
IAM as a Cornerstone for DORA Compliance

06 January, 2025, by Natasha Free

The Digital Operational Resilience Act (DORA) - Regulation (EU) 2022/2554 - will come into force on the 17th January 2025. It is focused on financial institutions in the European Union (and on any institution outside the EU that provides services to EU citizens or companies).

DORA mandates that financial institutions must be able to adapt and respond to disruptions without interruption to services. But what makes DORA particularly interesting is the focus on the whole ecosystem/supply chain.

Information technology systems used to deliver financial services have long been reliant on complex interactions between multiple products from multiple vendors. Ensuring the integrity of the entire supply chain is essential for operational resilience both in terms of preventing breaches and recovering from them. As the saying goes, you are only as strong as your weakest link.

Since financial services underpin such a large part of the economy in Europe and the UK, impacts to providers could have a significant impact not just on financial services, but also on the rest of the economy.

Identity & Access Management (IAM) is integral to DORA compliance as it requires businesses to have complete visibility into how and where human and machine identities access protected data.

In 2023, 70% of cyber-security attacks were identity-related. It’s increasingly common now for bad actors to log in with stolen credentials rather than hack in. And now, with the introduction of DORA, not only do businesses require reliable management of their own identities, but they must also control access rights for third-party partners and suppliers.

Let’s look at the key areas for DORA compliance and how IAM contributes.

ICT Risk Management

The basis for protecting what you have is knowing what is there and how it is being used. Understanding risk and prioritising mitigation is key to a robust security posture.

Organisations need to be able to clearly demonstrate how access control and authentication are managed. A key focus should be the lifecycle management of all identities.

Risks can be substantially reduced through the use of a comprehensive IGA tool by addressing the following:

  • Immediate and demonstrable revocation of access rights
  • Reducing onboarding/provisioning delays and therefore negating the need for end users to find non-compliant workarounds
  • Accurate entitlement assignment, regardless of whether a user has changed role, i.e., mitigating the risk of "entitlement drag"
  • Over-privileged user prevention by adopting consistent entitlement assignment using business or technical roles
  • Identification of toxic combinations of entitlements

The key to making this work and maximising the return on governance investment is to get the business process right. Roles and permissions can be tricky to define when you get into the detail, but perseverance will be rewarded with a more robust security posture.

Information and Intelligence Sharing

A whole system view of operational resilience and reduction of the risks inherent in complex financial ecosystems must address information and intelligence sharing. No financial institution operates in isolation as they are often subject to the same risks and have many parts of the supply chain in common. A successful attack on one institution could be a prelude to an attack on many others.

Enterprise grade access controls and privileged access management platforms play an important part in keeping sensitive information safe, allowing organisations to share data safely. But they also provide valuable insight into how information is being accessed or shared and can be used to flag “abnormal” behaviours.

Incidents and Reporting

In tandem with intelligence sharing, it’s important that incident response is prompt and reporting is clear.

Automated detection and response are invaluable but what about looking for the root cause?

Could you quickly report on what users had access to what, when and how in order to meet the reporting requirements?

Do you have a single logical view of anyone who has access to your systems?

Don’t worry: "yes" answers to these questions are vanishingly rare, but this is something that organisations can work towards. Comprehensive IGA tools can help, and they should include a suite of reports that allow administrators to easily demonstrate compliance.
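The risk-reduction points listed under ICT Risk Management (demonstrable revocation, entitlement drag after a role change, toxic combinations of entitlements) and the reporting questions above (who had access to what, when and how) can all be answered from the same small data model: a role catalogue, a per-identity audit trail of grant and revoke events, and a few queries over it. The following is an added example written for this article, not code from Madigan Solutions or from any IGA product; the roles, entitlements, toxic-combination rules, user names and dates are constructed for illustration.

```python
"""Toy identity-governance model: role-based entitlement assignment, entitlement-drag
detection, toxic-combination (segregation-of-duties) checks and a point-in-time
access report. Added example; all names, roles and entitlements are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Hypothetical role catalogue: business role -> entitlements that role justifies.
ROLE_ENTITLEMENTS: Dict[str, Set[str]] = {
    "payments-clerk": {"payments:create"},
    "payments-approver": {"payments:approve"},
    "finance-reporting": {"ledger:read"},
    "helpdesk": {"directory:read", "password:reset"},
}

# Hypothetical toxic combinations: one identity must never hold a whole set at once.
TOXIC_COMBINATIONS: List[FrozenSet[str]] = [
    frozenset({"payments:create", "payments:approve"}),
    frozenset({"password:reset", "payments:approve"}),
]

# Constructed audit dates used by the demo scenario below.
PRE_MOVE_DATE = datetime(2025, 2, 1)
AUDIT_DATE = datetime(2025, 6, 1)


@dataclass
class GrantEvent:
    entitlement: str
    granted_at: datetime
    source: str                      # "role:<name>" or "direct" (ad-hoc grant)
    revoked_at: Optional[datetime] = None

    def active_at(self, at: datetime) -> bool:
        return self.granted_at <= at and (self.revoked_at is None or self.revoked_at > at)


@dataclass
class Identity:
    name: str
    roles: Set[str] = field(default_factory=set)
    events: List[GrantEvent] = field(default_factory=list)   # the audit trail

    def entitlements_at(self, at: datetime) -> Set[str]:
        return {e.entitlement for e in self.events if e.active_at(at)}


def grant(identity: Identity, entitlement: str, when: datetime, source: str = "direct") -> None:
    """Record a grant; a no-op if the entitlement is already active (keeps the trail clean)."""
    if entitlement not in identity.entitlements_at(when):
        identity.events.append(GrantEvent(entitlement, when, source))


def revoke(identity: Identity, entitlement: str, when: datetime) -> None:
    """Close every open grant of the entitlement, so the revocation is demonstrable later."""
    for e in identity.events:
        if e.entitlement == entitlement and e.revoked_at is None:
            e.revoked_at = when


def assign_role(identity: Identity, role: str, when: datetime) -> None:
    identity.roles.add(role)
    for ent in sorted(ROLE_ENTITLEMENTS[role]):
        grant(identity, ent, when, source=f"role:{role}")


def remove_role(identity: Identity, role: str, when: datetime, revoke_entitlements: bool = True) -> None:
    """Remove a role and revoke what no remaining role justifies. revoke_entitlements=False
    models the failure mode where the HR record changes but nobody revokes the old access."""
    identity.roles.discard(role)
    if not revoke_entitlements:
        return
    still_justified = set().union(*(ROLE_ENTITLEMENTS[r] for r in identity.roles))
    for ent in ROLE_ENTITLEMENTS[role] - still_justified:
        revoke(identity, ent, when)


def entitlement_drag(identity: Identity, at: datetime) -> Set[str]:
    """Entitlements active at `at` that no current role justifies (over-privilege)."""
    justified = set().union(*(ROLE_ENTITLEMENTS[r] for r in identity.roles))
    return identity.entitlements_at(at) - justified


def toxic_combinations(identity: Identity, at: datetime) -> List[FrozenSet[str]]:
    held = identity.entitlements_at(at)
    return [combo for combo in TOXIC_COMBINATIONS if combo <= held]


def access_report(identities: List[Identity], at: datetime) -> Dict[str, List[Tuple[str, str, str]]]:
    """Who had access to what, when and how, as of `at`: (entitlement, source, granted_at)."""
    return {
        ident.name: sorted((e.entitlement, e.source, e.granted_at.isoformat())
                           for e in ident.events if e.active_at(at))
        for ident in identities
    }


def build_demo() -> Dict[str, Identity]:
    """Constructed scenario (not real data): one bad role move, one ad-hoc grant, one good move."""
    t_join, t_move = datetime(2025, 1, 6, 9, 0), datetime(2025, 3, 1, 9, 0)
    alice, bob, carol = Identity("alice"), Identity("bob"), Identity("carol")
    assign_role(alice, "payments-clerk", t_join)                         # alice joins as clerk...
    remove_role(alice, "payments-clerk", t_move, revoke_entitlements=False)  # ...role changed, nothing revoked
    assign_role(alice, "payments-approver", t_move)                      # now creates AND approves
    assign_role(bob, "helpdesk", t_join)
    grant(bob, "ledger:read", t_join, source="direct")                   # ad-hoc grant outside any role
    assign_role(carol, "payments-clerk", t_join)
    remove_role(carol, "payments-clerk", t_move)                         # proper lifecycle management
    assign_role(carol, "payments-approver", t_move)
    return {"alice": alice, "bob": bob, "carol": carol}


if __name__ == "__main__":
    ids = build_demo()
    for name, ident in ids.items():
        print(name, "drag:", sorted(entitlement_drag(ident, AUDIT_DATE)),
              "toxic:", [sorted(c) for c in toxic_combinations(ident, AUDIT_DATE)])
    print(access_report(list(ids.values()), PRE_MOVE_DATE))
```

Running it shows alice flagged for both entitlement drag (`payments:create` survives her role change) and a toxic combination (create plus approve), bob flagged for drag from the direct grant, and carol clean because the old role's entitlements were revoked in the same step as the move; the point-in-time report answers the "what, when and how" question for any date because revocations close an event rather than deleting it.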

Third Party Risk Management

Supply chain breaches feature prominently in high-profile breach reports. Complex modern digital supply chains are more exposed to vulnerabilities, and their attack surface has grown significantly in recent years.

DORA has rightly addressed this and requires close monitoring of third-party contracts, and IAM has a key role to play.

However, organisations often do not apply the same standard of lifecycle management to their third parties. They may have invested heavily in IAM for workforce and consumer identities but have only ad-hoc controls in place for user types that sit outside these traditional silos. A comparable and equally stringent focus needs to be applied to third-party user lifecycle management.

Organisations are already feeling the strain of managing the increasing number of non-human identities or scaling to keep pace with business growth. Modern, streamlined IAM can ensure access and permissions are updated seamlessly and easily.

Summary

DORA will force a mindset change amongst financial institutions - no matter how small they may be. Strengthening access controls, governance controls, reporting controls, and ongoing compliance monitoring controls are no longer "nice to haves". They are mandatory. In addition, these organisations must address the careful management of third parties, with the same focus they use for workforce or consumer user identities.

If you need help with identity and access solutions as a result of the DORA legislation, we have the enterprise grade tooling you need.

Contact us to find out more.

© Copyright 2025 Madigan Solutions UK Limited
Madigan Solutions UK Limited is a company registered in Northern Ireland with Company Number NI675324. VAT Number 368 3929 47.
