Author: Eirik Salmi, System Analyst at Passwork
When a threat actor walks into your network using a legitimate username and password, which control stops them?
For many financial institutions, the honest answer is: nothing catches it immediately. The attacker looks like an authorised user. They move laterally, escalate privileges, and map critical systems for an average of 186 days before the breach is even identified, plus a further 55 days to contain it, according to IBM's Cost of a Data Breach Report (2025).
By then, the operational damage is done, and the regulatory clock has already started.
On January 17, 2025, the Digital Operational Resilience Act (DORA) entered into application across the EU. Article 9 of the regulation makes credential security a binding financial risk control, with supervisory penalties for institutions that fall short.
The question is no longer whether your authentication posture meets best practice. It is whether it meets the law, and whether you can prove it.
This article traces the specific Article 9 requirements that govern credential management, explains why a compromised password is an operational resilience failure under DORA's framework, and outlines the practical controls that close the gap.
The threat that DORA was built to counter
Stolen credentials are the single largest initial access vector in 2025, accounting for 22% of all data breaches, per Verizon's Data Breach Investigations Report. For financial institutions, the sector-specific cost of that exposure averages $5.56 million per incident, according to IBM's Cost of a Data Breach Report, down from $6.08 million in 2024 but still the second-highest of any industry globally.
The supply side of credential theft has been fully industrialised. Initial Access Brokers sell verified corporate network access for an average of $2,700, with 71% of listings including privileged credentials: pre-packaged access that requires no technical skill to use, according to Rapid7 research.
Infostealers such as Lumma, RisePro, StealC, Vidar, and RedLine automate credential harvesting at scale. IBM X-Force data shows their delivery via phishing increased 84% year-on-year in 2024, with 2025 data pointing to an even steeper trajectory.
DORA's Article 9 exists precisely to break this chain. The regulation reflects a documented, ongoing threat to the operational continuity of European financial markets.
DORA Article 9 requires strong authentication, least-privilege access, and documented controls.
Passwork delivers all three: self-hosted, ISO 27001 certified, with full audit logs your compliance team can export on demand.
What DORA Article 9 actually requires
Article 9 of DORA, titled "Protection and Prevention", sits within the ICT risk management framework mandated by Article 6. It sets out specific technical and procedural obligations that financial entities must implement.
Two provisions are directly relevant to credential management.
- Article 9(4)(c) requires financial entities to "implement policies that limit the physical or logical access to information assets and ICT assets to what is required for legitimate and approved functions and activities only." That is the least-privilege principle, stated as a legal obligation.
- Article 9(4)(d) goes further, requiring entities to "implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and protection measures of cryptographic keys whereby data is encrypted based on results of approved data classification and ICT risk assessment processes."
Unpacking that language in operational terms: MFA is mandatory. The reference to "relevant standards" points directly to FIDO2/WebAuthn, the most widely deployed authentication standard currently resistant to Adversary-in-the-Middle (AiTM) phishing kits, which can bypass SMS and TOTP-based MFA in real time. Cryptographic key management is a regulatory requirement.
Privileged access management (PAM) tools are not named explicitly in the regulation, but the controls they deliver map directly onto Article 9's requirements. Session recording, just-in-time (JIT) access provisioning, and privileged credential vaulting are precisely the "dedicated control systems" the regulation describes.
Institutions that have not deployed these controls face a compliance gap that supervisors can act on.
The European Banking Authority (EBA) and ESMA's Regulatory Technical Standards under DORA provide additional specificity on ICT risk management requirements, reinforcing the Article 9 baseline with sector-specific implementation guidance.
Credential compromise as an operational resilience failure
DORA's stated purpose is to ensure financial entities can withstand, respond to, and recover from ICT disruptions. A credential compromise looks entirely different through that lens than it does through a security incident lens.
With an average dwell time of 186 days, a compromised credential does not produce a discrete security event. It produces a sustained, invisible threat to operational continuity: an attacker moving laterally, escalating privileges, and mapping critical systems while appearing to be a legitimate user. It is a direct threat to the operational continuity DORA is designed to protect.
The breach of France's national bank registry in January 2026 made the mechanics concrete. A threat actor obtained the credentials of a single civil servant with access to Ficoba, the interministerial database holding records on every bank account opened in France.
Using only that one account, the attacker accessed and extracted data on 1.2 million bank accounts, including IBANs, account holder names and addresses, and tax identification numbers.
The affected system was taken offline, operations on the registry were disrupted, and the incident was reported to France's data protection authority, CNIL. The attack required no technical sophistication.
Under DORA, an incident of that scale at a financial entity would trigger mandatory reporting obligations under Article 19: an initial notification within 4 hours of classification (and no later than 24 hours after detection), an intermediate report within 72 hours, and a final report within one month.
The third-party dimension: vendor credentials are your credentials
DORA's Chapter V places explicit obligations on financial entities regarding ICT third-party risk. The compliance perimeter does not stop at the institution's own systems.
The Santander breach in May 2024 is the European reference point. Attackers used credentials stolen from employees of Snowflake to access a database containing customer and employee data across Spain, Chile, and Uruguay.
The credentials had been harvested months earlier by infostealer malware infecting contractor workstations. None of the compromised Snowflake accounts had multi-factor authentication enabled.
The entry point was not inside Santander. It was a vendor's weak authentication posture, and it exposed data belonging to one of Europe's largest banks without a single exploit being written.
Under DORA, a financial institution whose critical ICT provider suffers a credential-based breach faces direct regulatory exposure. Institutions must contractually require equivalent authentication standards from their vendors and audit compliance against those requirements.
A vendor's password policy gap is not the vendor's problem alone; it is the financial entity's regulatory liability.
Building DORA-compliant credential management
Meeting Article 9's requirements demands a structured programme across four areas.
- Deploy phishing-resistant MFA first. FIDO2/WebAuthn-based authentication: hardware security keys, passkeys, platform authenticators. SMS and TOTP-based one-time passwords are not adequate against current attack methods. Enforce phishing-resistant MFA for all users, with particular rigour on privileged accounts and remote access paths.
- Enforce least-privilege access. JIT provisioning, granting elevated access only for the duration of a specific task, eliminates the standing privileges that make credential theft so damaging. Deactivate accounts immediately on offboarding. Dormant accounts are among the most common and most avoidable attack vectors.
- Vault all credentials. Service account passwords, API keys, and privileged credentials must be stored in an encrypted, access-controlled credential vault. Manual credential management at scale is operationally unworkable and produces no audit trail. An enterprise password manager such as Passwork, deployed on-premise within the institution's own infrastructure, provides the encrypted vaulting, granular access controls, and full activity history that Article 9 demands.
- Monitor continuously. Anomalous login behaviour (unusual geolocations, off-hours access, lateral movement patterns) must trigger automated alerts. Reducing that 186-day average dwell time is the single most effective lever for cutting both financial exposure and DORA incident reporting obligations.
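As an added example (not Passwork's code and not part of the original article), the monitoring control above applied to constructed authentication log lines: it flags off-hours logins, logins from a country outside the user's baseline, and impossible travel between consecutive logins. The log format, the business-hours window, the per-user baselines and the travel threshold are all assumptions.

```python
"""Anomalous-login triage over constructed authentication log lines.
Added example, not Passwork's code. The log format, business-hours window,
per-user country baselines and impossible-travel threshold are assumptions."""
from datetime import datetime, timezone

# Constructed sample log: "timestamp user country source_ip result"
SAMPLE_LOG = """\
2025-03-03T08:12:00Z alice FR 203.0.113.10 success
2025-03-03T09:40:00Z alice FR 203.0.113.10 success
2025-03-03T10:05:00Z alice BR 198.51.100.7 success
2025-03-04T02:30:00Z bob FR 203.0.113.22 success
2025-03-04T11:00:00Z bob FR 203.0.113.22 failure
"""

BUSINESS_HOURS = range(7, 20)                # assumed: 07:00-19:59 UTC is office time
BASELINE = {"alice": {"FR"}, "bob": {"FR"}}  # assumed known countries per user
TRAVEL_WINDOW_MIN = 120                      # assumed: country change within 2h is impossible


def parse(line):
    """Split one log line into a dict with an aware UTC timestamp."""
    ts, user, country, ip, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "user": user, "country": country, "ip": ip, "result": result}


def detect(log_text):
    """Return (user, rule, iso_timestamp) alerts for successful logins, in log order."""
    alerts, last_seen = [], {}  # last_seen: user -> previous successful login
    for line in log_text.splitlines():
        ev = parse(line)
        if ev["result"] != "success":
            continue  # failed attempts are a brute-force signal, not dwell time; skipped here
        user, ts = ev["user"], ev["ts"]
        if ts.hour not in BUSINESS_HOURS:
            alerts.append((user, "off_hours", ts.isoformat()))
        if ev["country"] not in BASELINE.get(user, set()):
            alerts.append((user, "new_geo", ts.isoformat()))
        prev = last_seen.get(user)
        if prev and prev["country"] != ev["country"] \
                and (ts - prev["ts"]).total_seconds() < TRAVEL_WINDOW_MIN * 60:
            alerts.append((user, "impossible_travel", ts.isoformat()))
        last_seen[user] = ev
    return alerts


if __name__ == "__main__":
    for user, rule, when in detect(SAMPLE_LOG):
        print(f"ALERT {rule:<17} user={user} at={when}")
```

Each alert tuple is ready to forward to a SIEM; the per-user baseline would normally be learned from historical successful logins rather than hard-coded.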
All four controls depend on the same foundation: how credentials are stored, shared, accessed, and monitored. Without structure at that layer, even well-designed policies fail at execution.
How Passwork supports DORA compliance in practice
Passwork is a corporate password manager certified to ISO/IEC 27001 and available as a self-hosted deployment, meaning your credential data never leaves your own infrastructure.
For financial entities navigating DORA's Chapter V supply chain obligations, that distinction matters: a third-party SaaS credential store introduces exactly the kind of ICT dependency the regulation requires you to govern.
For institutions working through the four controls above, Passwork addresses the credential management dimension of each.
- MFA enforcement within the credential layer. Passwork supports biometric, passkey, and security key MFA natively, with SAML SSO and LDAP integration for enterprise environments.
- Role-based access control and least privilege. Permissions are assigned at vault and folder level, inherited from AD or LDAP groups, and updated automatically on directory changes. Offboarding revokes access to shared credentials in a single operation, logged and timestamped, producing the evidence an investigator will request under Article 9(4)(c).
- Privileged account inventory and secure sharing. Passwork provides a structured, searchable repository of all organisational credentials, including shared administrative accounts. Encrypted vault sharing replaces informal channels that leave no audit trail and cannot be revoked.
- Audit logs for compliance documentation. Every credential access, permission change, password reset, and sharing event is recorded in a tamper-evident log, exportable for compliance reporting and integrable with SIEM systems. A structured activity history is a substantively stronger response to a regulator than a policy document alone.
DORA compliance is as much an evidence problem as a technical one. The institutions that navigate enforcement most successfully are those that can produce documentation on demand.
Act before the audit
DORA has converted credential management from a security best practice into a binding financial risk control. Articles 9(4)(c) and 9(4)(d) are explicit: least-privilege access, strong authentication, and cryptographic key protection are legal obligations for every financial entity operating in the EU.
Operational resilience begins with identity, and identity begins with controlling who holds the keys.
Audit your credential controls against Article 9, document the findings, and have the evidence ready before a regulator asks. Under DORA, the absence of documentation is itself a finding.
Passwork is designed for exactly this situation: a self-hosted password manager that keeps credential data inside your own infrastructure, enforces MFA across every access point, and generates the tamper-evident audit logs that turn a compliance conversation from a liability into a demonstration. ISO/IEC 27001 certified, with LDAP and SAML SSO integration for enterprise environments.
Start your free Passwork trial: full functionality, no limitations.
Sponsored and written by Passwork.