When the Digital Operational Resilience Act (DORA) was adopted by the EU, it signaled a fundamental shift in how financial institutions must approach cybersecurity, risk management, and operational continuity. For the first time, regulators didn’t just mention identity security in passing — they embedded it directly into the fabric of compliance.
This evolution recognizes a reality many security professionals have known for years: that identity is the foundation of digital security and a linchpin of operational resilience. Let’s look at what’s changed, the impacts DORA will have on identity security, the challenges that financial institutions face, and how CISOs must prepare to ensure that their organizations meet DORA requirements by the 2025 deadline.
Under DORA, every digital operation within a financial institution — from payments to customer onboarding to trading systems — must be secure, resilient, and continuously available. And that places identity security front and center. Because if you can’t verify who is accessing what, when, and from where, your identity strategy collapses.
In the new DORA regulatory reality, identity is no longer a back-office IT function. It is now a strategic imperative owned by risk leaders, compliance officers, and business executives alike.
Several articles within DORA directly or implicitly demand robust identity and access management (IAM) capabilities. For example:
- Access control and governance: DORA mandates that institutions manage user access rights in real time and conduct regular access reviews to prevent privilege creep and unauthorized access.
- Authentication requirements: Strong authentication methods, such as multi-factor authentication (MFA), are expected to protect systems from unauthorized access.
- Operational continuity: Institutions must ensure critical functions remain available during cyber incidents, outages, or disruptions. This includes maintaining identity services under duress.
- Monitoring and anomaly detection: Organizations must detect, respond to, and recover from cyber incidents quickly. Identity-related anomalies, such as unusual access patterns, are crucial indicators.
These requirements underscore the need for a modern, risk-aware identity security program.
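To make the access-review and monitoring requirements above concrete, here is an added example (not part of the original article, and not any vendor's product code) that runs two checks over constructed IAM records: an access review that lists entitlements a user holds but has not exercised within a retention window (privilege-creep candidates), and a detection pass that flags identity anomalies such as first use from a new country, off-hours access, and bursts of failed attempts. The entitlement table, log format, `NOW` timestamp, 90-day idle window and business-hours range are all assumptions chosen for the illustration.

```python
"""Access review and identity-anomaly detection over constructed IAM data.

Added illustration only: the entitlement records and log lines below are
constructed sample data, not output of any real IAM product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed entitlement records: (user, entitlement, granted_on)
ENTITLEMENTS = [
    ("alice", "payments:approve", "2024-01-10"),
    ("alice", "trading:view", "2024-06-01"),
    ("bob", "payments:approve", "2023-11-20"),   # bob changed teams; never used since
    ("bob", "onboarding:edit", "2024-03-15"),
    ("carol", "onboarding:edit", "2024-09-01"),
]

# Constructed access log, one event per line: "timestamp user entitlement country result"
ACCESS_LOG = """\
2025-03-03T09:12:00 alice payments:approve DE success
2025-03-04T10:01:00 alice trading:view DE success
2025-03-04T11:30:00 bob onboarding:edit DE success
2025-03-05T09:05:00 alice payments:approve DE success
2025-03-05T03:47:00 alice payments:approve BR success
2025-03-05T14:00:00 carol onboarding:edit DE failure
2025-03-05T14:00:30 carol onboarding:edit DE failure
2025-03-05T14:01:00 carol onboarding:edit DE failure
2025-03-05T14:01:30 carol onboarding:edit DE failure
2025-03-06T09:00:00 bob onboarding:edit DE success
"""

NOW = datetime(2025, 3, 7)  # assumed "current time" for the review


def parse_log(text):
    """Turn the constructed log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, ent, country, result = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "ent": ent, "country": country, "result": result})
    return events


def stale_entitlements(entitlements, events, now, max_idle_days=90):
    """Access-review candidates: entitlements held but not successfully used
    since max(grant date, now - max_idle_days). These are the privilege-creep
    cases a periodic review should revoke or re-certify."""
    last_used = {}
    for e in events:
        if e["result"] == "success":
            key = (e["user"], e["ent"])
            last_used[key] = max(last_used.get(key, e["ts"]), e["ts"])
    cutoff = now - timedelta(days=max_idle_days)
    stale = []
    for user, ent, granted in entitlements:
        threshold = max(datetime.fromisoformat(granted), cutoff)
        used = last_used.get((user, ent))
        if used is None or used < threshold:
            stale.append((user, ent))
    return stale


def detect_anomalies(events, business_hours=(7, 19), burst_threshold=3, burst_window_s=300):
    """Flag identity anomalies: first use from a country not previously seen for
    the user, access outside business hours, and a burst of failed attempts."""
    findings = []
    seen_countries = defaultdict(set)
    failures = defaultdict(list)
    for e in sorted(events, key=lambda x: x["ts"]):
        user = e["user"]
        # New-country check uses only history seen so far (the per-user baseline)
        if seen_countries[user] and e["country"] not in seen_countries[user]:
            findings.append((user, "new_country", e["country"]))
        seen_countries[user].add(e["country"])
        if not (business_hours[0] <= e["ts"].hour < business_hours[1]):
            findings.append((user, "off_hours", e["ts"].isoformat()))
        if e["result"] == "failure":
            # Keep only failures inside the sliding window, then test the threshold once
            recent = [t for t in failures[user] + [e["ts"]]
                      if (e["ts"] - t).total_seconds() <= burst_window_s]
            failures[user] = recent
            if len(recent) == burst_threshold:
                findings.append((user, "failure_burst", e["ent"]))
    return findings


if __name__ == "__main__":
    evs = parse_log(ACCESS_LOG)
    print("review candidates:", stale_entitlements(ENTITLEMENTS, evs, NOW))
    print("anomalies:", detect_anomalies(evs))
```

On the constructed data the review flags bob's unused `payments:approve` and carol's never-exercised `onboarding:edit`, while the detection pass flags alice's 03:47 access from a new country and carol's four failed attempts within two minutes. In a real programme the baseline would be built from a longer history and the findings routed to the access-certification workflow and the incident process respectively.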
2025 is the year compliance moves into enforcement: organizations that do not comply with DORA face fines of either 2% of average global turnover or 1% of average daily turnover, plus daily fines levied on non-compliant organizations until they achieve compliance. The stakes are now high.
Despite increased investments in security, many financial institutions still struggle with identity-related gaps in their security and operational functions, including:
- Legacy IAM systems that lack adaptability and visibility
- Siloed identity tools across on-premises and cloud environments
- Weak authentication methods that are vulnerable to phishing
- Manual governance processes that make compliance reporting slow and error-prone
These challenges leave organizations exposed — not only to attackers, but to regulatory scrutiny and compliance fines.
CISOs in the financial sector must take the lead in aligning identity strategy with DORA. That means:
- Adopting risk-based access models that adjust controls based on context and behavior
- Ensuring business continuity with hybrid failover for authentication and access
- Strengthening governance with automated provisioning, reviews, and access certification
- Embracing passwordless authentication to eliminate common attack vectors
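The first bullet, a risk-based access model that adjusts controls to context and behavior, is easiest to reason about as a small policy function. The following is an added example written for this article, not RSA's or any other vendor's policy engine: it scores a request from a few context signals (device state, location novelty, time of day, recent failures) and maps the score to allow, step-up MFA, or deny, with stricter thresholds for high-sensitivity resources. The signal names, point weights and thresholds are assumptions chosen for illustration.

```python
"""Risk-based access decision from context signals.

Added illustration with constructed weights and thresholds; not any
vendor's adaptive-access implementation.
"""
from dataclasses import dataclass


@dataclass
class AccessContext:
    user: str
    resource_sensitivity: str   # "low" or "high"
    device_managed: bool        # enrolled in device management
    country_known: bool         # country previously seen for this user
    hour: int                   # local hour of the request, 0-23
    recent_failures: int        # failed attempts in the last few minutes


# Constructed weights (assumption): each risky signal adds points
WEIGHTS = {
    "unmanaged_device": 30,
    "new_country": 25,
    "off_hours": 15,
    "failure_burst": 30,
}


def risk_score(ctx: AccessContext) -> int:
    """Sum the points for every risky signal present in the request context."""
    score = 0
    if not ctx.device_managed:
        score += WEIGHTS["unmanaged_device"]
    if not ctx.country_known:
        score += WEIGHTS["new_country"]
    if not 7 <= ctx.hour < 19:
        score += WEIGHTS["off_hours"]
    if ctx.recent_failures >= 3:
        score += WEIGHTS["failure_burst"]
    return score


def decide(ctx: AccessContext) -> str:
    """Map the score to a decision. High-sensitivity resources (payments,
    trading) step up and deny at lower scores than low-sensitivity ones."""
    score = risk_score(ctx)
    step_up, deny = (20, 60) if ctx.resource_sensitivity == "high" else (40, 80)
    if score >= deny:
        return "deny"
    if score >= step_up:
        return "step_up_mfa"
    return "allow"


if __name__ == "__main__":
    baseline = AccessContext("alice", "high", True, True, 10, 0)
    unmanaged = AccessContext("alice", "high", False, True, 10, 0)
    travelling_at_night = AccessContext("alice", "high", False, False, 3, 0)
    for c in (baseline, unmanaged, travelling_at_night):
        print(c, "->", decide(c))
```

The point of the structure is that the same signals yield different outcomes depending on what is being accessed: an unmanaged device viewing a low-sensitivity resource is allowed, while the same device approving a payment triggers step-up authentication. Thresholds and weights would be tuned against real telemetry and reviewed as part of the governance process rather than fixed in code.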
At RSA, we help financial institutions operationalize identity as a pillar of resilience. Our security-first identity platform, RSA ID Plus, is built for regulated environments like finance.
- RSA Risk AI analyzes behavioral and contextual signals to enforce adaptive access policies
- RSA Mobile Lock protects access on unmanaged or compromised devices
- RSA iShield Key 2 Series authenticators enable phishing-resistant FIDO and OTP authentication
- RSA Governance & Lifecycle automates access governance and compliance workflows
- RSA Hybrid Failover ensures uninterrupted authentication during outages
Together, these solutions provide the controls needed to align with DORA — and strengthen your organization beyond compliance.
DORA marks a turning point for identity in financial services. It elevates IAM from a technical concern to a regulatory mandate — and a strategic enabler of operational resilience.
Financial institutions that embrace identity-first security strategies will not only meet DORA requirements, but also gain a competitive advantage in security, agility, and customer trust. Now is the time to rethink your identity posture before DORA enforcement begins.