Article 9 of DORA makes authentication and access control a legal obligation for EU financial entities. Here is what the regulation requires, and what a breach looks like when those controls are missing. [...]
# Regulation/Compliance: Digital Operational Resilience Act (DORA) - Article 9
## Overview
DORA is a comprehensive EU regulatory framework designed to strengthen the IT security of financial entities. Article 9 specifically focuses on **"Protection and Prevention,"** making credential management and access control a binding financial risk control rather than just a technical best practice. The goal is to ensure that financial institutions can withstand, respond to, and recover from ICT-related disruptions and threats.
## Key Details
- **Issuing Authority:** European Union (European Parliament and Council); supervised by ESAs (EBA, EIOPA, ESMA).
- **Effective Date:** 17 January 2025.
- **Jurisdiction:** European Union.
- **Status:** In Effect (Entered into application).
## Requirements
### Mandatory Requirements
1. **Least-Privilege Access (Article 9(4)(c)):** Entities must implement policies limiting physical and logical access to ICT assets to only what is required for legitimate and approved functions.
2. **Strong Authentication (Article 9(4)(d)):** Implementation of rigorous authentication mechanisms (MFA) based on relevant industry standards.
3. **Cryptographic Key Management:** Mandatory protection measures for cryptographic keys used for data encryption.
4. **Data Classification:** Protection measures must be based on the results of approved data classification and ICT risk assessment processes.
5. **Logging and Auditing:** Logging is addressed elsewhere in the framework, but the access controls in Article 9 presuppose that access to ICT assets is tracked, so that unauthorized lateral movement can be detected and prevented.
### Recommended Practices
1. **Phishing-Resistant MFA:** Adoption of FIDO2/WebAuthn standards to counter Adversary-in-the-Middle (AiTM) attacks.
2. **Privileged Access Management (PAM):** Use of "dedicated control systems" for session recording and vaulting.
3. **Just-In-Time (JIT) Provisioning:** Granting elevated access only for the specific duration required for a task.
## Affected Organizations
- **Industries:** Banks, credit institutions, payment institutions, investment firms, crypto-asset service providers, insurance companies, and third-party ICT service providers.
- **Organization Size:** All sizes (though proportionality principles may apply to smaller entities).
- **Geographic Scope:** Any financial entity operating within the EU and their critical ICT third-party providers.
## Compliance Timeline
- **16 January 2023:** DORA entered into force.
- **17 January 2025:** DORA entered into full application; compliance is now mandatory.
- **Ongoing:** Periodic reviews and supervisory audits by national competent authorities.
## Implementation Guidance
### Assessment Phase
- Inventory all ICT assets and data classifications.
- Conduct a gap analysis between current credential management and the "Strong Authentication" requirement of Article 9.
### Implementation Phase
- Deploy Multi-Factor Authentication (MFA) across all information assets.
- Implement a centralized Credential Management or PAM system.
- Enforce granular access policies based on the principle of least privilege.
### Validation Phase
- Review access logs to confirm that the activity of "authorized users" matches their actual duties.
- Perform penetration testing to verify whether stolen credentials can be used for lateral movement.
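The just-in-time, least-privilege grant model recommended above and the log review suggested for the validation phase can be shown together in code. The following Python sketch is an added example, not text from the regulation and not the code of any product named on this page; the roles, scopes, user names, ticket references and timestamps are constructed for illustration, and `ROLE_ENTITLEMENTS`, `JitBroker` and `find_anomalies` are hypothetical names.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed duty matrix (hypothetical): the privileged scopes each role may hold.
ROLE_ENTITLEMENTS: dict[str, set[str]] = {
    "payments-ops": {"payments:read", "payments:retry"},
    "dba": {"db:read", "db:schema-change"},
}


@dataclass(frozen=True)
class Grant:
    user: str
    scope: str
    ticket: str            # change/approval reference that justified the grant
    issued_at: datetime
    expires_at: datetime

    def active_at(self, now: datetime) -> bool:
        return self.issued_at <= now < self.expires_at


@dataclass
class JitBroker:
    """Issues short-lived, least-privilege grants and records every decision."""
    role_of: dict[str, str]                       # user -> role
    max_ttl: timedelta = timedelta(minutes=30)    # hard ceiling on grant lifetime
    grants: list[Grant] = field(default_factory=list)
    audit_log: list[dict] = field(default_factory=list)

    def _log(self, event: str, user: str, scope: str, now: datetime, **extra) -> None:
        # Append-only record; every grant, use and denial lands here for later review.
        self.audit_log.append({"ts": now.isoformat(), "event": event,
                               "user": user, "scope": scope, **extra})

    def request(self, user: str, scope: str, ticket: str, now: datetime,
                ttl: timedelta = timedelta(minutes=15)) -> Grant:
        role = self.role_of.get(user)
        if scope not in ROLE_ENTITLEMENTS.get(role, set()):
            # Least privilege: a scope outside the role's duties is refused, not escalated.
            self._log("GRANT_DENIED", user, scope, now, ticket=ticket,
                      reason="scope not in role entitlements")
            raise PermissionError(f"{user} ({role}) may not hold {scope}")
        ttl = min(ttl, self.max_ttl)  # JIT: elevated access only for the task's duration
        grant = Grant(user, scope, ticket, now, now + ttl)
        self.grants.append(grant)
        self._log("GRANT", user, scope, now, ticket=ticket,
                  expires_at=grant.expires_at.isoformat())
        return grant

    def authorize(self, user: str, scope: str, now: datetime) -> bool:
        ok = any(g.user == user and g.scope == scope and g.active_at(now) for g in self.grants)
        self._log("USE" if ok else "USE_DENIED", user, scope, now)
        return ok


def find_anomalies(audit_log: list[dict], role_of: dict[str, str]) -> list[dict]:
    """Validation-phase review: return every denial and every successful privileged
    use whose scope falls outside the user's role duties, for follow-up."""
    findings = []
    for entry in audit_log:
        allowed = ROLE_ENTITLEMENTS.get(role_of.get(entry["user"]), set())
        if entry["event"].endswith("_DENIED"):
            findings.append(entry)
        elif entry["event"] == "USE" and entry["scope"] not in allowed:
            findings.append(entry)
    return findings


def run_demo() -> dict:
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)   # constructed timestamp
    roles = {"alice": "payments-ops", "bob": "dba"}          # constructed users
    broker = JitBroker(role_of=roles)

    broker.request("alice", "payments:retry", "CHG-0001", t0)
    within = broker.authorize("alice", "payments:retry", t0 + timedelta(minutes=5))
    expired = broker.authorize("alice", "payments:retry", t0 + timedelta(minutes=20))
    try:
        broker.request("alice", "db:schema-change", "CHG-0002", t0)
        out_of_role_refused = False
    except PermissionError:
        out_of_role_refused = True
    no_grant = broker.authorize("bob", "db:schema-change", t0)

    return {
        "use_within_window": within,          # True: grant active
        "use_after_expiry": expired,          # False: 15-minute grant has lapsed
        "out_of_role_refused": out_of_role_refused,
        "use_without_grant": no_grant,        # False: right role, but no JIT grant
        "anomalies": find_anomalies(broker.audit_log, roles),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The broker refuses any scope the requester's role does not carry, caps every grant at a fixed lifetime, and logs each decision; `find_anomalies` is the reviewer's pass over that log, surfacing the denied attempts and any privileged use that does not match the user's duties.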
## Technical Requirements
- **MFA Protocols:** Use of standards like FIDO2.
- **Encryption:** Encryption of data-at-rest and in-transit with secure key management.
- **Dedicated Control Systems:** Tools capable of managing privileged credentials and providing full audit trails.
## Penalties & Enforcement
- **Fines:** For critical ICT third-party providers, fines can reach up to **1% of the average daily worldwide turnover** in the preceding business year, applied daily for up to six months.
- **Other Consequences:** Public cease-and-desist orders, reputational damage, and mandatory administrative sanctions by national supervisors.
- **Enforcement:** National Competent Authorities (NCAs) oversee compliance and have the power to conduct onsite inspections.
## Related Standards
- **ISO 27001:** The core information security management standard (Passwork and similar tools often hold this certification).
- **FIDO2/WebAuthn:** The benchmark for technical authentication compliance under Article 9.
- **NIST SP 800-63:** Digital Identity Guidelines (aligns with strong authentication mandates).
## Resources
- **Official Documentation:** [EU DORA Regulation Official Text](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R2554)
- **Guidance Documents:** [EIOPA DORA Homepage](https://www.eiopa.europa.eu/digital-operational-resilience-act-dora_en)
## Practical Recommendations
- **Treat Credentials as Financial Assets:** Stop treating passwords as routine IT helpdesk tickets; view them as the primary shield against financial operational risk.
- **Automate Compliance:** Use self-hosted or secure vaulting solutions that generate automated audit logs to satisfy regulators during audits.
- **Audit Immediately:** Financial institutions should assume credentials have already been targeted and confirm that current controls can stop an account that appears legitimate from acting maliciously or moving laterally.