DORA enforcement expands to mandate phishing-resistant MFA and privileged credential vaulting in EU financial sector
Summary
The Digital Operational Resilience Act (DORA) has applied since January 17, 2025, and its Article 9 requirements make credential security a binding ICT risk control for EU financial institutions. Stolen credentials remain the leading initial access vector, accounting for 22% of breaches and costing the sector an average of $5.56 million per incident. DORA's Article 9(4)(c) mandates least-privilege access, while Article 9(4)(d) requires strong authentication mechanisms based on relevant standards and protection of cryptographic keys; the source article reads this as a requirement for phishing-resistant authentication such as FIDO2/WebAuthn. Institutions that fail to implement these controls face supervisory consequences, and a credential-based breach that qualifies as a major ICT-related incident triggers the mandatory reporting timelines of Article 19. Vendor credentials fall inside the same compliance perimeter under Chapter V, as high-profile breaches leveraging third-party access have demonstrated.
Timeline
-
24.04.2026 17:10 · 1 article
DORA Article 9 enforcement establishes credential security as mandatory financial risk control in EU financial sector
Since January 17, 2025, Article 9 of the Digital Operational Resilience Act (DORA) has applied to EU financial institutions, mandating least-privilege access, strong authentication (which the source article interprets as phishing-resistant FIDO2/WebAuthn), and cryptographic key protection. The regulation also requires continuous monitoring, privileged credential vaulting, and enforcement of least-privilege access, with supervisory consequences for non-compliance. Major incident reporting under Article 19 is triggered by credential-based breaches, including those originating from third-party vendors.
Source: DORA and operational resilience: Credential management as a financial risk control — www.bleepingcomputer.com — 24.04.2026 17:10
Information Snippets
-
DORA's Article 9 became applicable across the EU on January 17, 2025, making credential security a legally binding financial risk control within ICT risk management frameworks.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)
-
Stolen credentials accounted for 22% of all data breaches in 2025, with an average of 186 days to detect such a breach and a further 55 days to contain it, per IBM's Cost of a Data Breach Report.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)
-
Article 9(4)(c) mandates least-privilege access, requiring institutions to limit physical and logical access to information assets to what each function and role legitimately needs.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)
-
Article 9(4)(d) requires strong authentication mechanisms based on relevant standards, together with protection of cryptographic keys. The regulation text does not name a specific standard; the source article reads the requirement as pointing to FIDO2/WebAuthn, which binds each assertion to the site's origin and is therefore resistant to Adversary-in-the-Middle (AitM) phishing kits that relay one-time codes and push prompts.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)
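Why a relayed FIDO2/WebAuthn login fails where a relayed one-time code succeeds, as an added example that is not part of the source article: the browser writes the page origin into clientDataJSON and the authenticator hashes the RP ID into authenticatorData, and both sit under the signature. The relying party name bank.example, the lookalike bank-login.example, and the challenge values are assumptions constructed for this example; HMAC stands in for the authenticator's ECDSA P-256 signature so the script runs with the standard library alone, but the bytes being signed and the server-side checks follow the WebAuthn assertion verification procedure.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Hypothetical relying party (RP) for this example.
RP_ID = "bank.example"
RP_ORIGIN = "https://bank.example"

# Stand-in for the authenticator's per-site private key. A real authenticator
# signs with ECDSA P-256 and the RP stores the public key; HMAC keeps this
# example dependency-free. The data under the signature is unchanged.
AUTHENTICATOR_KEY = secrets.token_bytes(32)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def browser_assertion(challenge: bytes, page_origin: str, requested_rp_id: str) -> dict:
    """Simulate navigator.credentials.get() as browser and authenticator perform it.

    The page supplies the challenge and rpId; the browser writes the origin
    itself and refuses an rpId that is not a registrable suffix of the page's
    host, so a lookalike site cannot ask the authenticator for bank.example."""
    host = page_origin.split("://", 1)[1].split("/", 1)[0].split(":", 1)[0]
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        raise ValueError(f"browser refuses rpId {requested_rp_id!r} for origin {page_origin!r}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin},
        separators=(",", ":"),
    ).encode()
    # authenticatorData = rpIdHash (32) || flags (1, bit 0 = user present) || signCount (4)
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + b"\x01" + (1).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data).digest()
    signature = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    return {
        "clientDataJSON": b64url(client_data),
        "authenticatorData": b64url(auth_data),
        "signature": b64url(signature),
    }


def rp_verify(expected_challenge: bytes, assertion: dict) -> tuple:
    """Relying-party checks; returns (accepted, reason)."""
    client_data_bytes = b64url_decode(assertion["clientDataJSON"])
    client_data = json.loads(client_data_bytes)
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or replayed assertion)"
    if client_data.get("origin") != RP_ORIGIN:
        return False, f"origin {client_data.get('origin')!r} is not {RP_ORIGIN!r}"
    auth_data = b64url_decode(assertion["authenticatorData"])
    if len(auth_data) < 37:
        return False, "authenticatorData too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash does not match our RP ID"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    signed = auth_data + hashlib.sha256(client_data_bytes).digest()
    expected_sig = hmac.new(AUTHENTICATOR_KEY, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(assertion["signature"])):
        return False, "signature does not cover the presented clientDataJSON/authenticatorData"
    return True, "ok"


def run_scenarios() -> dict:
    """Legitimate login, an AitM proxy relay, and a proxy that edits the relayed fields."""
    challenge = secrets.token_bytes(32)  # constructed per-login challenge from the RP
    results = {}
    results["legit"] = rp_verify(challenge, browser_assertion(challenge, RP_ORIGIN, RP_ID))
    # AitM kit: a proxy at a lookalike domain forwards the RP's real challenge to the victim.
    phish_origin = "https://bank-login.example"
    try:
        browser_assertion(challenge, phish_origin, RP_ID)
        results["rpid_refused"] = False
    except ValueError:
        results["rpid_refused"] = True  # the victim's browser will not sign for bank.example here
    relayed = browser_assertion(challenge, phish_origin, "bank-login.example")
    results["relayed"] = rp_verify(challenge, relayed)
    # The proxy rewrites origin and rpIdHash to the real values before forwarding;
    # both are cleartext, but the signature was computed over the original bytes.
    edited = json.loads(b64url_decode(relayed["clientDataJSON"]))
    edited["origin"] = RP_ORIGIN
    fixed_auth = hashlib.sha256(RP_ID.encode()).digest() + b64url_decode(relayed["authenticatorData"])[32:]
    tampered = dict(
        relayed,
        clientDataJSON=b64url(json.dumps(edited, separators=(",", ":")).encode()),
        authenticatorData=b64url(fixed_auth),
    )
    results["tampered"] = rp_verify(challenge, tampered)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

Only the legitimate login is accepted: the relayed assertion is rejected on origin, the proxy's edited copy is rejected on signature, and the browser refuses outright to produce an assertion for the real RP ID from the lookalike page. Compare this with an OTP or push approval, where the relayed secret carries no binding to the site that requested it.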
-
The 2026 breach of Ficoba, the French tax administration's national register of bank accounts, started from a single compromised civil servant credential and exposed data on 1.2 million bank accounts, including IBANs, account holder names, and tax identification numbers.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)
-
The Santander breach disclosed in May 2024 used stolen credentials for a third-party Snowflake environment holding Santander data to access customer and employee records in Spain, Chile, and Uruguay, highlighting that a vendor-hosted credential is still the institution's risk.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)
-
DORA's Chapter V (management of ICT third-party risk) places explicit obligations on financial entities to ensure that their ICT third-party providers meet equivalent access control and authentication standards; regulatory liability for a vendor's credential gap therefore stays with the financial entity.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)
-
The European Supervisory Authorities (the EBA, ESMA, and EIOPA) draft the Regulatory Technical Standards that the Commission adopts under DORA, reinforcing Article 9's requirements with sector-specific detail on ICT risk management controls.
First reported: 24.04.2026 17:10 · 1 source, 1 article (www.bleepingcomputer.com)