Regulation & Compliance
NIS2, DORA, ISO 27001, BSI IT-Grundschutz — regulatory requirements for access security in practice.
DORA: What the Financial Sector Needs to Implement
DORA (EU 2022/2554) has applied since 17 January 2025 to nearly all financial companies in the EU. Art. 5 mandates a comprehensive ICT risk management framework. Art. 28 regulates third-party security. Art. 17–20 define incident management and reporting requirements. PAM is a central control when demonstrating DORA compliance.
NIS2: Practical Impact on Access Management
NIS2 (EU 2022/2555) dramatically expanded the scope: from roughly 5,000 to over 160,000 organisations across Europe. Art. 21 explicitly mandates access control policies and MFA. NIS2 distinguishes between “essential” and “important” entities; both face strict PAM requirements.
ISO 27001:2022 and PAM-Relevant Controls
The 2022 version of ISO 27001 explicitly names PAM-relevant controls. Annex A controls 5.15–5.18 cover access management and access control. Control 8.2 explicitly addresses privileged access rights and their governance.
