Navigating DORA Compliance: Leveraging Privileged Access Management 

From 17 January 2025, the Digital Operational Resilience Act (DORA) officially applies to EU organizations, bringing sweeping changes to cybersecurity strategies and decisions in the financial sector. It was introduced by the European Union (EU) as a response to the growing risks associated with digitalization in the financial sector. 

In this context, ARCON and KuppingerCole recently co-hosted a webinar on the importance of leveraging privileged access management to comply with DORA mandates in the European Union. On February 20th, 2025, Paul Fisher, Lead Analyst, KuppingerCole Analysts AG, and Frank Schmaering, Senior Solutions Engineer, ARCON, along with Rosemarie Hesterberg, Sales Development Representative, Europe, came together to review and discuss:

  • DORA’s requirements and its impact on EU financial sector 
  • The role of Privileged Access Management (PAM) in complying with DORA 
  • Key features of ARCON | PAM and how it supports operational resilience 
  • World-class case studies showing successful ARCON | PAM implementation to comply with DORA 
  • Functionalities of ARCON | PAM, threat detection, access monitoring and audit readiness 

During the first half of the webinar, Paul Fisher, Lead Analyst from KuppingerCole, welcomed the audience with a quick overview of the discussion areas, then introduced himself and his co-speakers from ARCON. He opened with DORA compliance; the key takeaways are below:

  • DORA enforces strict cybersecurity and operational resilience standards, and financial institutions must strengthen their cyber defenses to meet them. The core areas of DORA include:
  1. ICT Risk Management  
  2. Incident Reporting 
  3. Digital Resilience Testing 
  4. Third-Party Risk Management 

  • Paul continued with the role of Privileged Access Management (PAM) in complying with DORA: it protects critical assets from insider threats and cyberattacks and ensures that only authorized users have privileged access. It therefore reduces the risk of data breaches and compliance violations in EU organizations.
  • Further discussing how DORA enhances security and compliance, Paul added that PAM enforces least privilege access and provides real-time monitoring and auditing. A robust PAM solution strengthens authentication mechanisms and prevents credential abuse to support incident response and reporting. 
  • According to Paul, the challenges of implementing PAM for DORA compliance are crucial. Weak access controls, balancing security with operational efficiency, and managing third-party and remote access risks are the common challenges; the best solutions to address them are automated JIT access controls, continuous monitoring and AI-driven risk assessments.
  • At the end of Paul’s session, the focus shifted towards integrating PAM with a cybersecurity strategy through a multi-layered security approach, which is possible only by:
  1. Combining PAM with Identity & Access Management (IAM)  
  2. Leveraging Zero Trust security principles  
  3. Aligning with Data Governance & CIEM for complete oversight 

  • Paul finished his session with the key takeaways below: 
  1. DORA compliance requires a strong cybersecurity foundation  
  2. PAM is a key enabler of operational resilience & security 
  3. Organizations must act now to align with DORA mandates
  4. A proactive PAM strategy isn’t just about compliance—it’s about building a resilient future

In the latter half of the webinar, Rosemarie Hesterberg and Frank Schmaering from ARCON discussed the role of ARCON | Privileged Access Management (PAM) in navigating DORA compliance. Here are the key takeaways from their session: 

  • Rosemarie opened the discussion with an overview of ARCON’s mission and vision as an organization and of ARCON’s approach to navigating DORA compliance through risk management, operational resilience, third-party risk monitoring and incident reporting.
  • Later, Frank took over with a brief insight into the security, efficiency and compliance features of the ARCON | Privileged Access Management (PAM) solution. It helps EU organizations build an identity-first security approach with ICT risk management, incident reporting, operational resilience and third-party risk monitoring.
  • Talking about ICT Risk Management, Frank extended the discussion to its root cause and effect. He also added that the ICT risk management framework shall include at least strategies, policies, procedures, ICT protocols and tools that are necessary to duly and adequately protect all information assets and ICT assets, including computer software, hardware, servers, as well as to protect all relevant physical components and infrastructures, such as premises, data centres and sensitive designated areas, to ensure that all information assets and ICT assets are adequately protected from risks including damage and unauthorised access or usage. ARCON | PAM makes this possible with the help of:
  1. Privileged Account Lifecycle Management 
  2. Fully automated with scan connectors 
  3. Discover new Users and Devices with Semi and Auto mode 
  4. Discover Users and Devices from AWS and Azure directories 
  5. Integration with any ITSM, IAM or IGA solutions 
  6. Import Utility to bulk onboard accounts 

  • While discussing incident reporting, Frank highlighted ARCON’s robust reporting engine, access control and security logs, and search-by-commands mechanisms that allow IT teams to create and manage remote access for third-party users, partners or contractors. Moreover, it enforces adaptive MFA for critical access, which allows administrators to set the level of security based on the relevance and importance of the login attempt. At the same time, user access governance ensures that all human and machine identities (especially privileged identities) are governed seamlessly to build perimeter-centric security, and it controls the access control module.

  • Operational resilience also plays a crucial role in navigating DORA compliance. ARCON | Privileged Access Management (PAM) ensures that organizations can withstand, respond to, and recover from disruptions, including cyber threats, system failures, and insider risks. It safeguards critical assets, maintains compliance, and ensures business continuity even during cyber threats and IT operational disruptions.
  • Frank also spoke about the ARCON | Global Remote Access (GRA) solution, which implements the necessary controls for third-party remote access. It not only allows IT teams to create and manage remote access for third-party users, partners or contractors, but also enforces adaptive authentication (Multi-Factor Authentication) for critical access, which allows administrators to set the level of security based on the relevance and importance of the access.
  • Towards the end of the webinar, Frank concluded his session with a complete overview of the stack of solutions that ARCON offers. Converged under one umbrella, these solutions have a lot more to offer EU organizations to help them comply with the DORA mandates. He briefly discussed the solutions below:
  1. ARCON | Privileged Access Management (PAM) 
  2. ARCON | Endpoint Privilege Management (EPM) 
  3. ARCON | Security Compliance Management (SCM) 
  4. ARCON | Global Remote Access (GRA) 
  5. ARCON | Identity Access Management (IAM) & Single-Sign-On (SSO) 
  6. ARCON | User Behaviour Analytics (UBA) & Data Intellect (DI) 
  7. ARCON | Enterprise Vault & Secrets Management (EVM) 
  8. ARCON | My Vault 

Conclusion 

The webinar concluded with a discussion of the poll questions shared by Paul earlier. Many participants answered the poll questions and also raised questions of their own to clarify points related to DORA compliance mandates. Both Paul and Frank shared their valuable insights while analyzing the poll results and answering the questions.
