DORA Article 9 turns credential hygiene into a binding EU financial control
Original source: "DORA and operational resilience: Credential management as a financial risk control" (BleepingComputer)

The Digital Operational Resilience Act, in force across the EU since January 2025, recasts credential management as a supervised financial risk control rather than an IT hygiene matter. Article 9 imposes binding obligations on financial entities to enforce least-privilege access and strong authentication grounded in recognised standards — language that points squarely at FIDO2/WebAuthn, cryptographic key protection, and the session recording, just-in-time provisioning, and credential vaulting delivered by privileged access management tooling. Institutions that cannot evidence these controls now face supervisory consequences, not just elevated breach risk.
The threat model justifies the rulemaking. Stolen credentials drove 22% of breaches in 2025, with financial sector incidents averaging $5.56 million and dwell times stretching to 186 days before detection. Initial Access Brokers sell verified corporate access for around $2,700 — 71% of listings include privileged credentials — while infostealers like Lumma, StealC, and RedLine industrialise harvesting at scale. The January 2026 compromise of France’s Ficoba registry, where one civil servant’s credentials exposed 1.2 million bank account records, illustrates how a single authentication failure becomes an operational continuity event triggering DORA’s 4-hour, 72-hour, and one-month reporting clocks.
DORA’s Chapter V extends this perimeter to vendors. The 2024 Santander breach — initiated through Snowflake contractor credentials harvested by infostealers, none protected by MFA — is the cautionary precedent: a third party’s authentication gap becomes the financial entity’s regulatory liability. Compliance now requires contractually enforced authentication standards across the supply chain and auditable evidence that they hold.
This is an AI-generated summary of the BleepingComputer article; read the original for the full story.