper framing on how IGA supports security and audit readiness across financial services
Read Omada Identity's white paper on identity governance for DORA and NYCRR 500 compliance.
DORA and NIS2 compliance: what IAM teams need from identity governance
Explore further
Identity governance is now a resilience control, not just an access administration function. DORA and NIS2 both reward organisations that can prove access oversight under stress, and that proof comes from governance operating as a control system rather than a ticketing layer. When the board asks whether access can be explained, reviewed, and revoked at speed, IGA is where that answer comes from. Practitioners should treat governance evidence as part of operational resilience.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who should own identity governance when access spans employees, contractors, and service accounts?
A: Ownership should be split between business owners for justification, technical owners for enforcement, and governance teams for review. When access spans human and non-human identities, the programme needs one accountability model but different control treatments. That is the only way to avoid blind spots in reporting and remediation.
Read our full editorial: Identity governance for DORA and NIS2 compliance in financial institutions.