Banking
The banking sector is subject to particularly intensive regulatory oversight. With DORA (in force since 17 January 2025), EU legislators have introduced binding ICT risk management requirements that directly address privileged access.
DORA and requirements for banks
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, has been in force since 17 January 2025 and applies directly — without national transposition — to all credit institutions in the EU. DORA has replaced BAIT and KAIT in Germany.
The ICT risk management framework under DORA Art. 6 ff. requires documented strategies, policies and protocols to protect all ICT assets. Privileged systems and access paths — core banking, SWIFT, treasury systems, trading systems — are directly affected.
For systemically important institutions, DORA Art. 26 mandates digital operational resilience tests (TLPT — Threat-Led Penetration Testing). Identity security for privileged access is a test category.
Important for German banks: With DORA coming into force on 17 January 2025, BaFin revoked BAIT and KAIT. DORA now applies as directly applicable EU law. Existing BAIT-compliant implementations must be reviewed for DORA compliance.
Specific challenges
Core Banking and Critical Financial Systems
Core banking systems, SWIFT infrastructure, treasury and trading systems manage critical financial transactions. Privileged access to these systems must be controlled, recorded and auditable via PAM — for internal administrators and external service providers alike.
Third-party Access (DORA Art. 28 ff.)
DORA obliges banks to actively manage ICT third-party risks. External access by IT service providers and outsourcing partners to critical systems must be controlled via vendor PAM, with full session recording, just-in-time (JIT) access and zero standing privileges.
Audit Trails for Regulators
Regulators (EBA, ECB, BaFin) and external auditors expect complete evidence of privileged access to security-relevant systems. PAM delivers exactly that: complete session recordings, access histories and password rotation logs, audit-proof and tamper-protected.
DORA-compliant PAM implementation
PAM Xpert supports banks in building DORA-compliant PAM structures.