DORA and operational resilience: Credential management as a financial risk control

DORA AND OPERATIONAL RESILIENCE: CREDENTIAL MANAGEMENT AS A FINANCIAL RISK CONTROL

Introduction

• A growing gap exists between traditional security controls and the real-world risks faced by financial institutions under new regulatory expectations.
• The entry point that once seemed harmless—the use of legitimate credentials—now represents a fundamental threat to operational continuity and regulatory compliance.
• This post outlines how Article 9 of the Digital Operational Resilience Act (DORA) reframes credential management as a binding financial risk control and what it takes to align practices with the law.

1) The Threat DORA Was Built To Counter

• In 2025, stolen credentials emerged as the leading initial access vector, driving a sizable share of data breaches.
• Financial institutions face substantial cost from credential-based incidents, even as industry averages shift (e.g., multi-million-dollar per-incident impacts).
• The credential supply chain has become highly industrialized, with initial access brokers selling verified corporate access that often includes privileged credentials.
• Automated credential harvesting tools routinely target organizations at scale, with phishing methods increasing year over year.

2) DORA Article 9: What It Really Requires

• Article 9, titled Protection and Prevention, sits within an ICT risk management framework and imposes concrete obligations for financial entities.
• Core requirements directly relevant to credential management:
• 9(4)(c): Implement policies that limit access to information and ICT assets to what is strictly necessary for legitimate functions (least-privilege).
• 9(4)(d): Implement strong authentication mechanisms based on recognized standards and dedicated control systems, plus protection of cryptographic keys and encryption aligned with data classification and risk assessment.
• Practical interpretation:
• Phishing-resistant MFA is mandatory, with emphasis on standards such as FIDO2/WebAuthn to counter adversary-in-the-middle phishing.
• Privileged access management and cryptographic key protection are treated as regulatory obligations, even though not named explicitly as such in the regulation.
• Related standards and guidance:
• Supervisory bodies provide sector-specific implementation details that reinforce Article 9 requirements.
• The emphasis is on concrete, auditable controls rather than policy documents alone.

3) Credential Compromise as an Operational Resilience Issue

• DORA’s purpose is to ensure resilience in the face of ICT disruptions, not just to prevent security incidents.
• A compromised credential can be invisible for a long time, allowing an attacker to move laterally, escalate privileges, and map critical systems while appearing legitimate.
• The operational impact is the focus: disruption of services, data exposure, and regulatory action triggered by slow, stealthy intrusions.
• Real-world illustration:
• A large national registry breach demonstrated how a single compromised account could expose millions of records and disrupt core operations, triggering rapid regulatory reporting obligations.

4) The Third-Party Dimension: Vendors and Credentials

• Article 9 extends beyond internal systems to the ICT supply chain and third-party risk.
• Examples show how vendor accounts without strong authentication can become entry points for large institutions.
• Regulatory implication:
• Financial entities must contractually require equivalent authentication standards from vendors and actively audit compliance.
• A vendor’s password policy gap translates into a direct regulatory liability for the financial institution.

5) Building a DORA-Compliant Credential Management Program

• A four-pillar approach aligns with Article 9 requirements and operational realities:
• Phishing-Resistant MFA
  • Deploy FIDO2/WebAuthn-based authentication using hardware security keys, passkeys, or platform authenticators.
  • Enforce phishing-resistant MFA for all users, with heightened attention to privileged accounts and remote access paths.
• Least-Privilege Access with Just-In-Time (JIT) Provisioning
  • Grant elevated access only for the duration of a specific task and revoke it when the task ends.
  • Ensure immediate deactivation on offboarding and address dormant accounts as a high-priority risk.
• Vaulting All Credentials
  • Store service accounts, API keys, and privileged credentials in an encrypted, access-controlled vault.
  • Move away from manual credential management to scalable, auditable vaulting that provides a clear audit trail.
• Continuous Monitoring and Anomaly Detection
  • Monitor for unusual login patterns, off-hours access, and lateral movement signals.
  • Automated alerts should trigger rapid responses to minimize dwell time and regulatory exposure.
• These four controls are interdependent, resting on how credentials are stored, shared, accessed, and monitored.

6) Operational Readiness: Documentation and Auditability

• DORA makes credential management an evidentiary discipline as much as a technical one.
• Evidence-based readiness means you can produce documentation on demand:
• Demonstrable enforcement of least-privilege across vaults and access points.
• Clear records of strong authentication usage and cryptographic protections.
• Comprehensive audit trails for credential access, changes, and sharing events.
• The absence of documentation itself can constitute a finding during regulator reviews.

7) The Practical Path Forward

• Start with a comprehensive credential management architecture that supports:
• Centralized, encrypted vaults with strict access controls and detailed activity history.
• Identity-centric governance that ties access rights to directory group changes and lifecycle events.
• Strong authentication across all entry points, with particular emphasis on privileged pathways and remote access.
• End-to-end traceability for audits, including the ability to export compliance-ready reports.
• In planning and implementation, emphasize evidence generation:
• Prepare artifact-heavy documentation that can withstand regulatory scrutiny.
• Align technical controls with Article 9(4)(c) and 9(4)(d) expectations to reduce regulatory friction.
• The overarching objective is to transform credential management from a security checkbox into a robust, auditable, and regulator-ready program that supports operational resilience.

Conclusion

• Under DORA, credential management is no longer a purely security concern; it is a financial risk control with explicit regulatory implications.
• Effective management of credentials—through phishing-resistant authentication, strict least-privilege, encrypted vaulting, and continuous monitoring—directly supports the resilience of financial operations.
• By treating identity as the first line of defense and evidence as the currency of compliance, institutions can meet Article 9 requirements and demonstrate their preparedness ahead of regulatory reviews.