DORA and the metamorphosis of credentials: from attack vector to regulatory control and operational resilience


When an attacker enters a network using a legitimate username and password, it seems at first sight that nothing can stop them: their traffic and actions blend in with those of an authorized user. This reality turns credential management into a matter of operational resilience, not just of IT security; and in the European Union, since DORA entered into force, it is also a binding regulatory issue. Credentials are no longer just a technical risk vector: they are a financial risk control subject to audit.

The sector's data show why: credential theft remains one of the main routes of initial access to corporate environments, with consequences measured in months of undetected activity and millions in costs per incident. Public reports such as IBM's study on the cost of data breaches and Verizon's breach investigations report document both the frequency and the economic impact of these attacks (IBM Cost of a Data Breach Report, Verizon DBIR). That combination of probability and damage is precisely what DORA aims to mitigate.


In operational terms, DORA requires financial institutions to implement controls that reduce the likelihood of unauthorized access and, crucially, to demonstrate that implementation. Article 9 establishes the principle of least privilege and the obligation to use robust, standards-based authentication mechanisms. In practice this means migrating from vulnerable factors such as SMS or TOTP codes, which are susceptible to AiTM (adversary-in-the-middle) attacks, to phishing-resistant solutions such as FIDO2/WebAuthn and passkeys.
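Why the migration matters can be shown in a few lines. The following is an added example (not code from the article or from any DORA guidance) that simulates an AiTM proxy relaying both factors: a relayed TOTP code verifies because the server only checks the code value, while a WebAuthn assertion produced on the proxy's origin is rejected because the browser binds the page origin into clientDataJSON and the relying party compares it with the expected one. The secret, the origins and the simplified assertion format (no signature or rpIdHash check) are constructed for the demonstration.

```python
import base64, hashlib, hmac, json, secrets, struct

# Constructed values for the simulation (not real credentials or domains).
TOTP_SECRET = b"constructed-shared-totp-secret"
LEGIT_ORIGIN = "https://bank.example"        # the relying party the server expects
PROXY_ORIGIN = "https://bank-example.test"   # placeholder for a lookalike AiTM proxy origin

def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t // step), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"

def server_accepts_totp(code: str, t: int) -> bool:
    """The server only checks the code value within a time window; nothing in a TOTP
    code says where the user typed it, so a code relayed through a proxy verifies."""
    return any(hmac.compare_digest(code, totp(TOTP_SECRET, t + d)) for d in (-30, 0, 30))

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")

def browser_assertion(challenge: bytes, page_origin: str) -> dict:
    """Simplified WebAuthn assertion: the browser, not the user, writes the origin of
    the page it is on into clientDataJSON and the authenticator signs over its hash
    (signature and rpIdHash verification are omitted to keep the example short)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                              "origin": page_origin}).encode()
    return {"clientDataJSON": client_data, "signedHash": hashlib.sha256(client_data).digest()}

def server_accepts_webauthn(assertion: dict, challenge: bytes, expected_origin: str) -> bool:
    """Relying-party checks: type, challenge and origin in clientDataJSON must all match."""
    cd = json.loads(assertion["clientDataJSON"])
    return (cd.get("type") == "webauthn.get"
            and hmac.compare_digest(cd.get("challenge", ""), b64url(challenge))
            and cd.get("origin") == expected_origin)

def simulate_aitm_relay(t: int = 1_700_000_000) -> dict:
    """Model a proxy that forwards the real server's prompts to a victim browsing the
    proxy's origin and relays the victim's responses back to the real server."""
    relayed_code = totp(TOTP_SECRET, t)                   # victim types the code into the proxy page
    challenge = secrets.token_bytes(32)                   # the real server's WebAuthn challenge
    relayed = browser_assertion(challenge, PROXY_ORIGIN)  # victim's browser is on the proxy origin
    direct = browser_assertion(challenge, LEGIT_ORIGIN)   # normal login on the real site
    return {"totp_relay_accepted": server_accepts_totp(relayed_code, t),
            "webauthn_relay_accepted": server_accepts_webauthn(relayed, challenge, LEGIT_ORIGIN),
            "webauthn_direct_accepted": server_accepts_webauthn(direct, challenge, LEGIT_ORIGIN)}
```

The origin check is the property regulators mean by "phishing-resistant": it is enforced by the browser and the relying party, not by the user's ability to spot a lookalike domain.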

It is not enough to say that a policy exists: regulators expect operational evidence. A technical control without logging proves nothing to a supervisor. This is why the combination of technologies (phishing-resistant physical authenticators, a corporate credential manager that generates immutable records, and a privileged access management (PAM) solution with just-in-time provisioning and session auditing) is what closes the circle between practice and compliance.

The risk does not end at the organization's own perimeter: DORA extends its obligations to the supply chain. Breaches at suppliers show that, in practice, third parties' credentials are your credentials. This requires contracts that demand equivalent levels of MFA, scheduled audits, and contractual mechanisms to verify and remedy supplier non-compliance.

From a technical and detection perspective, reducing the average time an intruder remains on the network is the most effective measure to limit damage and regulatory exposure. This is where tools and practices such as identity anomaly detection (ITDR/UEBA), integration of authentication logs into a central SIEM, network segmentation to contain lateral movement, and automated response to abnormal access patterns come into play. The combination of phishing-resistant prevention and early detection shortens the attacker's operating window.

As for concrete, prioritized actions, organizations should start by auditing their identity posture: a full inventory of privileged and service accounts, verification of strong MFA on all access routes, elimination of standing privileges through JIT, and automated offboarding review. At the same time, establishing an encrypted credential repository with role-based access control and immutable records facilitates both secure operation and the response to regulatory requests.


Evidence matters as much as technology. Having exportable, sealed records correlated with other systems (corporate directories, PAM, endpoint and network solutions) turns a regulatory inspection into a demonstration of control rather than a list of shortcomings. Rehearsing reporting exercises and incident responses that include producing such evidence helps meet the deadlines DORA requires and contain sanctions and reputational costs.
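To make concrete what "immutable records" from a credential manager with just-in-time access (the combination described earlier) and "sealed records" for an inspection look like, here is an added example that is not code from the article or from any product: a minimal vault whose JIT grants expire, and whose every grant and retrieval (allowed or denied) goes into a hash-chained log that detects later alteration. User names, the secret and timestamps are constructed sample values.

```python
import hashlib, json

GENESIS = "0" * 64  # previous-hash value for the first record
def _digest(record: dict) -> str:
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

class AuditLog:
    """Append-only, hash-chained log: each record commits to the previous record's
    hash, so altering or deleting any record invalidates every later hash."""
    def __init__(self):
        self.entries = []
    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        record = {"seq": len(self.entries), "prev": prev, **event}
        record["hash"] = _digest(record)
        self.entries.append(record)
        return record
    def verify(self) -> tuple:
        """Recompute the chain; return (True, None) or (False, seq of first bad record)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _digest(body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

class Vault:
    """Minimal credential store with JIT grants: retrieval needs an unexpired grant,
    and every grant and retrieval, allowed or denied, is written to the log."""
    def __init__(self, log: AuditLog):
        self.log, self.secrets, self.grants = log, {}, {}
    def grant_jit(self, user: str, secret_id: str, ttl_s: int, now: int) -> None:
        self.grants[(user, secret_id)] = now + ttl_s
        self.log.append({"ts": now, "event": "grant", "user": user,
                         "secret": secret_id, "expires": now + ttl_s})
    def get(self, user: str, secret_id: str, now: int):
        allowed = self.grants.get((user, secret_id), 0) > now
        self.log.append({"ts": now, "event": "retrieve", "user": user,
                         "secret": secret_id, "allowed": allowed})
        return self.secrets.get(secret_id) if allowed else None

def run_demo() -> dict:
    log, t0 = AuditLog(), 1_700_000_000
    vault = Vault(log)
    vault.secrets["db-admin"] = "s3cr3t-constructed"         # constructed sample secret
    vault.grant_jit("alice", "db-admin", ttl_s=600, now=t0)  # 10-minute JIT grant
    within = vault.get("alice", "db-admin", now=t0 + 10)     # inside the window: allowed
    expired = vault.get("alice", "db-admin", now=t0 + 700)   # after expiry: denied, still logged
    before = log.verify()
    log.entries[2]["allowed"] = True  # simulate someone rewriting the denied record afterwards
    return {"within_ttl": within, "after_expiry": expired,
            "chain_before": before, "chain_after_tamper": log.verify()}
```

In a real deployment the head hash would be signed or anchored outside the system that writes the log, so that an inspector can verify the export without trusting the exporting host.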

For those responsible for prioritizing investments, the message is clear: operational resilience begins with controlling identity. Adopting phishing-resistant physical authentication, applying least privilege with just-in-time access provisioning, vaulting credentials in encrypted storage, and monitoring continuously are not only good practices: they are central elements of compliance under DORA. Those who wait for the audit to act assume an unnecessary regulatory and operational risk.

If you are looking for additional resources to explore specific regulatory and technical requirements in depth, the official DORA documentation is an essential starting point (Digital Operational Resilience Act (DORA) - EIOPA), and sector reports help prioritize threats and controls with up-to-date data (IBM Cost of a Data Breach Report, Verizon DBIR). Acting now, documenting rigorously and closing the gaps in credential management is the strategy that reduces exposure, costs and sanctions in a regulatory environment that no longer forgives the lack of evidence.
