Compliance is often seen as a necessary burden in financial services — a series of boxes to tick to avoid fines or reputational damage. But the Digital Operational Resilience Act (DORA) isn’t just another checkbox exercise. It represents a deeper shift in how regulators expect European organizations to manage digital risk.
For CISOs and identity leaders, DORA is an opportunity to turn compliance into a driver of long-term risk reduction and resilience. To realize that opportunity, they’ll need to start with identity.
Every digital transaction within a financial institution begins with a basic security question: who is requesting access? In an increasingly hybrid, cloud-connected, and remote-enabled environment, verifying and controlling identity is more complex — and more critical — than ever.
DORA recognizes that without secure and resilient identity systems, no organization can maintain operational continuity during a crisis. If you lose control of identity, you lose control of the business.
Traditional identity systems were not designed for today’s threat landscape or regulatory expectations. They are often reactive, policy-driven, and heavily reliant on passwords and manual processes.
Common gaps include:
- Static access policies that don’t account for contextual risk
- Lack of visibility into real-time identity behaviour
- Slow incident response due to siloed identity tools
- No backup strategy if IAM systems go offline
DORA expects more. It expects institutions to proactively manage identity risk as part of their operational resilience programme. Financial entities operating in the EU must now be compliant with these requirements: DORA has applied since 17 January 2025, when its enforcement stage began.
Identity Risk Management goes beyond enforcing access controls. It means continuously evaluating the risk posed by users, devices, and access attempts — and dynamically adapting security responses.
For example:
- Is a user logging in from a known location on a trusted device?
- Is their behaviour consistent with historical patterns?
- Is there a rise in help desk requests that could indicate social engineering?
These signals help build a real-time risk profile that guides authentication and access decisions.
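As an added illustration (not RSA code and not part of the original post), the following Python sketch shows how the signals listed above can be combined into an adaptive access decision rather than a static policy. A baseline is derived from the user's login history, an organisation-wide help-desk signal is folded in, and the resulting score selects allow, step-up or deny. The weights, thresholds, and sample logins are constructed assumptions, not values from any product.

```python
"""Risk-based authentication decision engine (illustrative, not RSA code).

Combines contextual signals into a risk score that drives an
allow / step_up / deny decision instead of a static "password OK" policy.
Weights, thresholds and sample data are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class LoginEvent:
    user: str
    ts: datetime        # UTC timestamp of the attempt
    country: str        # ISO country code from IP geolocation
    device_id: str      # device fingerprint or registered device id
    hour: int           # user's local hour of day, 0-23


@dataclass(frozen=True)
class Baseline:
    countries: FrozenSet[str]
    devices: FrozenSet[str]
    hours: FrozenSet[int]


def build_baseline(history: List[LoginEvent]) -> Baseline:
    """Derive the user's historical pattern from past successful logins."""
    return Baseline(
        countries=frozenset(e.country for e in history),
        devices=frozenset(e.device_id for e in history),
        hours=frozenset(e.hour for e in history),
    )


def help_desk_spike(tickets: List[datetime], now: datetime,
                    window: timedelta = timedelta(hours=1),
                    threshold: int = 5) -> bool:
    """A burst of credential/MFA reset tickets can indicate social engineering."""
    recent = [t for t in tickets if now - window <= t <= now]
    return len(recent) >= threshold


def score_login(ev: LoginEvent, base: Baseline, reset_tickets: List[datetime]) -> int:
    """Sum weighted risk signals. Weights are illustrative assumptions."""
    score = 0
    if ev.country not in base.countries:
        score += 40   # unknown location
    if ev.device_id not in base.devices:
        score += 30   # untrusted device
    if ev.hour not in base.hours:
        score += 15   # outside the user's usual working pattern
    if help_desk_spike(reset_tickets, ev.ts):
        score += 25   # organisation-wide signal, not tied to this user
    return score


def decide(score: int) -> str:
    """Map a risk score to an access decision (thresholds are assumptions)."""
    if score >= 50:
        return "deny"
    if score >= 25:
        return "step_up"   # e.g. require phishing-resistant MFA
    return "allow"


# Constructed sample data: alice logs in from Germany, same laptop, 09:00 local.
HISTORY = [
    LoginEvent("alice", datetime(2025, 1, d, 8, 0), "DE", "laptop-01", 9)
    for d in range(6, 16)
]
NOW = datetime(2025, 1, 20, 9, 0)
QUIET_TICKETS = [NOW - timedelta(hours=3)]                          # 1 old ticket
SPIKE_TICKETS = [NOW - timedelta(minutes=m) for m in range(0, 50, 10)]  # 5 in 50 min


def evaluate_sample() -> Dict[str, str]:
    base = build_baseline(HISTORY)
    normal = LoginEvent("alice", NOW, "DE", "laptop-01", 9)
    new_device = LoginEvent("alice", NOW, "DE", "phone-77", 9)
    abroad_night = LoginEvent("alice", NOW, "BR", "phone-77", 3)
    return {
        "normal": decide(score_login(normal, base, QUIET_TICKETS)),
        "new_device": decide(score_login(new_device, base, QUIET_TICKETS)),
        "new_device_during_spike": decide(score_login(new_device, base, SPIKE_TICKETS)),
        "abroad_night": decide(score_login(abroad_night, base, QUIET_TICKETS)),
    }


if __name__ == "__main__":
    for case, outcome in evaluate_sample().items():
        print(f"{case:26s} -> {outcome}")
```

A static password-only policy would admit all four sample logins; here the same valid credential yields allow, step_up or deny depending on context, and a help-desk reset surge raises the bar for everyone while it lasts.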
RSA’s identity platform is purpose-built to address the identity risk requirements of DORA.
- Risk AI analyses behavioural signals to detect and block risky access
- Help Desk Live Verify prevents social engineering attacks at the point of human interaction
- Passwordless options (including FIDO2-certified authenticators, OTP, biometrics, and more) reduce credential-related breaches
- RSA Governance & Lifecycle streamlines policy enforcement and compliance reporting
- Hybrid Failover ensures that authentication continues even when systems are down
Together, these tools allow institutions to manage identity as a dynamic, data-driven risk function.
Regulatory compliance is the starting point. But institutions that go beyond DORA’s minimum requirements will build more secure, more agile, and more trusted operations.
By investing in identity risk management now, CISOs can:
- Reduce the likelihood and impact of breaches
- Lower the cost and complexity of audits
- Improve user experience through adaptive, passwordless access
- Build lasting resilience across all digital operations
DORA is a wake-up call to rethink identity. Not just as an access gatekeeper, but as a critical risk signal and a cornerstone of resilience.
With RSA, financial institutions can rise to that challenge — and use identity not just to comply, but to lead.
Watch the RSA webinar, DORA & Digital Risk: Strengthening Identity Security in Financial Services, to learn what DORA compliance really means for Identity Security, best practices to prepare for DORA audits, and key compliance obligations related to user authorization, access, authentication, and business continuity.