The Digital Operational Resilience Act (DORA) introduces a high-stakes mandate for financial services operating in the EU: prove that your operations — and your cybersecurity defences — can withstand even the most severe disruptions.
For CISOs, this isn’t just about technology upgrades. It’s about building a new kind of resilience where identity plays a central role. This blog provides a practical playbook for CISOs and IAM leaders who want to align identity strategy with DORA before its 2025 deadlines come into effect.
Start with visibility. Map your current identity systems and policies to DORA’s core areas:
- Access control and governance
- Authentication and credential security
- Operational continuity of identity services
- Incident detection and response
Where are the gaps? Where are you relying on manual processes or legacy tools? Use this audit to prioritize risk areas and modernization needs.
Static policies are too blunt for today’s threats. DORA expects smarter controls that adjust to context. Implement adaptive access using:
- User behaviour analytics
- Device posture assessments
- Geolocation and time-of-day signals
- Historical access patterns
RSA Risk AI enables these capabilities, allowing real-time decisions that reduce false positives while stopping real threats.
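To make the idea of context-aware access concrete, here is a small worked example of an adaptive-access policy that combines the four signal types listed above into a risk score and maps it to an allow, step-up or deny decision. This is an added illustration written for this post, not RSA Risk AI's own logic; the signal weights, thresholds and sample sign-in contexts are constructed assumptions chosen to show how a low-risk sign-in passes without friction while a risky one is challenged or blocked.

```python
"""Adaptive-access risk scoring (illustrative; not RSA product code).

Weights and thresholds below are constructed for the example. A real
deployment would tune them against observed false-positive rates.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class AccessContext:
    """Contextual signals available at authentication time."""
    user: str
    country: str                 # geolocation of the request
    device_managed: bool         # device posture: enrolled in MDM
    device_patched: bool         # device posture: OS at required patch level
    login_time: datetime         # time-of-day signal
    known_countries: set         # historical access pattern for this user
    usual_hours: range           # hours of day the user normally signs in
    failed_logins_last_hour: int # behaviour signal (credential-stuffing hint)


@dataclass
class Decision:
    action: str                  # "ALLOW", "STEP_UP" or "DENY"
    score: int
    reasons: list = field(default_factory=list)


STEP_UP_THRESHOLD = 30           # assumption: require phishing-resistant MFA
DENY_THRESHOLD = 70              # assumption: block and raise an incident


def score_context(ctx: AccessContext) -> Decision:
    """Turn contextual signals into a risk score and an access decision."""
    score = 0
    reasons = []

    # Device posture: unmanaged or unpatched devices raise risk.
    if not ctx.device_managed:
        score += 25
        reasons.append("unmanaged device")
    if not ctx.device_patched:
        score += 15
        reasons.append("device below patch baseline")

    # Geolocation checked against the user's historical pattern.
    if ctx.country not in ctx.known_countries:
        score += 30
        reasons.append(f"first sign-in from {ctx.country}")

    # Time-of-day signal compared with the user's usual window.
    if ctx.login_time.hour not in ctx.usual_hours:
        score += 10
        reasons.append("outside usual hours")

    # Behaviour analytics: burst of failures suggests credential attack.
    if ctx.failed_logins_last_hour >= 5:
        score += 40
        reasons.append("repeated failed logins in the last hour")

    if score >= DENY_THRESHOLD:
        action = "DENY"
    elif score >= STEP_UP_THRESHOLD:
        action = "STEP_UP"
    else:
        action = "ALLOW"
    return Decision(action, score, reasons)


def _base(**overrides) -> AccessContext:
    """Constructed low-risk baseline sign-in; overrides build other scenarios."""
    base = dict(
        user="alice",
        country="DE",
        device_managed=True,
        device_patched=True,
        login_time=datetime(2025, 1, 17, 9, 0, tzinfo=timezone.utc),
        known_countries={"DE", "FR"},
        usual_hours=range(7, 20),
        failed_logins_last_hour=0,
    )
    base.update(overrides)
    return AccessContext(**base)


def evaluate_samples() -> dict:
    """Three constructed scenarios showing the three possible outcomes."""
    return {
        "trusted": score_context(_base()),
        "new_country_byod": score_context(
            _base(country="BR", device_managed=False)),
        "likely_attack": score_context(
            _base(country="BR", device_managed=False, device_patched=False,
                  login_time=datetime(2025, 1, 17, 3, 0, tzinfo=timezone.utc),
                  failed_logins_last_hour=7)),
    }


if __name__ == "__main__":
    for name, d in evaluate_samples().items():
        # Audit-style line: the reasons list is what an analyst wants logged.
        print(f"{name}: {d.action} (score={d.score}) {'; '.join(d.reasons)}")
```

The point of the reasons list is that every step-up or denial is explainable: the same record that drives the decision can be written to the audit trail DORA's incident-reporting and oversight expectations call for.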
Your IAM systems are mission critical. But can they survive an outage?
DORA requires institutions to demonstrate continuity of critical ICT systems. That includes your identity platform.
RSA’s Hybrid Failover ensures that authentication can continue even if your cloud, data centre, or network is compromised.
Phishing-resistant MFA is no longer optional. RSA offers a range of passwordless solutions, including:
- FIDO2-certified hardware keys (iShield)
- Mobile Lock for untrusted devices
- OTP and push-based soft tokens
Deploy these across workforce and customer identities to meet DORA expectations and stop credential theft.
Manual certification campaigns and entitlement reviews no longer scale, nor can they adequately manage the growing numbers of users, devices, entitlements, and environments. DORA requires continuous oversight.
With RSA Governance & Lifecycle, you can:
- Automate joiner/mover/leaver processes
- Enforce least privilege through policy-based provisioning
- Provide audit-ready reports with a few clicks
DORA will separate the prepared from the reactive. It’s not enough to have IAM in place — it must be intelligent, resilient, and tightly governed.
With RSA, CISOs gain the tools to not only comply with DORA, but to build an identity infrastructure that supports long-term operational excellence.
The time to act is now — enforcement is a reality in 2025, and your business is at real risk of hefty fines if you are not compliant. Use this playbook to strengthen your posture before regulators — or attackers — test your resilience.
Watch the RSA webinar, DORA & Digital Risk: Strengthening Identity Security in Financial Services, to learn what DORA compliance really means for Identity Security, best practices to prepare for DORA audits, and key compliance obligations related to user authorization, access, authentication, and business continuity.