
WHITEPAPER

Mapping DORA Requirements to Delinea Privileged Access Management

Mapping Digital Operational Resilience Act (DORA) Requirements to Delinea Privileged Access Management

The financial sector is a critical component of the European economy, providing essential services such as banking, insurance, and investment management. It’s also a magnet for cyberattacks.

The European Parliament acknowledged that firms operating in the financial services industry are 300 times as likely as other companies to be targeted by cybercriminals. Especially as cyberattacks become more sophisticated, budgets tighten, and business pressures mount, financial institutions struggle to prioritize cybersecurity controls that protect their complex, interconnected networks and ensure business continuity.

To that end, the European Commission recognized the need for an overarching Act that would provide clarity to financial services companies seeking to improve security and compliance, as well as the consistency Member States need to form national requirements.

The Digital Operational Resilience Act (DORA), also known as Regulation (EU) 2022/2554, aims to ensure the operational resilience of all entities that provide critical financial services in the EU by establishing a harmonized set of rules and requirements.

In this whitepaper, you’ll learn how DORA impacts the European financial sector, including specific security controls you must have in place. You’ll also see how Privileged Access Management (PAM) best practices and solutions, including Delinea’s PAM solutions, meet the requirements of DORA.

Challenges for EU financial services organizations

Highly connected networks

The high level of interconnectedness across financial institutions and third-party service providers creates systemic risk. Day-to-day operations depend on cloud, software, and hardware providers. Heavy dependence on third-party providers causes an inability to monitor risks in the sub-outsourcing value chain. Financial companies often can’t confirm whether their provider had a data breach or experienced a cyberattack that involved their sensitive data. A local cyber incident could quickly spread to the entire financial system in the European Union, which would have a disastrous effect on the stability and trust of the financial system.

Overlapping incident reporting

Incident reporting, even in the newly launched NIS 2, doesn’t cover the entirety of the highly interconnected financial services sector and limits requirements to financial market infrastructures (central counterparties, operators of trading venues) and banking (credit institutions). Therefore, parts of the financial services industry don’t have a clear reporting path. This situation might cause those incidents to remain unreported, which can result in a spillover effect.

The fragmentation of incident reporting rules becomes even more challenging for cross-border financial institutions that operate outside the EU and have to comply with additional requirements stemming from regulations from third-country jurisdictions.


On the other hand, large institutions have multiple ICT and security incident reporting requirements, either regulation-related like Foreign Direct Product Rule (FDPR), Electronic Identification, Authentication and Trust Services (eIDAS), national rules transposing Payment Services Directive (PSD2), The Network and Information Security (NIS2), or supervisory-related like SSM and TARGET2. Therefore, security leaders need to navigate through a complex and bureaucratic environment in order to report the same incident.

Lack of consistent regulatory oversight

Unfortunately, the regulatory landscape covering Information and Communication Technologies (ICT) risk and operational resilience for the financial services sector in Europe has been fragmented, and regulatory provisions were developed at different times to address different types of risks. National requirements and supervisory guidance have filled some gaps, but the results have been inconsistent across the EU. Without unified rules, financial organizations struggle to prioritize their cybersecurity investments and develop effective strategies, and cyber risk increases.

The Digital Operational Resilience Act (DORA) [i, ii]

DORA enhances the supervision and oversight of financial services organizations by competent authorities and establishes a coordinated approach to incident reporting, testing, and response.

DORA is designed to:

• Reduce the risk of financial disruption and instability
• Address ICT risks more comprehensively and strengthen the overall level of digital resilience of the financial sector
• Enable financial supervisors’ access to information on ICT-related incidents
• Ensure that financial institutions assess the effectiveness of their preventive and resilience measures and identify ICT vulnerabilities
• Strengthen the outsourcing rules governing the indirect oversight of ICT third-party providers
• Enable a direct oversight of the activities of ICT third-party providers
• Incentivise the exchange of threat intelligence in the financial sector
• Reduce the administrative burden and increase supervisory effectiveness
• Streamline ICT-related incident reporting and address overlapping requirements
• Reduce single-market fragmentation and enable cross-border acceptance of testing results
• Increase consumer and investor protection

i. https://www.europarl.europa.eu/doceo/document/A-8-2017-0176_EN.html

ii. https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554#d1e2289-1-1


You must abide by DORA if you are a:

• credit institution;
• payment institution;
• account information service provider;
• electronic money institution;
• investment firm;
• crypto-asset service provider;
• central securities depository;
• central counterparty;
• trading venue;
• trade repository;
• manager of alternative investment funds;
• management company;
• data reporting service provider;
• insurance and reinsurance company;
• insurance intermediary, reinsurance intermediary, ancillary insurance intermediary;
• institution for occupational retirement provision;
• credit rating agency;
• administrator of critical benchmarks;
• crowdfunding service provider;
• securitisation repository;
• ICT third-party service provider.

DORA doesn’t apply to managers of alternative investment funds, insurance and reinsurance undertakings, or institutions for occupational retirement provision which operate pension schemes which together do not have more than 15 members in total.

PAM is critical to meet DORA requirements. Privileged Access Management (PAM) plays a vital role in protecting sensitive data and critical systems. It ensures that only authorised individuals and applications can access critical systems and sensitive information by enforcing strong authentication measures. This helps prevent unauthorized access and potential data breaches.

PAM enables granular access control, allowing administrators to define and manage privileges based on job roles and responsibilities, limiting the risk of data exposure. A secure vault facilitates the secure management and rotation of privileged account credentials, reducing the likelihood of unauthorized access to sensitive financial data.

PAM solutions enforce session monitoring and recording, allowing for real-time visibility into privileged sessions to identify and respond promptly to any malicious activities. Additionally, PAM tracks and logs privileged user activities, providing an audit trail and detecting any suspicious or unauthorized actions.


In the chart below, learn how Delinea’s PAM solutions help you meet the requirements of DORA. Each entry gives the DORA requirement, a description of it, and how Delinea helps.

Governance & organization (Article 5 – 1-2)

Description: Financial entities are required to establish an internal governance and control framework to manage ICT risk. This framework should be documented and reviewed at least once a year and be subject to regular internal audit including a formal follow-up process. The management body is responsible for defining, approving, overseeing, and implementing this framework. This includes actions such as:

• Setting and approving the digital operational resilience strategy
• Implementation of continuity policy and ICT response and recovery plan
• Review ICT internal audits
• Allocate the related budget
• Approve and review policy on ICT third-party service providers

How Delinea helps: The framework covers ICT risk across the endpoints. Servers play a crucial role within the IT infrastructure of every financial institution as they hold critical information. Therefore, management must have an easy way to audit them and produce accurate reports.

To follow best practices, a vault should be used as a basis for governance and reporting purposes.

Delinea’s vault governs the usage of secrets across the organization. It records all actions a user takes on a password, like creating, updating, and sharing passwords.

In a situation when an employee leaves the organization, admins can easily assess and control the vulnerability risk by using the User Audit Report feature. Admins can set up custom reports that will be delivered automatically.

Delinea provides a holistic view of privileged activity across Windows and Linux servers, IaaS, and databases, together with reporting capabilities on the Active Directory environment, and the data is stored in a database that’s optimised for reporting.

Active Directory information can be synchronized to the reporting database, from which reporting data can then be accessed by the designated users.

Server PAM offers an auditing infrastructure that allows organizations to record and store session activity on audited computers. This infrastructure empowers auditors to query and generate reports on specific events, access and analyze all or selected session activity, modify the status of reviewed sessions, and delete unnecessary sessions.

The auditing infrastructure relies on two types of databases to store information: the management database and the audit store database.

This, together with the automated and customised reporting capability, will help to demonstrate governance of the security program.


ICT risk management framework (Article 6 – 1,2,5,6,7)

Description: The framework should include policies that will protect from damage and unauthorized access or usage all information and ICT assets including software, hardware, servers, physical components and infrastructures, such as premises, data centres, and sensitive designated areas. Companies should monitor and control the security and functioning of ICT systems.

How Delinea helps: Appropriate protection of ICT assets and information from damage or unauthorized access requires the implementation of several actions impacting user and admin accounts, workstations and servers.

Firstly, companies must implement policies governing credentials so that access to sensitive information is restricted.

Using Delinea’s PAM vault, admins can specify who can access which systems, under what conditions, and what types of actions they can take once they have access. To avoid standing access, the principle of least privilege can be followed to allow privileged users to have only the access they need for a limited time.

The vault controls access to privileged credentials, automatically rotating passwords and facilitating login sessions for privileged users without revealing the password.

Through continuous discovery, admins have visibility over all users. Remote activity and access requests by third parties can be recorded and monitored.

Endpoints are often a weak point exposed to ransomware and malware attacks that can cause damage to the ICT assets and data.

In order to improve the security across the endpoints, admins must manage the use of applications, which can be done by deploying a single agent and creating a policy that will either elevate, allow, deny, or restrict these applications.

Unmanaged admin rights open doors for lateral movement by the attacker. To avoid it, local admin rights must be removed, and then control which accounts are members of any local group.

Delinea MFA policies at system login, privileged application, and command elevation effectively block malware and ransomware and stop lateral movement.

Servers are at the heart of the ICT infrastructure as they store financial institutions’ critical information. Delinea protects customer data and other sensitive information by strictly controlling access to the host systems and the applications that access and manage such data. Whether on cloud or on premise, privileged access to servers must be protected.

Admins can centrally manage login, execution, and MFA policies in Active Directory.


Identification of cyber threats and ICT vulnerabilities (Article 8 – 2,3,4)

Description: Financial companies are required to identify sources of ICT risks and assess cyber threats and ICT vulnerabilities relevant to business functions, information assets and ICT assets. Identify and map all information assets and ICT assets, including those on remote sites, network resources and hardware equipment. Additionally, identify all processes and interconnections related to ICT third-party service providers.

How Delinea helps: In order to conduct a comprehensive vulnerability scan, commonly referred to as an authenticated or credentialed scan, vulnerability tools require privileged credentials to establish access to devices, software, and networks. This is often exploited by threat actors who look for static IDs and passwords configured in vulnerability tools to gain access.

PAM solutions help ensure these tools aren’t exploited by tightly controlling privileged credentials. Delinea vaults credentials for vulnerability tools (such as Tenable.io’s Nessus) for greater protection and centralised management.

Because Delinea automatically rotates these passwords, the vulnerability scanner consistently retrieves the current password from the vault, removing the requirement for manual password updates by an administrator in the scanner.

Processes and connections of third-party providers can be allowed, managed, and documented with Delinea PAM’s Remote Access Service. This VPN-less model isolates critical internal systems from remote user devices, which avoids the spread of viruses and malware and prevents users from gaining unauthorized access to the broader network.

Admins can record these sessions for monitoring purposes.

Access/authentication (Article 9 – 1,3,4)

Description: Financial entities must ensure that data is protected from risks arising from data management, including poor administration, processing-related risks, unauthorized access and human error.

How Delinea helps: Usernames and passwords alone are not sufficient for protecting important resources. If a user’s credentials are compromised, it is crucial to detect such events and prevent attackers from moving laterally within the systems.

In the context of Privileged Access Management (PAM), authorization controls guarantee that only authorized users, whether on-premise or in the cloud, can access sensitive IT assets and data.

IT security teams improve their administration with Delinea’s centralised policies to govern access to the vault. Multi-Factor Authentication (MFA) can be enforced at the vault and at the endpoint on login and privilege elevation to ensure the identity of the user accessing important data.


Policies (Article 9 – 4)

Description: Financial entities must implement policies managing:

• authentication mechanisms
• changes to software, hardware, firmware components, systems or security
• patches and updates
• business continuity policy

How Delinea helps: Delinea protects access to backups by restricting access to privileged accounts.

For a comprehensive scan on every endpoint, including servers and workstations, vulnerability scanners must run an authenticated scan, sometimes called a credentialed scan.

Delinea enables authenticated scans to run automatically and always has the correct credentials.

Policies managing authentication mechanisms can be set up on the Delinea vault as well as at the server level. MFA authenticates users before granting them access to the vault or server.

Protection & prevention (Article 10 – 1,2,3)

Description: Financial entities must establish robust mechanisms to proactively detect and identify anomalous activities. Furthermore, they should allocate ample resources and capabilities to continuously monitor user activity, identify ICT anomalies, and detect potential cyberattacks.

How Delinea helps: Delinea Privileged Behavior Analytics uses advanced machine learning to analyse activity on privileged accounts in real time to detect anomalies and provide threat scoring and configurable alerts.

Delinea’s behavioral analytics solution detects suspicious behavior with real-time alerts and threat scoring. When a threat is detected, credentials can be rotated and access revoked entirely. This response can be manual or automatic. Delinea uses advanced machine learning to track suspicious and anomalous activities.
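As an added illustration (not Delinea’s code; the internals of Privileged Behavior Analytics are not described in this whitepaper), the following Python sketches the detection-to-response chain this entry describes: privileged session events are scored against a per-user baseline, an aggregate score above a configurable threshold raises an alert, and the automated response rotates the credential and revokes access. The baseline, events, weights and threshold are all constructed, and a rule-based scorer stands in for the machine learning the text mentions.

```python
from dataclasses import dataclass, field

# Constructed baseline: hosts and working hours each privileged user normally uses.
BASELINE = {
    "dba_alice": {"hosts": {"db-prod-01", "db-prod-02"}, "hours": set(range(7, 20))},
    "ops_bob": {"hosts": {"web-01", "web-02", "bastion"}, "hours": set(range(6, 22))},
}

# Constructed list of command prefixes that deserve extra weight on a financial server.
SENSITIVE_COMMANDS = ("mysqldump", "useradd", "visudo", "rm -rf", "scp")

# Constructed privileged session events: (user, host, hour_of_day, command).
EVENTS = [
    ("dba_alice", "db-prod-01", 10, "SELECT count(*) FROM ledger"),
    ("dba_alice", "db-prod-02", 14, "mysqldump ledger"),
    ("ops_bob", "web-01", 9, "systemctl restart nginx"),
    ("ops_bob", "hr-fileshare", 3, "scp payroll.csv ext-host:/tmp"),
    ("ops_bob", "hr-fileshare", 3, "rm -rf /var/log/audit"),
]

ALERT_THRESHOLD = 50  # configurable: an aggregate score at or above this alerts


@dataclass
class Finding:
    user: str
    score: int = 0
    reasons: list = field(default_factory=list)
    actions: list = field(default_factory=list)


def score_event(user, host, hour, command):
    """Score one privileged event against the user's baseline; return (score, reasons)."""
    profile = BASELINE.get(user)
    if profile is None:
        return 40, ["no baseline for user"]  # unknown privileged identity is itself a signal
    score, reasons = 0, []
    if host not in profile["hosts"]:
        score += 30
        reasons.append(f"new host {host}")
    if hour not in profile["hours"]:
        score += 20
        reasons.append(f"off-hours activity at {hour:02d}:00")
    if command.startswith(SENSITIVE_COMMANDS):
        score += 25
        reasons.append(f"sensitive command '{command.split()[0]}'")
    return score, reasons


def analyse(events, threshold=ALERT_THRESHOLD):
    """Aggregate per-user scores; at or above the threshold attach the automated response."""
    findings = {}
    for user, host, hour, command in events:
        finding = findings.setdefault(user, Finding(user))
        score, reasons = score_event(user, host, hour, command)
        finding.score += score
        finding.reasons.extend(reasons)
    for finding in findings.values():
        if finding.score >= threshold:
            # The response the entry describes: rotate the credential, revoke access.
            finding.actions = [f"rotate credentials for {finding.user}",
                               f"revoke active sessions of {finding.user}"]
    return findings
```

Running `analyse(EVENTS)` leaves dba_alice below the threshold (one sensitive but in-baseline command) and flags ops_bob, whose off-hours activity on an unfamiliar host with sensitive commands accumulates a score of 150 and triggers both response actions.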

Response and recovery and backup (Article 11 – 1,2; Article 12 - 1)

Description: Financial entities must implement policies to ensure business continuity of the critical functions and quick response mechanisms. They should have backup systems in place that can be activated according to established policies and procedures. These systems must not compromise the security of network and information systems, or the availability, authenticity, integrity, or confidentiality of data. Regular testing of backup and restoration procedures is necessary.

How Delinea helps: Delinea granularly defines privileged access so that only a defined set of users can access, modify, or delete back-up systems and files, even under certain conditions.

With Delinea, credentials for back-up systems are protected in a vault. High Availability and replication ensure that credentials are always accessible to designated backup admins even if core systems are down.


Learning and evolving (Article 13 - 1,7)

Description: Financial institutions must be equipped with the capabilities and personnel to gather information on vulnerabilities, cyber threats, ICT-related incidents, and cyberattacks. They should also analyse the potential impact of these events on their digital operational resilience. Additionally, they must regularly monitor trends and developments in cybersecurity technology and possess a solid understanding of the possible impact of the deployment of such new technologies on ICT security requirements and digital operational resilience.

How Delinea helps: When assessing the usefulness of new technologies, IT security teams can start with the Delinea maturity model, which provides a framework to adopt Privileged Access Management.

Next Steps

Talk with an expert about how Delinea PAM can help you meet the requirements of DORA.
Contact Delinea

Learn more about the other upcoming EU directive, NIS 2:
delinea.com/resources/guide-to-nis2-whitepaper

Get the cybersecurity incident response template:
delinea.com/resources/free-incident-response-plan-template

Delinea is a leading provider of Privileged Access Management (PAM) solutions for the modern,
hybrid enterprise. The Delinea Platform seamlessly extends PAM by providing authorization for
all identities, controlling access to an organization’s most critical hybrid cloud infrastructure
and sensitive data to help reduce risk, ensure compliance, and simplify security. Delinea
removes complexity and defines the boundaries of access for thousands of customers
worldwide. Our customers range from small businesses to the world’s largest financial
institutions, intelligence agencies, and critical infrastructure companies. delinea.com

© Delinea DORA-WP-0623-EN
