# DORA Article 9: Why Credential Management Is Now a Financial Regulation Requirement


The European Union's Digital Operational Resilience Act (DORA) fundamentally shifts how financial institutions approach cybersecurity. Unlike previous regulations that treated security as a best practice, DORA codifies operational resilience as a legal obligation—and Article 9 makes authentication and access control the foundation of that requirement.


For financial entities operating across the EU, this isn't optional. Non-compliance carries significant penalties, and security failures in credential management can trigger regulatory investigations, substantial fines, and reputational damage. Yet many organizations still treat password policies and access controls as IT hygiene rather than risk governance.


## What Is DORA and Why It Matters


The Digital Operational Resilience Act, which entered into force on December 16, 2022, and applies across all EU27 member states plus EEA countries, represents the most comprehensive operational resilience mandate in financial regulation to date. It applies to all financial entities—banks, investment firms, insurance companies, credit unions, and even fintech platforms—with assets above certain thresholds.


DORA's core philosophy is straightforward: operational resilience failures cascade into systemic financial risk. When a bank's authentication system fails, customer accounts are compromised. When access controls are weak, insider threats materialize. When credential compromise goes undetected, entire enterprise networks become vulnerable.


The regulation sets three foundational pillars:

  • ICT risk management (Articles 6-10)
  • Incident reporting and transparency (Articles 18-20)
  • Operational resilience testing (Articles 21-24)

Article 9 sits squarely in the first pillar, establishing that authentication and access control are not discretionary security features—they are mandatory risk controls.


## Article 9: The Regulatory Requirements

Article 9 mandates that financial entities implement and maintain comprehensive policies and procedures for:

| Requirement | Scope | Key Obligation |
|-------------|-------|----------------|
| Multi-factor authentication (MFA) | All privileged access, remote access, critical operations | No single-factor authentication for sensitive functions |
| Encryption of credentials | At rest and in transit | No plaintext storage or transmission |
| Access control frameworks | Role-based, segregation of duties | Principle of least privilege mandatory |
| Credential lifecycle management | Creation, rotation, revocation, audit | Documented procedures for all phases |
| Password policies | Minimum standards for complexity and rotation | Compliance with NIST or equivalent frameworks |
| Monitoring and logging | All authentication events, unauthorized access attempts | Real-time alerting for anomalies |

The regulation applies regardless of organization size. A regional credit union faces the same Article 9 requirements as a major bank—though the implementation may scale differently.

Critically, DORA doesn't specify *how* organizations must implement these controls. Instead, it sets outcomes: financial entities must demonstrate that authentication and access control are effective, monitored, and subject to continuous improvement.
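
The "no plaintext storage" obligation in the table above is easy to state and easy to get wrong in practice. The following Python example is added here to make the outcome concrete; it is not code from the article, and DORA itself prescribes no particular algorithm. It assumes PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte random salt per credential (both assumed parameters), stores only a self-describing record, verifies in constant time, and can tell when an old record needs upgrading to the current policy.

```python
import hashlib
import hmac
import os

# Parameters assumed for this example: PBKDF2-HMAC-SHA256, 600,000 iterations,
# 16 random salt bytes per credential. Raise ITERATIONS over time; old records
# are detected by needs_rehash() and can be upgraded at the next successful login.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Return a storage record "alg$iterations$salt_hex$digest_hex".

    The password itself is never written anywhere; only the salted, stretched
    digest is stored, so a copy of the credential store does not yield passwords.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and iteration count and compare
    in constant time, so timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
        if algorithm != ALGORITHM:
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:  # malformed record: wrong field count, bad hex or iteration count
        return False


def needs_rehash(record: str) -> bool:
    """True when a stored record predates the current parameters, so the
    lifecycle process can schedule an upgrade instead of leaving weak records behind."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < ITERATIONS


if __name__ == "__main__":
    stored = hash_password("Tr0ub4dor&3-extra")   # constructed sample password
    print(stored)
    print("correct password verifies:", verify_password("Tr0ub4dor&3-extra", stored))
    print("wrong password verifies:  ", verify_password("Tr0ub4dor&3-wrong", stored))
    print("legacy record needs rehash:", needs_rehash("pbkdf2_sha256$1000$00$00"))
```

Two properties are worth checking in any implementation an auditor would look at: hashing the same password twice yields different records (per-credential salt), and the record contains nothing from which the password can be read back.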


## Technical Realities of Credential Management Failures

When credential management breaks down—and DORA investigations have documented numerous failures—the consequences are measurable and severe.

### Common Failure Patterns

Weak authentication defaults: Many organizations deploy systems with default or easily guessable administrative credentials, then fail to change them during deployment. Attackers routinely scan financial sector networks for open management interfaces running default credentials. Once inside, they pivot laterally using harvested credentials from compromised workstations.

Credential reuse across systems: A single compromised employee password becomes a skeleton key to multiple systems. Without segregated credentials for different systems, a breach of one resource cascades into full infrastructure compromise.

Missing MFA on critical functions: Even with strong passwords, accounts without MFA remain vulnerable to phishing and credential stuffing attacks. Financial regulations increasingly recognize this—DORA Article 9 effectively mandates MFA for any access that could facilitate unauthorized transactions or data exfiltration.

Insufficient credential rotation: Credentials that persist for months or years represent extended exposure windows. If a password is compromised and never rotated, attackers maintain persistent access across multiple quarters.

Inadequate logging and alerting: Many organizations log authentication events but never analyze them. Hundreds of failed login attempts might be recorded but never reviewed. An attacker conducting reconnaissance generates observable patterns—if anyone is looking.


### A Real-World Scenario

Consider a European investment firm that suffered a credential-based breach in 2024:

  • An administrative account password was exposed in an unrelated third-party data breach
  • That credential was never rotated
  • The account held elevated permissions across multiple trading platforms
  • Attackers used the account to access transaction logs and client portfolios
  • No MFA was enforced, so possession of the password was sufficient
  • The firm's logging captured 47 suspicious login attempts over two weeks—but no alert was configured
  • By the time humans reviewed logs manually, the attacker had accessed client data, including investment strategies and account details

Regulatory outcome: The firm faced a €2.8 million administrative fine, mandatory security remediation, and a six-month period of enhanced supervision. Under DORA, a similar incident today could result in substantially higher penalties and mandatory disclosure to customers.
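
The scenario above and the "inadequate logging and alerting" pattern describe the same gap: events were recorded but nothing turned them into an alert. The Python example below is added to show the minimum detection logic that would have fired in that situation; it is not code from the article or from any product. The log format, the thresholds, the privileged-account list and the sample lines are all constructed (addresses are from the RFC 5737 documentation ranges). It flags four things: a burst of failed logins from one source against one account, a success that follows such failures, a privileged login outside business hours, and a privileged login that did not use MFA.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical log format (constructed for this example, not from any product):
# <ISO-8601 UTC timestamp> auth result=<OK|FAIL> user=<name> src=<ip> method=<password|mfa>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>OK|FAIL) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) method=(?P<method>\S+)$"
)

# Detection thresholds: assumed values, to be tuned per environment.
FAIL_THRESHOLD = 5                     # failures per (account, source) inside the window
FAIL_WINDOW = timedelta(minutes=10)
PRIVILEGED = {"admin", "svc_trading"}  # constructed list of privileged accounts
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 UTC counts as in-hours

# Constructed sample log. Lines are deliberately out of order and one is
# malformed, to exercise sorting and parsing. 203.0.113.0/24 and
# 198.51.100.0/24 are RFC 5737 documentation address ranges.
SAMPLE_LOG = """\
2024-03-04T08:55:10Z auth result=OK user=jdoe src=198.51.100.20 method=mfa
2024-03-04T22:02:00Z auth result=FAIL user=admin src=203.0.113.7 method=password
2024-03-04T12:00:00Z auth result=FAIL user=admin src=203.0.113.7 method=password
2024-03-04T22:01:00Z auth result=FAIL user=admin src=203.0.113.7 method=password
2024-03-04T22:01:30Z auth result=FAIL user=admin src=203.0.113.7 method=password
this line is not an auth event
2024-03-04T22:02:30Z auth result=FAIL user=admin src=203.0.113.7 method=password
2024-03-04T22:03:00Z auth result=FAIL user=admin src=203.0.113.7 method=password
2024-03-04T22:03:40Z auth result=OK user=admin src=203.0.113.7 method=password
2024-03-04T10:00:00Z auth result=FAIL user=jdoe src=198.51.100.20 method=password
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines):
    """Run the four detections and return (alert_type, user, src, timestamp)
    tuples in the order they were raised."""
    events = [ev for ev in map(parse_line, lines) if ev is not None]
    events.sort(key=lambda ev: ev["ts"])  # logs from several systems rarely arrive in order

    alerts = []
    recent_failures = defaultdict(deque)  # (user, src) -> failure timestamps inside the window
    burst_reported = set()                # one burst alert per (user, src) until a success resets it

    for ev in events:
        key = (ev["user"], ev["src"])
        window = recent_failures[key]
        while window and ev["ts"] - window[0] > FAIL_WINDOW:
            window.popleft()              # expire failures older than the window

        if ev["result"] == "FAIL":
            window.append(ev["ts"])
            if len(window) >= FAIL_THRESHOLD and key not in burst_reported:
                alerts.append(("failed_login_burst", ev["user"], ev["src"], ev["ts"]))
                burst_reported.add(key)
            continue

        # A success deserves more scrutiny than a failure: look at its context.
        if window:
            # Guessing or stuffing that finally worked: the case in the scenario,
            # where possession of the password alone was sufficient.
            alerts.append(("success_after_failures", ev["user"], ev["src"], ev["ts"]))
        if ev["user"] in PRIVILEGED:
            if ev["ts"].hour not in BUSINESS_HOURS:
                alerts.append(("out_of_hours_privileged", ev["user"], ev["src"], ev["ts"]))
            if ev["method"] != "mfa":
                alerts.append(("privileged_login_without_mfa", ev["user"], ev["src"], ev["ts"]))
        window.clear()
        burst_reported.discard(key)

    return alerts


if __name__ == "__main__":
    for kind, user, src, ts in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts.isoformat()} {kind:30} user={user} src={src}")
```

On the constructed log the single failure against jdoe and the admin failure at noon (outside the 10-minute window) produce nothing, while the evening sequence against admin raises all four alert types. In a real deployment the same logic runs inside the SIEM over every authentication source, and the thresholds are tuned so that the lone failure of a distracted user does not page anyone.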


## DORA Enforcement and Compliance Verification

The European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA) oversee DORA compliance. These regulators increasingly conduct on-site examinations that specifically audit credential management practices:

  • Sample credential strength testing across production systems
  • Access control audits verifying segregation of duties
  • Incident logs and alert reviews to assess monitoring effectiveness
  • Third-party assessments of authentication systems
  • Tabletop exercises simulating credential compromise scenarios

Non-compliance findings result in corrective action orders with specific timelines. Violations can lead to:

  • Fines up to 2% of annual revenue (or €5 million for firms under that threshold)
  • Forced remediation with ongoing supervisory scrutiny
  • Restrictions on business operations until compliance is demonstrated

## Implications for Financial Organizations


DORA Article 9 has three immediate implications:

1. Credential management is now a governance issue, not just a technical issue. Financial institutions must document their authentication and access control policies at the board level. This elevates credential management from IT operations into risk governance conversations where compliance, audit, and business leadership have visibility.

2. Legacy systems require urgent modernization. Many financial platforms—particularly core banking systems deployed 10+ years ago—lack modern authentication controls. Patching these systems to meet DORA requirements often requires significant investment and planning.

3. Third-party suppliers become regulatory exposure. If a financial institution relies on external vendors for critical systems, DORA's supplier rules (Articles 28-30) extend credential management requirements to those vendors. A weak authentication system at a payment processor or cloud provider becomes the financial institution's compliance problem.


## Practical Recommendations

Organizations should prioritize:

  • Immediate audit: Catalog all systems requiring authentication. Verify that privileged access uses MFA. Identify systems still using default credentials.
  • Password policy standardization: Align on complexity requirements (minimum 12 characters, character variety) and rotation schedules (90-180 days for privileged accounts). Document the policy.
  • MFA deployment roadmap: Prioritize systems managing customer funds, regulatory reporting, and critical operations. Target 100% coverage for privileged access within 12 months.
  • Credential lifecycle automation: Use tools that enforce password rotation, prevent reuse, and generate audit trails. Manual credential management violates the spirit of DORA requirements.
  • Logging and alerting: Implement SIEM (Security Information and Event Management) solutions that aggregate authentication logs across systems. Configure alerts for failed login patterns, privilege escalation, and out-of-hours access.
  • Regular assessments: Conduct annual third-party penetration testing focused on credential compromise scenarios.
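
The first four recommendations above (audit, password policy, MFA coverage, lifecycle automation) can be driven from a single account inventory. The Python example below is added here to show what that audit looks like as code; it is not from the article or from any product. It takes a constructed inventory shaped like an export from an identity store and reports vendor-default credentials, privileged accounts without MFA, overdue rotation, and the same credential reused across systems, plus the MFA coverage figure the roadmap tracks. It also validates a candidate password against the stated policy. Assumptions: the 12-character minimum and the 90-day limit for privileged accounts follow the text; the 180-day limit for standard accounts, the "at least 3 of 4 character classes" reading of "character variety", and the `secret_fingerprint` field (standing in for a keyed hash a vault could compute without exposing the secret) are this example's own.

```python
import string
from datetime import date, timedelta

# Policy parameters. 12 characters and 90 days for privileged accounts follow
# the recommendations; 180 days for standard accounts and the 3-of-4 class
# rule are assumptions made for this example.
MIN_PASSWORD_LEN = 12
MIN_CHAR_CLASSES = 3
MAX_AGE = {True: timedelta(days=90), False: timedelta(days=180)}  # keyed by privileged flag

# Constructed inventory. Equal secret_fingerprint values mean the same
# credential is in use on more than one system.
AUDIT_DATE = date(2024, 3, 4)
SAMPLE_ACCOUNTS = [
    {"name": "admin", "system": "core-banking", "privileged": True, "mfa": False,
     "vendor_default": True, "last_rotated": date(2023, 1, 10), "secret_fingerprint": "fp-a1"},
    {"name": "admin", "system": "trading-gw", "privileged": True, "mfa": False,
     "vendor_default": False, "last_rotated": date(2024, 2, 1), "secret_fingerprint": "fp-a1"},
    {"name": "ops-oncall", "system": "siem", "privileged": True, "mfa": True,
     "vendor_default": False, "last_rotated": date(2024, 2, 20), "secret_fingerprint": "fp-b2"},
    {"name": "jdoe", "system": "hr-portal", "privileged": False, "mfa": True,
     "vendor_default": False, "last_rotated": date(2023, 6, 1), "secret_fingerprint": "fp-c3"},
]


def check_password_policy(password):
    """Return the list of policy violations for a candidate password (empty means it passes)."""
    problems = []
    if len(password) < MIN_PASSWORD_LEN:
        problems.append(f"shorter than {MIN_PASSWORD_LEN} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < MIN_CHAR_CLASSES:
        problems.append(f"fewer than {MIN_CHAR_CLASSES} of 4 character classes")
    return problems


def audit_inventory(accounts, today):
    """Return {"findings": [(severity, where, description), ...],
               "privileged_mfa_coverage": fraction of privileged accounts with MFA}."""
    findings = []
    for a in accounts:
        where = f"{a['name']}@{a['system']}"
        if a["vendor_default"]:
            findings.append(("critical", where, "vendor default credential still in use"))
        if a["privileged"] and not a["mfa"]:
            findings.append(("high", where, "privileged access without MFA"))
        limit = MAX_AGE[a["privileged"]]
        age = today - a["last_rotated"]
        if age > limit:
            findings.append(("medium", where,
                             f"credential not rotated for {age.days} days (limit {limit.days})"))

    # Credential reuse: the same fingerprint present on more than one system.
    by_fingerprint = {}
    for a in accounts:
        by_fingerprint.setdefault(a["secret_fingerprint"], []).append(a["system"])
    for fingerprint, systems in by_fingerprint.items():
        if len(systems) > 1:
            findings.append(("high", fingerprint,
                             "same credential used on " + ", ".join(sorted(systems))))

    privileged = [a for a in accounts if a["privileged"]]
    coverage = sum(a["mfa"] for a in privileged) / len(privileged) if privileged else 1.0
    return {"findings": findings, "privileged_mfa_coverage": coverage}


if __name__ == "__main__":
    result = audit_inventory(SAMPLE_ACCOUNTS, AUDIT_DATE)
    print(f"privileged MFA coverage: {result['privileged_mfa_coverage']:.0%}")
    for severity, where, text in result["findings"]:
        print(f"[{severity:8}] {where}: {text}")
```

Run against the constructed inventory, the audit reports six findings (one vendor default, two privileged accounts without MFA, two overdue rotations, one reused credential) and a privileged MFA coverage of one in three; the same output, produced on a schedule and kept, is the documented audit trail the lifecycle requirement asks for.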

## Conclusion


DORA Article 9 transforms credential management from a technical implementation detail into a financial regulation compliance requirement. The EU is signaling that operational resilience depends fundamentally on controlling who has access to what, and financial regulators will increasingly verify this through examination and enforcement.

For organizations still treating authentication as a checkbox exercise rather than a risk control, DORA creates both urgency and clarity: credential management failures now carry regulatory and financial consequences measurable in millions of euros, enhanced supervision, and reputational damage.

The competitive advantage—and the compliance path forward—belongs to organizations that embed strong authentication into their operational resilience strategy today.