DORA’s Article 9 sets out ICT security requirements that make identity and access controls central to operational resilience. For financial services organisations, that means being able to demonstrate that access is controlled, privileged activity is governed and evidence exists when supervisors, auditors or internal risk teams ask for it. Read our blog for more on Intragen as a DORA-ready organisation.
Financial entities need to show:
Least privilege and need-to-know
Access rights should be assigned on a least-privilege basis, documented, reviewed and aligned to the user’s role.
Dedicated privileged accounts
Privileged tasks should be performed through dedicated accounts, not the same accounts used for day-to-day work, email or standard business activity.
Strong authentication
Multi-factor authentication should protect privileged access and systems supporting critical or important functions.
Timely revocation
Access should be removed when it is no longer required, supported by joiner-mover-leaver processes that operate reliably in practice.
Operating evidence
The distinction supervisors draw is between having a policy and having a control that demonstrably operates. Session records, access review trails, certification evidence and privileged access reporting help prove that controls are working.
Third-party access is also in scope. DORA makes financial entities accountable for the ICT providers they rely on, which means supplier access, contractor access and outsourced operations need clear ownership, control and evidence. Unsure where your privileged access controls stand against DORA, audit or internal risk expectations? Book a free two-hour PAM Quick Check and get a practical summary of your maturity, key observations and top risks.