Banking

The banking sector is subject to particularly intensive regulatory oversight. With DORA (applicable since 17 January 2025), EU legislators have introduced binding ICT risk management requirements that directly address privileged access.

Regulatory Framework

DORA and requirements for banks

The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, entered into force in January 2023 and has applied since 17 January 2025. It applies directly, without national transposition, to all credit institutions in the EU. In Germany, DORA has replaced BAIT and KAIT.

The ICT risk management framework under DORA Art. 6 ff. requires documented strategies, policies and protocols to protect all ICT assets. Privileged access paths to core banking, SWIFT, treasury and trading systems are therefore directly in scope.

For institutions designated by their competent authority, DORA Art. 26 mandates advanced testing in the form of threat-led penetration testing (TLPT). Because TLPT targets the institution's critical or important functions, privileged access paths to those systems typically fall within the test scope.

Important for German banks: BaFin repealed BAIT and KAIT when DORA became applicable on 17 January 2025; DORA now applies as directly applicable EU law. Existing BAIT-based implementations must be reviewed against the DORA requirements rather than assumed to carry over.

PAM in banking

Specific challenges

01 Core Banking and Critical Financial Systems

Core banking systems, SWIFT infrastructure, treasury and trading systems manage critical financial transactions. Privileged access to these systems must be controlled, recorded and auditable via PAM — for internal administrators and external service providers alike.

02 Third-party Access (DORA Art. 28 ff.)

DORA obliges banks to actively manage ICT third-party risks. External access by IT service providers and outsourcing partners to critical systems must be controlled via vendor PAM — with full session recording, JIT access and zero standing privileges.

03 Audit Trails for Regulators

Supervisors (ECB, BaFin, applying EBA guidelines) and external auditors expect complete evidence of who held privileged access to security-relevant systems, when, and what was done with it. PAM delivers this: session recordings, access histories and password rotation logs, retained in tamper-evident form so they hold up in an audit.

DORA-compliant PAM implementation

PAM Xpert supports banks in building DORA-compliant PAM structures.