DORA and Privileged Access: What EU Financial Services Need by 2025
DataDike Security Research
PAM Research & Field Engineering
The EU Digital Operational Resilience Act (Regulation 2022/2554, DORA) came into force on 17 January 2025 and applies to virtually every financial entity operating in the EU — banks, payment institutions, insurance, investment firms, crypto-asset service providers, and the ICT third-party service providers serving them. Unlike GDPR, DORA is not a data-protection regime. It is an operational-risk regime, and the part of operational risk most often under-instrumented is privileged access.
Why DORA matters for PAM
Read any of the existing post-incident reports from EBA, ESMA, or national competent authorities and the same root cause repeats: a privileged credential, used outside its normal pattern, with no compensating control fast enough to interdict. DORA was drafted with these post-mortems in front of the legislators. Articles 5–14 (the ICT risk management framework) contain language that previously appeared only in security guidance and now appears in binding regulation.
The headline shift: competent authorities (national regulators delegated to enforce DORA) can now demand evidence of privileged-access controls, ask for forensic timelines of past incidents, and impose administrative penalties for inadequate controls. The legal teeth move PAM from "best practice we can defer" to "auditable control we must demonstrate."
The five articles that map most directly
| Article | What it requires | PAM evidence |
|---|---|---|
| Art. 5 — Governance & organisation | Defined ICT risk-management framework approved at board level | Privileged-access policy with documented board sign-off; ownership matrix for vault and session controls |
| Art. 8 — Identification | Identify and classify all ICT-supported business functions and supporting ICT assets | Inventory of every system reachable via privileged credentials, classified by criticality and reachability |
| Art. 9 — Protection & prevention | Implement policies and procedures ensuring "robustness" of ICT systems and data | Vault, JIT, MFA, session recording, credential rotation — and audit evidence each control is enforced continuously |
| Art. 10 — Detection | Detect anomalous activities and ICT-related incidents promptly | Real-time session monitoring with anomaly detection on privileged sessions; SIEM forwarding within seconds |
| Art. 11 — Response & recovery | Documented incident-response plan with clear roles, communication, recovery objectives | Forensic timeline export within 1 hour of incident declaration; break-glass workflow audit |
The two-week reporting clock
DORA Article 19 requires significant ICT-related incidents to be reported to the competent authority within fixed time windows: initial notification within hours, intermediate report within 72 hours, final report within one month. Articles 14 and 17 require ICT-related-incident classification to determine which events trigger reporting, and the criteria include "criticality of services affected" and "duration of the impact." Both criteria depend on having a forensic record of what privileged access touched which systems.
In practical terms: if your privileged-access logs cannot produce a per-session command audit within hours of being asked, you cannot meet the Article 19 deadlines without guessing — and the regulator does not accept guesses. The forensic timeline must come from the PAM, not from a reconstructed syslog joining four sources.
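What a PAM-sourced forensic timeline looks like when it is asked to answer the Article 19 questions, as an added example that is not part of the original post or of DataDike's product: the script runs over a constructed privileged-session audit stream with an assumed record schema (session_id, user, target, criticality, grant_id, ts, command) and an assumed just-in-time grant table, renders the per-session command audit, checks each session against its authorization, and computes the two classification inputs named above (services affected, by criticality, and duration of impact). All names, hosts and timestamps are made up for the example.

```python
"""Per-session forensic timeline and Article 19 classification inputs from PAM audit records.

Added example, not DataDike code. Assumed record schema (not from any real PAM):
session_id, user, target, criticality, grant_id (JIT authorization, None if absent),
ts (ISO 8601, UTC), command.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample PAM audit events (fictitious users, hosts and times).
PAM_EVENTS = [
    {"session_id": "s-101", "user": "ops.alice", "target": "core-banking-db01",
     "criticality": "critical", "grant_id": "jit-7781",
     "ts": "2025-03-04T08:02:11Z", "command": "sudo -i"},
    {"session_id": "s-101", "user": "ops.alice", "target": "core-banking-db01",
     "criticality": "critical", "grant_id": "jit-7781",
     "ts": "2025-03-04T08:03:40Z", "command": "systemctl restart postgresql"},
    # Session with no JIT grant at all, at 02:14 local night: outside its normal pattern.
    {"session_id": "s-102", "user": "svc.backup", "target": "payments-gw02",
     "criticality": "critical", "grant_id": None,
     "ts": "2025-03-04T02:14:05Z", "command": "whoami"},
    {"session_id": "s-102", "user": "svc.backup", "target": "payments-gw02",
     "criticality": "critical", "grant_id": None,
     "ts": "2025-03-04T02:15:30Z", "command": "crontab -l"},
    # Session whose grant exists but was issued for a different target host.
    {"session_id": "s-103", "user": "ops.bob", "target": "reporting-web03",
     "criticality": "standard", "grant_id": "jit-7790",
     "ts": "2025-03-04T02:43:00Z", "command": "ls /srv/reports"},
    {"session_id": "s-103", "user": "ops.bob", "target": "reporting-web03",
     "criticality": "standard", "grant_id": "jit-7790",
     "ts": "2025-03-04T02:44:05Z", "command": "df -h"},
]

# Constructed JIT grant table: grant_id -> (user, target) the grant was issued for.
ACTIVE_GRANTS = {
    "jit-7781": ("ops.alice", "core-banking-db01"),
    "jit-7790": ("ops.bob", "reporting-web04"),
}


def parse_ts(value):
    """Parse the assumed 'YYYY-MM-DDTHH:MM:SSZ' timestamp into an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_session_timelines(events):
    """Group events by session, ordered by time, and record each session's start/end."""
    sessions = {}
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        s = sessions.setdefault(ev["session_id"], {
            "user": ev["user"], "target": ev["target"],
            "criticality": ev["criticality"], "grant_id": ev["grant_id"],
            "commands": [],
        })
        s["commands"].append((parse_ts(ev["ts"]), ev["command"]))
    for s in sessions.values():
        s["start"] = s["commands"][0][0]
        s["end"] = s["commands"][-1][0]
    return sessions


def authorization_gaps(sessions, grants):
    """Session ids whose (user, target) pair is not covered by the grant they cite."""
    gaps = [sid for sid, s in sessions.items()
            if grants.get(s["grant_id"]) != (s["user"], s["target"])]
    return sorted(gaps)


def classify_impact(sessions, session_ids):
    """Article 19 classification inputs for a set of in-scope sessions:
    affected services grouped by criticality, and overall impact duration."""
    affected = defaultdict(set)
    starts, ends = [], []
    for sid in session_ids:
        s = sessions[sid]
        affected[s["criticality"]].add(s["target"])
        starts.append(s["start"])
        ends.append(s["end"])
    duration = max(ends) - min(starts) if starts else timedelta(0)
    return {
        "affected": {k: sorted(v) for k, v in affected.items()},
        "critical_services": len(affected.get("critical", set())),
        "duration_minutes": round(duration.total_seconds() / 60, 1),
    }


def render_timeline(sessions, sid):
    """Per-session command audit lines: one line per command, in time order."""
    s = sessions[sid]
    return [f"{ts:%Y-%m-%d %H:%M:%S}Z {s['user']}@{s['target']}: {cmd}"
            for ts, cmd in s["commands"]]


if __name__ == "__main__":
    sessions = build_session_timelines(PAM_EVENTS)
    suspect = authorization_gaps(sessions, ACTIVE_GRANTS)
    for sid in suspect:
        print("\n".join(render_timeline(sessions, sid)))
    print(classify_impact(sessions, suspect))
```

The point of keeping this in the PAM's own event stream is that every field the classification needs (who, what, when, under which grant, which commands) is already in one record, so the timeline is a query rather than a reconstruction from several log sources.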
The TPRM (third-party risk) angle
DORA also regulates ICT third-party service providers (Chapter V), which means PAM vendors themselves fall under scope when serving financial entities. The contracts with critical third-party providers have specific clauses required by Article 30: access rights for the financial entity, audit cooperation, transitional support on contract termination, and security and operational requirements proportionate to the criticality of the service.
When evaluating PAM vendors for a DORA-relevant deployment, the financial entity should expect — and require — that the vendor can produce evidence of their own internal access controls, sub-processor list, incident-response cooperation procedures, and exit-transition plan. "Trust us" is not the answer the procurement team can accept.
The deadline is operational, not aspirational
DORA was binding from January 2025. The first wave of national-authority audits has already begun in 2026. The institutions that did not have PAM-driven evidence ready for the audit cycle are the ones now spending eight-figure remediation budgets to catch up.
How DataDike maps to DORA
DataDike's audit hub ships pre-mapped reports for DORA Articles 5, 8, 9, 10, 11, and 14 — each producing the artifact in the format competent authorities have requested in recent inspections. The forensic-timeline export meets the Article 19 windows. The third-party cooperation posture is documented and contractable.
For institutions operating across EU and LATAM, the same evidence stream feeds DORA, LGPD, BACEN, and EBA Guidelines simultaneously — because the underlying data model (who accessed what, when, with what authorization, performing what commands) is the same. Operators stop maintaining four parallel evidence chains and run one.