ZCyberNews

DORA Mandates Credential Management as Financial Risk Control

EU's DORA Article 9 legally requires financial firms to enforce authentication and access controls. A breach at a UK bank shows the cost of non-compliance.

Executive Summary

The European Union's Digital Operational Resilience Act (DORA), which came into full effect in January 2025, makes credential management and access control a legal obligation for financial entities under Article 9. The regulation requires firms to implement robust authentication mechanisms, enforce least-privilege access, and report breaches within strict timelines. A recent breach at a UK bank, where attackers exploited weak credential management to exfiltrate customer data, illustrates the operational and regulatory risks of non-compliance, according to a BleepingComputer analysis.

Technical Analysis

Article 9 of DORA specifically mandates that financial entities "ensure the security of authentication and access control systems" as part of their operational resilience framework. This includes requirements for multi-factor authentication (MFA) for privileged access, automated session termination after inactivity, and logging of all access attempts. The regulation also requires entities to have procedures for revoking access promptly when employment ends or roles change.

The UK bank breach referenced in the analysis involved attackers gaining access through compromised credentials that lacked MFA enforcement. Once inside, the attackers moved laterally using default service accounts, exfiltrating data over several weeks before detection. The breach triggered reporting obligations under both DORA and the UK's equivalent framework, with the bank facing potential fines of up to 2% of annual global turnover.

DORA's reporting requirements are particularly stringent: material cyber incidents must be reported to the relevant competent authority within four hours of classification as major. This creates a tight window for forensic analysis and notification, placing additional pressure on incident response teams to have credential-related detection and response capabilities in place.

Mitigations & Recommendations

Financial entities subject to DORA should prioritize credential management as a regulatory compliance issue, not just a security best practice. Specific actions include: enforcing MFA for all administrative and remote access, implementing privileged access management (PAM) solutions, conducting regular access reviews, and ensuring automated revocation processes are tested. Incident response plans should incorporate DORA's four-hour reporting timeline, with credential compromise scenarios specifically rehearsed.
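As an added illustration, not code from the article or from any bank or regulator, the following Python sketch evaluates a constructed access log and account roster against three of the controls above: MFA on privileged and remote logons, no interactive use of service accounts, and timely revocation of leavers. The event tuple layout, roster fields and one-day revocation window are assumptions.

```python
from datetime import date, timedelta

# Constructed sample data, not from the article: an access-event log and an
# HR/IAM roster in the shape an Article 9-style control check might consume.
EVENTS = [
    # (timestamp, user, privileged, remote, mfa_used, logon_type)
    ("2025-03-01T08:00:00", "alice", True, False, True, "interactive"),
    ("2025-03-01T08:05:00", "bob", True, True, False, "interactive"),
    ("2025-03-01T09:00:00", "svc_backup", False, False, False, "interactive"),
    ("2025-03-01T09:30:00", "svc_backup", False, False, False, "service"),
    ("2025-03-02T10:00:00", "carol", False, True, True, "interactive"),
]
ROSTER = {
    # user: (account type, still enabled, leaving date or None)
    "alice": ("user", True, None),
    "bob": ("user", True, None),
    "carol": ("user", True, date(2025, 2, 1)),  # left a month ago, never disabled
    "svc_backup": ("service", True, None),
}
MAX_REVOCATION_LAG = timedelta(days=1)  # assumed policy window
DEFAULT_AS_OF = date(2025, 3, 3)        # review date for the sample run


def missing_mfa(events):
    """Privileged or remote logons that were not protected by MFA."""
    return [(ts, u) for ts, u, priv, remote, mfa, _ in events
            if (priv or remote) and not mfa]


def interactive_service_logons(events, roster):
    """Service accounts used for interactive sessions, the lateral-movement pattern."""
    return [(ts, u) for ts, u, *_rest, kind in events
            if roster.get(u, ("user",))[0] == "service" and kind == "interactive"]


def stale_accounts(roster, as_of):
    """Leavers whose accounts are still enabled past the revocation window."""
    return [u for u, (_, enabled, left) in roster.items()
            if enabled and left is not None and as_of - left > MAX_REVOCATION_LAG]


def run_controls(events, roster, as_of):
    """Run all three checks and return the findings per control."""
    return {
        "no_mfa": missing_mfa(events),
        "svc_interactive": interactive_service_logons(events, roster),
        "stale": stale_accounts(roster, as_of),
    }


if __name__ == "__main__":
    for control, hits in run_controls(EVENTS, ROSTER, DEFAULT_AS_OF).items():
        print(control, hits)
```

Each non-empty list is a finding that an access review or PAM onboarding should clear before the control can be evidenced to an auditor.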
