The modern cybersecurity landscape for financial institutions has shifted from defending against complex technical exploits to managing the systemic risk of legitimate access being weaponized by external actors. When a threat actor enters a corporate network using a valid username and password, traditional perimeter defenses often fail to trigger alerts because the intruder’s behavior mimics that of an authorized employee. According to the 2025 IBM Cost of a Data Breach Report, financial institutions face an average dwell time of 186 days—more than six months—before a breach involving stolen credentials is even identified. Once detected, it takes an additional 55 days to contain the incident, leaving a window of nearly eight months for lateral movement, privilege escalation, and data exfiltration.
In response to this persistent vulnerability, the European Union’s Digital Operational Resilience Act (DORA) entered into full application on January 17, 2025. This landmark regulation transforms credential security from a recommended IT "best practice" into a binding financial risk control. Specifically, Article 9 of DORA mandates that financial entities implement rigorous protection and prevention measures to ensure the continuity of critical services. For the banking, insurance, and investment sectors, the question has evolved from whether their security posture is adequate to whether it is legally compliant and verifiable under regulatory scrutiny.
The Industrialization of Credential Theft
The urgency behind DORA’s implementation is underscored by the rapid industrialization of the cybercrime ecosystem. Data from the 2025 Verizon Data Breach Investigations Report indicates that stolen credentials remain the primary initial access vector, accounting for 22% of all global breaches. For the financial services sector, the stakes are particularly high; while the average cost of a breach dipped slightly to $5.56 million in 2025, it remains the second-most targeted and costly industry globally.
The methodology of these attacks has moved away from brute-force guessing toward a sophisticated supply chain of "Initial Access Brokers" (IABs). Research from Rapid7 reveals that verified corporate network access is now sold on dark web forums for an average of $2,700. Notably, 71% of these listings include privileged credentials, providing buyers with high-level administrative access that requires no further technical exploitation. This "access-as-a-service" model is fueled by infostealer malware such as Lumma, RisePro, and RedLine. These automated tools harvest credentials at scale, with IBM X-Force reporting an 84% year-on-year increase in infostealer delivery via phishing campaigns. By the time a financial institution realizes a workstation has been compromised, the credentials have often already been sold, tested, and utilized for lateral movement.
Navigating the Mandates of Article 9
DORA Article 9, titled "Protection and Prevention," functions as the technical core of the broader ICT risk management framework established in Article 6. The regulation moves beyond vague suggestions, requiring financial entities to maintain high standards of availability, authenticity, integrity, and confidentiality of data. Two specific provisions within Article 9 are central to the management of digital identities and credentials.
Article 9(4)(c) mandates the implementation of policies that prevent the unauthorized access of data and ensure that only authorized personnel can access sensitive systems. In operational terms, this necessitates the deployment of Multi-Factor Authentication (MFA). However, the regulation specifies that these controls must align with "relevant standards." In the current threat environment, this is widely interpreted by regulators and auditors as a requirement for phishing-resistant MFA, such as FIDO2/WebAuthn. Traditional SMS-based or TOTP (Time-based One-Time Password) methods are increasingly viewed as insufficient due to the rise of Adversary-in-the-Middle (AiTM) phishing kits that can intercept these codes in real time.
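An added illustration, not part of the article, of why the origin binding in a FIDO2/WebAuthn assertion defeats the real-time code relay described above while a TOTP code does not. It uses only the Python standard library; `RP_ID`, `RP_ORIGIN` and the lookalike origin are constructed placeholders, and the public-key signature check over the assertion is assumed to be performed separately and is not modelled.

```python
import base64, hashlib, hmac, json, secrets

# Constructed placeholders for this example, not values from the article.
RP_ID = "bank.example"                  # relying party ID the credential was registered under
RP_ORIGIN = "https://bank.example"      # the only origin the RP accepts assertions from

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue_challenge() -> str:
    """Fresh per-login challenge; the RP stores it server-side and accepts it once."""
    return b64url(secrets.token_bytes(32))

def authenticator_response(page_origin: str, challenge: str) -> dict:
    """Simplified model of what the browser hands back to the page: the browser itself
    writes the origin it is on into clientDataJSON, and authenticator data begins with
    SHA-256 of the RP ID it signed for. Page script cannot forge either field."""
    client_data = {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    rp_id_hash = hashlib.sha256(page_origin.split("://", 1)[1].encode()).digest()
    flags = b"\x05"                      # bit 0 = user present, bit 2 = user verified
    auth_data = rp_id_hash + flags + (0).to_bytes(4, "big")   # + 4-byte signature counter
    return {"clientDataJSON": json.dumps(client_data).encode(), "authenticatorData": auth_data}

def verify_assertion(resp: dict, expected_challenge: str) -> tuple[bool, str]:
    """RP-side checks binding the assertion to this challenge and this origin; the
    signature over authenticatorData || SHA-256(clientDataJSON) is checked elsewhere."""
    cd = json.loads(resp["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch: stale or replayed assertion"
    if cd.get("origin") != RP_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {RP_ORIGIN!r}"
    ad = resp["authenticatorData"]
    if not hmac.compare_digest(ad[:32], hashlib.sha256(RP_ID.encode()).digest()):
        return False, "rpIdHash does not match the RP ID"
    if ad[32] & 0x01 == 0 or ad[32] & 0x04 == 0:
        return False, "user presence/verification flags not set"
    return True, "ok"

def verify_totp_code(submitted: str, expected: str) -> bool:
    """Contrast: a TOTP code carries no origin, so one typed into a proxy page
    and forwarded in real time is indistinguishable from one typed at the bank."""
    return hmac.compare_digest(submitted, expected)

if __name__ == "__main__":
    chal = issue_challenge()
    print(verify_assertion(authenticator_response(RP_ORIGIN, chal), chal))
    print(verify_assertion(authenticator_response("https://bank-example.com", chal), chal))
```

The second call models a user who completed the ceremony on a lookalike page: the relayed assertion is rejected on the origin check, whereas `verify_totp_code` has no origin to compare and accepts a relayed code.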
Furthermore, Article 9(4)(d) requires the use of "dedicated control systems" to manage privileged access. While Privileged Access Management (PAM) is not mentioned by name, the functions it provides—such as session recording, just-in-time (JIT) provisioning, and secure credential vaulting—are the exact mechanisms required to satisfy the law. For EU financial entities, the absence of these controls now represents a direct compliance gap that could lead to administrative sanctions or compulsory remedial actions by national competent authorities.
A Chronology of Regulatory Evolution and Systemic Failure
The path to DORA began in September 2020, when the European Commission first proposed the act as part of the Digital Finance Package. The goal was to harmonize the disparate security requirements across the EU’s 27 member states. Following its adoption by the European Parliament in November 2022 and its entry into force in January 2023, institutions were given a two-year implementation period.
The necessity of this timeline was highlighted by several high-profile incidents that demonstrated the fragility of the existing system. In May 2024, the Santander breach served as a pivotal case study for the European banking sector. Attackers utilized credentials stolen from employees of the third-party provider Snowflake to access databases containing sensitive information on millions of customers across Spain, Chile, and Uruguay. The investigation revealed that the compromised accounts lacked multi-factor authentication, allowing attackers to use harvested credentials without resistance.
More recently, in January 2026, a breach at France’s national bank registry (Ficoba) further illustrated the "operational resilience" aspect of DORA. A single set of credentials belonging to a civil servant allowed a threat actor to extract data on 1.2 million bank accounts. The incident forced the system offline, disrupting interministerial operations and triggering mandatory reporting under DORA’s Article 19. Under these rules, institutions must provide an initial notification within four hours of an incident’s classification, a follow-up within 72 hours, and a final report within one month. This rigorous reporting timeline is designed to prevent institutions from downplaying the scale of credential-based compromises.
The Third-Party Dimension and Chapter V Obligations
One of the most significant shifts introduced by DORA is the extension of responsibility to the ICT supply chain. Chapter V of the regulation stipulates that a financial entity’s compliance perimeter does not end at its own firewall. If a critical ICT third-party provider—such as a cloud storage firm or a software vendor—suffers a breach due to poor credential management, the financial institution remains accountable to its regulators.
The Santander-Snowflake incident is the primary reference point for this shift. It demonstrated that a vendor’s weak authentication posture is not merely a vendor problem; it is a systemic risk to the financial institution. Under DORA, banks and insurers must contractually mandate that their providers adhere to equivalent security standards, including the use of strong encryption and MFA. Regulators now expect institutions to audit their vendors’ password policies and access controls as part of their broader resilience strategy.
Analysis of Implications: From Security to Governance
The transition to a DORA-compliant environment requires a fundamental restructuring of how credentials are treated within the enterprise. For most institutions, this involves four key pillars:
- Centralized Governance: Moving away from fragmented, department-level password storage toward a centralized, encrypted repository that provides a single source of truth for audits.
- Least-Privilege Enforcement: Implementing automated workflows to ensure that employees and contractors only have access to the specific systems required for their roles, and only for the duration necessary.
- Auditability and Evidence: Generating tamper-evident logs that record every instance of credential access, modification, or sharing. In the eyes of a DORA auditor, a control that is not documented is a control that does not exist.
- Localized Data Sovereignty: Given the focus on ICT third-party risk, many institutions are moving toward self-hosted credential management solutions. By keeping sensitive access data within their own infrastructure rather than on a third-party SaaS platform, they reduce the number of external dependencies that must be governed under Chapter V.
Solutions like Passwork have emerged as critical infrastructure for meeting these requirements. As a self-hosted, ISO/IEC 27001-certified corporate password manager, it allows financial entities to maintain total control over their credential data. By integrating with LDAP and SAML SSO, such platforms allow for the enforcement of MFA across all access points while providing the detailed audit logs necessary to prove compliance during regulatory inspections.
The Future of Financial Supervision
As the European Banking Authority (EBA) and the European Securities and Markets Authority (ESMA) continue to release Regulatory Technical Standards (RTS), the level of specificity regarding credential management is expected to increase. The first wave of DORA audits is likely to focus on "low-hanging fruit," such as the presence of MFA on all remote access points and the existence of a formal privileged access policy.
Ultimately, DORA has successfully elevated credential security from a technical footnote to a boardroom priority. By framing a compromised password as a failure of operational resilience, the EU has signaled that the era of "voluntary" security standards is over. Financial entities that act now to formalize their credential management frameworks will not only avoid the sting of regulatory penalties but will also significantly reduce their exposure to the most common and costly threat vector in the modern digital economy. Operational resilience, as DORA defines it, begins with the absolute control of the keys to the digital kingdom.
