DORA - The Regulatory Awakening

In today’s digital age, AI-enabled attacks have never been more prevalent. From deepfake attacks to the rapid dissemination of malware techniques, AI tools are falling into malicious hands, and cyber criminals are increasingly leveraging them to compromise user credentials and access confidential data.

Amid this sophisticated threat landscape, organisations of all shapes and sizes are at risk of attack. However, sitting on vast amounts of lucrative data and confidential assets, the financial services industry is at the top of cyber criminals’ hit lists.
 
As the scale and severity of attacks grow, the EU’s new Digital Operational Resilience Act (DORA) comes at a crucial time. With nearly 50% of financial organisations surveyed experiencing a security breach in the past two years, DORA is a vital step towards strengthening the sector’s cyber resilience. 

Under DORA, financial institutions operating in the EU, and their third-party information and communication technology (ICT) providers, must adhere to new technical requirements aimed at helping organisations recover from cyber incidents.

Enforcement of DORA compliance is now in full force, and organisational resilience must remain front of mind. Organisations need to establish clear policies for managing ICT risk, particularly those related to outdated systems and unauthorised access. 

Navigating Supply Chain Complexities  

Cyber risks in financial services have been heightened by the growth of large and often complex supply chains. Whether through acquisitions or onboarding new partners, larger supply chains allow for more identities to operate freely within the chain – often unchecked.   
  
This rise of temporary employees, partners, and contractors entering systems means identities can easily fly under the radar, leading to security risks like ‘overprovisioned’ access. In fact, nearly 80% of financial organisations surveyed are concerned about vulnerabilities resulting from the overprovisioning of non-employees, according to our research.  
 
This lack of visibility is a cause for concern. Not only is there a risk of identities being compromised by bad actors, who can then gain access to confidential systems, but users with too much access can cause unintentional mishaps, like deleting important files. 
  
The proliferation of third-party identities is a growing problem, but the challenge is heightened by the increasing number of applications those users need access to and the range of entitlements that must be managed.   
  
For stretched IT teams - many still reliant on legacy tools and manual processes - this creates an overwhelming burden. Managing hundreds of users manually is an almost impossible task, often resulting in loosely controlled access, poor oversight, and increased cyber risk.  

The Burden Of Legacy Technology   

Managing ICT risks associated with overprovisioned identities must be a top priority for organisations. However, 53% of surveyed financial organisations manage this data manually, making compliance a daunting task. Any lack of visibility can create significant security gaps, leaving businesses open to attack.   
 
ICT teams must carefully control which identities in their supply chain have access - to what, when, and for how long. Access should be granted strictly on a need-to-know basis, with rigorous management of onboarding, offboarding, and the entire identity lifecycle in between.

Enhancing visibility into these identities is crucial for mitigating risk.  
  
To reduce the manual pressures of this task, AI serves as a silent but effective partner. Technology such as AI-enabled identity security can automate these tasks and seamlessly manage access requirements in real time. This real-time oversight enables IT teams to keep on top of the surge in identities needing access to different applications, ensuring that each identity has only as much access as is required to perform its role.
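As an added illustration, not code from the article or from SailPoint, the following Python script applies the need-to-know and offboarding checks described above to a constructed set of identities: each identity's entitlements are compared against a per-role baseline, and non-employee access is checked against its contract end date. The role names, entitlements, user IDs and dates are assumed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Constructed baseline (not from the article): the entitlements each role is
# expected to hold. Anything beyond this set counts as "overprovisioned".
ROLE_BASELINE: Dict[str, Set[str]] = {
    "payments-analyst": {"payments-read", "ledger-read"},
    "contractor-dev": {"repo-read", "ci-run"},
}

@dataclass
class Identity:
    user_id: str
    role: str
    employment_type: str                 # "employee" or "non-employee"
    entitlements: Set[str]
    contract_end: Optional[date] = None  # offboarding trigger for non-employees

def review_identity(ident: Identity, today: date) -> List[str]:
    """Return the access-hygiene findings for one identity (empty list = clean)."""
    findings: List[str] = []
    baseline = ROLE_BASELINE.get(ident.role)
    if baseline is None:
        return [f"unknown role '{ident.role}': no baseline to compare against"]
    excess = ident.entitlements - baseline
    if excess:
        findings.append(f"overprovisioned: {sorted(excess)} beyond role baseline")
    if ident.employment_type == "non-employee":
        if ident.contract_end is None:
            findings.append("non-employee with no contract end date: nothing triggers offboarding")
        elif ident.contract_end < today:
            findings.append(f"orphaned: contract ended {ident.contract_end.isoformat()} but access remains")
    return findings

def review_all(identities: List[Identity], today: date) -> Dict[str, List[str]]:
    return {i.user_id: review_identity(i, today) for i in identities}

# Constructed sample identities and review date, not real data.
TODAY = date(2025, 3, 1)
SAMPLE_IDENTITIES = [
    Identity("alice", "payments-analyst", "employee", {"payments-read", "ledger-read", "ledger-write"}),
    Identity("bob", "contractor-dev", "non-employee", {"repo-read", "ci-run"}, date(2024, 12, 31)),
    Identity("carol", "contractor-dev", "non-employee", {"repo-read"}),
    Identity("dave", "contractor-dev", "non-employee", {"repo-read", "ci-run"}, date(2025, 12, 31)),
]

if __name__ == "__main__":
    for user, findings in review_all(SAMPLE_IDENTITIES, TODAY).items():
        print(user, "->", findings or ["clean"])
```

In practice the baseline would come from the role model in the identity governance system and the identities from its connectors; the same checks then run on every provisioning change rather than as a periodic script.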
  
Today, sophisticated AI-enabled identity security solutions are already impacting how organisations see, manage, control, and secure all variations of identity. This technology also helps to reduce the attack surface, enabling easy detection of suspicious and unusual behaviour well ahead of a breach, easing the burden on IT teams and supporting compliance efforts.  

A Comprehensive Picture   

Despite robust preventative measures, security breaches are inevitable. To comply with DORA, financial firms should standardise ICT-related incident management and reporting processes to understand how incidents happened and what role users played. In the event of a breach, detailed information must be collected and shared to identify attack patterns and enhance cyber resilience.
  
To support incident reporting, modern identity security systems can help provide a comprehensive picture of events. In recent years, there has been a rapid growth of identity threat detection and response (ITDR) solutions, which enrich the context of security incident analyses so organisations can better identify unusual patterns of behaviour, enabling more proactive and predictive capabilities.   
  
ITDR solutions, combined with identity security solutions, provide an incredible amount of context in real time, helping organisations to identify threatening activity and what remediation is needed - all in a single source of truth. AI, combined with the power of unified identity data, is a clear path forward to help stay ahead of threats today.  

Making Regulation A Reality   

Amid the pervasiveness of sophisticated threats, DORA compliance is non-negotiable - but it also shouldn’t be seen as a mere box to tick. To simplify compliance complexities, adopting a proactive, AI-driven identity security strategy will be crucial in enhancing visibility and governance over ICT risks.

Improving oversight of users and access requirements within intricate financial supply chains will be vital for closing security gaps and ensuring a resilient future. 

Mo Joueid is Identity Security Consultant at SailPoint 
