Glossary / Regulation
DORA
DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) is a European Union regulation that establishes uniform requirements for the security of network and information systems in the financial sector, covering ICT risk management, ICT-related incident classification and reporting, digital operational resilience testing, and oversight of ICT third-party providers.
DORA applies to financial entities including banks, insurance companies, investment firms and payment institutions (the full list is in Article 2), and it brings the ICT third-party providers that serve them into scope, both through mandatory contractual terms that financial entities must impose and, for providers designated as critical, through direct oversight by the European Supervisory Authorities. Its requirements fall into five areas: ICT risk management (Chapter II), management, classification and reporting of ICT-related incidents (Chapter III), digital operational resilience testing including threat-led penetration testing (Chapter IV), management of ICT third-party risk (Chapter V), and voluntary information sharing on cyber threats (Chapter VI).
Within the ICT risk management framework, Article 9 (protection and prevention) requires policies that limit logical and physical access to ICT assets to what legitimate, approved functions need, a sound administration of access rights, and strong authentication mechanisms; Article 10 (detection) requires continuous monitoring so that anomalous activity and incidents are detected promptly. In practice this means access to critical systems must be restricted on a least-privilege basis, monitored, and logged in a way that supports incident classification and reporting. The ICT third-party risk provisions extend this oversight to cloud providers, identity platforms, and other technology suppliers that support the financial entity’s operations, through contractual requirements on security, audit and access rights, incident support, and exit strategies.
Unlike a directive, DORA is directly applicable across EU member states without national transposition, creating a single rulebook for digital resilience in financial services. It entered into force on 16 January 2023 and has applied since 17 January 2025.
For CIAM (customer identity and access management), DORA matters in two situations: when the identity platform serves financial institutions, which must pass DORA’s contractual requirements (Article 30) down to the platform as an ICT third-party provider, and when the platform is designated a critical ICT third-party provider (Article 31) and becomes subject to direct oversight. Either way, the authentication, access logging, incident-support and resilience requirements directly affect platform design and operations, from authentication strength and audit-log retention to incident notification timelines and tested recovery capabilities.
Sources
- Regulation (EU) 2022/2554 (DORA): https://eur-lex.europa.eu/eli/reg/2022/2554/oj
Standards
- Regulation (EU) 2022/2554