ComplianceFinancial Fraud

DORA Mandates Credential Security as Financial Risk Control

Analyst 207||Source: BleepingComputer
Secure server room with rows of computer servers and restricted access controls.

"When a threat actor walks into your network using a legitimate username and password, which control stops them?"

That question, posed by Eirik Salmi, System Analyst at Passwork, frames a regulatory and operational reckoning for financial institutions across the EU. Since the Digital Operational Resilience Act (DORA) entered into application on 17 January 2025, credential security has moved from best practice to binding financial risk control — and supervisors now have concrete rules to enforce.

DORA Article 9: explicit legal duties on access and authentication

Article 9 sits inside the ICT risk management framework mandated by Article 6 and sets specific obligations relevant to credential management. Two provisions matter most for identity controls.

  • Article 9(4)(c) requires financial entities to "implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only." That language codifies the least-privilege principle as a legal duty.
  • Article 9(4)(d) requires entities to "implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes." The provision names strong authentication, standards-based mechanisms, and cryptographic key protection.

The text points operations teams toward phishing-resistant standards such as FIDO2/WebAuthn and to "dedicated control systems" — controls that map onto tools commonly referred to as privileged access management, session recording, just-in-time provisioning, and credential vaulting. The European Banking Authority and ESMA's Regulatory Technical Standards under DORA add sector-level guidance that reinforces Article 9's baseline.

Credential compromise as an operational-resilience failure

Viewed through DORA’s operational-resilience lens, stolen credentials are not a single security event but a sustained threat to continuity. IBM's Cost of a Data Breach Report (2025) cited an average dwell time of 186 days between compromise and detection, followed by another 55 days on average to contain the breach. That prolonged, invisible presence is precisely the interruption to operational continuity DORA seeks to prevent.

The mechanics were made concrete in January 2026 when a threat actor used the credentials of one civil servant to access Ficoba, France’s interministerial bank-account registry. Using that single account, the attacker extracted data on 1.2 million bank accounts — including IBANs, account holder names and addresses, and tax identification numbers. The system was taken offline, operations were disrupted, and the incident was reported to CNIL. The published account emphasized that the attack required no technical sophistication.

Under DORA, a credential-driven incident of that scale would also trigger Article 19 mandatory reporting: an initial notification within four hours of classification (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within one month.

Third-party credentials and the Santander–Snowflake example

DORA’s compliance perimeter explicitly covers third-party ICT providers. The May 2024 incident referenced in public reporting shows why. Attackers used credentials stolen from employees of Snowflake to access a database containing customer and employee data for Santander across Spain, Chile, and Uruguay. Those credentials had been harvested months earlier by infostealer malware on contractor workstations, and none of the compromised Snowflake accounts had multi-factor authentication enabled.

Under DORA, a financial entity whose critical ICT provider suffers a credential-based breach faces regulatory exposure: institutions must contractually require equivalent authentication standards from providers and audit vendor compliance. A vendor’s password-policy gap is therefore a regulatory liability for the contracting financial entity.

Practical controls that close the Article 9 gap

The source lays out four structured control areas aligned to Article 9 and operational realities.

  • Phishing‑resistant MFA first: FIDO2/WebAuthn hardware keys, passkeys, and platform authenticators are recommended; SMS and TOTP one‑time codes are described as inadequate against current Adversary-in-the-Middle phishing techniques.
  • Enforce least privilege: Just‑in‑time access provisioning, immediate deactivation on offboarding, and removal of standing privileges reduce the blast radius when credentials are stolen.
  • Vault credentials: Service account passwords, API keys, and privileged credentials should live in an encrypted, access‑controlled vault rather than informal channels. Vaulting produces an auditable trail.
  • Continuous monitoring: Automated alerts for anomalous logins, unusual geolocations, off‑hours access, and lateral movement patterns are essential to shorten the 186‑day dwell time that drives operational risk.

The vendor that authored the source, Passwork, positions its self‑hosted password manager as a response to these needs: ISO/IEC 27001 certified, deployable on‑premises, supporting biometric and passkey MFA, SAML SSO and LDAP integration, role‑based permissions inherited from AD/LDAP groups, encrypted vault sharing, and tamper‑evident audit logs exportable for compliance reporting and SIEM integration. Those product claims align with the evidence-focused approach DORA requires.

How technologists, regulators, and procurement leaders are affected

  • Technologists and security teams: Expect operational priorities to shift toward deploying phishing‑resistant MFA (FIDO2/WebAuthn), JIT provisioning, credential vaulting, and continuous monitoring to shorten dwell times and produce demonstrable audit trails.
  • Policymakers and regulators: Supervisory consequences now attach to insufficient credential controls; Article 9(4)(c) and 9(4)(d) provide clear legal hooks, and Article 19 enforces rapid incident reporting timelines.
  • Procurement and third‑party risk officers: Contracts must require equivalent authentication standards from critical ICT providers and include rights to audit compliance; a vendor’s weak password posture converts into the financial entity’s regulatory liability.

DORA has reframed credential management from a technical hygiene problem into a verifiable financial‑risk control. The regulation’s text — particularly Articles 9(4)(c) and 9(4)(d) — is explicit about least privilege, strong authentication, and cryptographic key protection. For institutions operating in the EU, the immediate task is procedural and evidentiary as much as technical: audit credential controls against Article 9, document the findings, and have the evidence ready before a regulator asks.

Source: DORA and operational resilience: Credential management as a financial risk control

ComplianceEmerging ThreatsFinancial InstitutionsIdentity ControlsCredential SecurityDigital Operational Resilience ActEU RegulationsFinancial Risk ControlICT Risk ManagementAccess And Authentication
Related Intelligence

Continue Reading

Cluttered workshop with scattered electronics and concerned people.

Open Source Community Unprepared for EU's Cyber Resilience Act

The open source community is lagging behind on cybersecurity readiness, with stagnating awareness and a lack of preparedness for the EU's Cyber Resilience Act, which requires minimum security standards for hardware and software products by December 2027. It's time for urgent action to avoid falling short of compliance.

Analyst 207
Government office lobby with people interacting, natural light, and subtle technology integration.

States Adopt Effective Paid Family Leave Programs

When state governments combine paid family and medical leave programs with the right technology, everyone benefits - workers, employers, and state budgets alike. By leveraging purpose-built tech, states can deliver measurable results and make these programs affordable and sustainable.

Analyst 207
Google software engineer sits in a formal courtroom or government briefing room, surrounded by daylight from tall windows,…

Google Engineer Charged with Insider Trading Using Company Data

A Google engineer, Michele Spagnuolo, has been charged with insider trading in the Southern District of New York for allegedly using company data to make lucrative bets on a cryptocurrency-based prediction market. He faces serious penalties, including up to 10 years in prison for commodities fraud and 20 years for wire fraud and money laundering.

Analyst 207
Government officials gather in a well-lit conference room with a laptop and notes on the table, surrounded by modern and…

White House Overhauls Federal Cybersecurity Logging Rules

The White House is shaking up federal cybersecurity logging rules with a new set of guidelines aimed at cutting red tape and boosting efficiency. The updated rules, outlined in OMB memo M-26-14, replace previous requirements with a more streamlined approach to managing cybersecurity risks.

Analyst 207