DORA Compliance Resource

DORA Identity & ICT
Resilience Checklist 2026

Practical controls for financial entities to manage third-party ICT risk, survive TLPT, enforce phishing-resistant authentication, and maintain operational resilience.

Run Free Maturity Assessment →

01 — THIRD-PARTY ICT RISK

Maintain a complete register of all ICT third-party providers

Article 28 requires an up-to-date inventory of all ICT service providers, including those with identity/access implications (IdPs, PAM vendors, cloud brokers, etc.).

Pre-engagement due diligence on third-party identity posture

Assess how vendors manage their own privileged access, NHI, and incident notification obligations before granting them access to your environment.

Contractual rights for audit, monitoring, and incident notification

Ensure contracts include audit rights, security standards, and timely notification of incidents affecting your identities or systems (DORA Article 30).

02 — TLPT & RESILIENCE TESTING

Identity-based microsegmentation to limit lateral movement

During TLPT, red teams will target identity systems. Microsegmentation (e.g. Elisity-style) ensures a compromised credential has minimal blast radius.

Just-in-time privileged access with session recording

No standing privileged access for humans or machines. All elevated sessions must be requested, approved, time-limited, and recorded for forensic review.

Regular tabletop exercises including identity compromise scenarios

Practice the full chain: credential compromise → privilege escalation → lateral movement → containment, with clear decision points for classification under DORA.

03 — AUTHENTICATION & ACCESS

Phishing-resistant MFA (FIDO2/WebAuthn) for privileged and remote access

Basic MFA is no longer sufficient. Regulators expect hardware-backed or platform authenticators that are resistant to real-time phishing and MFA fatigue.

Continuous / risk-based authentication for high-value transactions

Re-evaluate trust throughout the session for critical actions, not just at login.

04 — GOVERNANCE & OVERSIGHT

Board-approved ICT risk management framework including identity

The management body must explicitly approve the framework covering privileged access, third-party identity risk, and resilience testing.

Regular reporting of identity risk metrics to the board

Metrics should include privileged access coverage, NHI inventory health, open high-risk findings, and TLPT identity-related observations.

NEXT STEP

Get your scored resilience assessment

Run the free Identity Maturity Assessment mapped to DORA third-party and identity obligations.

Start Free DORA Assessment

Takes ~60 seconds • Instant results • No obligation

Related resources: Full DORA Hub · Supply Chain & Third-Party Identity · Incident Reporting Under Article 19

DORA Identity & ICT Resilience Checklist 2026

Get your scored resilience assessment

DORA Identity & ICT
Resilience Checklist 2026