The Importance of Credential Management for Financial Institutions

In today’s digital landscape, the security of credentials is paramount for financial institutions. When a threat actor gains access to a network using legitimate username and password credentials, it can go unnoticed for an extended period, causing significant damage. According to IBM’s Cost of a Data Breach Report (2025), it takes an average of 186 days to detect a breach and an additional 55 days to contain it.

The Digital Operational Resilience Act (DORA), implemented in January 2025, makes credential security a mandatory financial risk control for institutions. Compliance with DORA’s Article 9, which focuses on credential management, is crucial for financial entities to avoid regulatory consequences.

The Threat Landscape

In 2025, stolen credentials accounted for 22% of data breaches, with financial institutions bearing a significant financial burden as a result. Credential theft has become industrialized, with attackers selling access to corporate networks and automating credential harvesting.

DORA’s Article 9 aims to combat these threats by requiring strong authentication measures, least-privilege access, and documented controls. Institutions that fail to implement these measures face compliance gaps and regulatory action.

Understanding DORA Requirements

Article 9 of DORA mandates policies that restrict access to information assets to authorized functions only and require strong authentication mechanisms based on industry standards. Multi-factor authentication (MFA) and privileged access management (PAM) tools play a crucial role in meeting these requirements.

Financial entities must continuously monitor login activities and implement controls to prevent unauthorized access. Compliance with DORA’s regulatory technical standards is essential for maintaining operational resilience.

Addressing Credential Compromise

A compromised credential poses a significant threat to operational continuity, as attackers can exploit privileges and extract sensitive data without detection. Under DORA, incidents of credential compromise trigger mandatory reporting obligations, emphasizing the importance of swift detection and response.

Third-party vendors also play a role in credential security, as demonstrated by the Santander breach in 2024. Financial institutions must ensure that their vendors adhere to equivalent authentication standards to mitigate risks.

Implementing DORA-Compliant Controls

To comply with Article 9, financial institutions should prioritize phishing-resistant MFA, least-privilege access, secure credential vaulting, and continuous monitoring of login activities. Structured credential management is essential for effective policy implementation.

Passwork, a certified password manager, offers MFA enforcement, role-based access control, privileged account inventory, and audit logs for compliance documentation. Its self-hosted deployment ensures data security and regulatory compliance.

Conclusion: Ensuring Compliance with DORA

Compliance with DORA’s credential management requirements is a legal obligation for financial entities operating in the EU. By proactively implementing robust controls and documenting compliance, institutions can demonstrate operational resilience and mitigate regulatory risks.

Start your free Passwork trial today to strengthen your credential management practices and ensure compliance with DORA’s regulatory standards.

Disclaimer: This article is sponsored and written by Passwork.