Blackfort Technology
DORA & Privileged Access

DORA Compliance

DORA & Privileged Access

Controlled, recorded privileged access under DORA – Art. 9 access control and Art. 28 third-party management, with session recording and an auditable trail. Delivered with the Blackfort Privileged Access Bridge.

What DORA requires for privileged access

The Digital Operational Resilience Act (DORA) has applied to EU financial entities since 17 January 2025. For ICT third-party providers the requirements take effect indirectly – through the contractual terms DORA mandates; providers designated as critical are additionally subject to direct EU oversight. Privileged access (administrators, maintenance accounts, external providers reaching critical ICT systems) sits at the centre of it: it is an attacker's most effective lever, and therefore a direct focus of DORA's ICT risk management.

Article 9 (Protection and prevention) requires financial entities to limit access to ICT systems to what is necessary (least privilege, Art. 9(4)(c)) and to protect it with strong authentication mechanisms (Art. 9(4)(d)). The related Regulatory Technical Standards (Delegated Regulation (EU) 2024/1774) make this concrete for identity and access management: privileged access only on a need-to-use/ad-hoc basis, every action attributable to an identifiable person, restriction of generic and shared accounts, and logging of security-relevant events (RTS Art. 12 and Art. 21).

In practice this means four things for privileged access: no permanently open standing access, but access on demand and time-limited; strong authentication (MFA) before every session; a recording of what actually happens inside the session; and a tamper-proof record of who did what and when – auditable for the supervisory authority and external auditors.

DORA and external ICT service providers (Article 28)

DORA explicitly obliges financial entities to actively manage the risk arising from ICT third-party providers (Article 28) and to keep a register of information covering all ICT service contracts. The most critical touchpoint is the technical access that external providers obtain to productive, critical ICT systems – for maintenance, support or operations.

Precisely this remote access must be controlled, observable and interruptible at any time. A provider reaching a core banking system through a permanently open VPN tunnel or shared administrative credentials conflicts with the DORA/RTS requirements: there is no clear attribution to the acting person (the RTS require identifiability and the restriction of shared accounts), no traceability of the session, and no ability to intervene immediately if something looks wrong.

As an ICT provider you are affected too – through the contractual DORA requirements of your financial clients and, where designated as critical, through direct EU oversight. You must be able to demonstrate that your access to client systems is controlled, traceable and interruptible. A controlled, recorded access layer is therefore relevant to both sides of the contract.

Session recording and complete evidence

DORA and the RTS require privileged activity to be logged and made available for supervision and audit. A pure network or login log is not enough: it shows that access happened, but not what took place in the session. Session recording closes this gap by making the privileged session itself reconstructable.

Decisive for auditability is actor accuracy: every security-relevant action must be attributed to the actual human – not to a technical shared or service account behind which several people disappear. Attribution therefore happens centrally at the gateway, tamper-proof and time-stamped.

These recordings are not an end in themselves: during a supervisory review or after a security incident they provide the evidence of effective control – for DORA as well as for NIS2, ISO 27001 and (for OT systems) IEC 62443. The evidence comes from the system, not from policy documents written after the fact.

From requirement to control: the Blackfort Privileged Access Bridge

The Blackfort Privileged Access Bridge (PAB) is the control layer that anchors exactly these DORA requirements structurally in the access process – instead of documenting them afterwards. It brokers privileged access to IT, OT and cloud systems as an agentless, hardened jump server: the user works in a recorded remote session, without anything being installed on the target system or the endpoint.

The DORA-relevant controls are therefore not additional work but part of the access itself: time-limited, on-demand access instead of permanently open tunnels; strong authentication before the session; session recording; live supervision from which a critical session can be terminated immediately; and a tamper-proof, actor-accurate audit trail as auditable evidence.

The PAB is operated in an EU-sovereign manner, either on-premises at the financial entity or as a managed service by Blackfort – including a break-glass model in which the operator retains no standing administrative access. This fits DORA's logic: controlled, demonstrable access without creating a new uncontrolled dependency.

DORA checklist: privileged access

  • No permanently open administrative access
  • On-demand, time-limited access (just-in-time)
  • Strong authentication (MFA) before every session
  • Session recording of privileged sessions
  • Actor-accurate, tamper-proof logging
  • Controlled access for external ICT providers
  • Immediate termination of a session possible
  • Auditable export for supervisor & auditors

Check your DORA readiness

We analyse your privileged access and provider connections and identify the DORA gaps.

Get in touch

In practice

Why privileged access is DORA-critical

The requirements are clearly stated. In practice, DORA-compliant privileged access rarely fails on intent, but on grown access structures. These six patterns we see again and again.

Permanently open remote access

Maintenance and provider access over standing VPN tunnels is reachable around the clock – without cause, without time limit. For privileged access the RTS require the opposite: granted only on demand (need-to-use/ad-hoc).

Shared administrative accounts

Shared or service accounts obscure which real person acted. The unambiguous attribution to the actor that DORA and the RTS require is not possible this way.

No recording of the session

Login logs show that access happened – not what took place in the session. The decisive evidence for supervision and incident analysis is missing.

Uncontrolled provider access

External ICT providers reach critical systems without access, scope and timing being centrally controlled – a direct conflict with DORA Art. 28.

No emergency stop

When a running privileged session raises concern, the ability to end it immediately and precisely is often missing. Yet responsiveness is core to operational resilience.

Evidence only from documents

Policies describe how access should be controlled. What counts in an audit is evidence from the live system – not the statement of intent in the concept.

Product

Blackfort Privileged Access Bridge

The control layer for privileged access in IT, OT and cloud

The Privileged Access Bridge delivers the controls DORA requires for privileged access – not as after-the-fact documentation, but structurally anchored in the access process. Auditors receive data from the system, not from policy documents.

Agentless jump server

Access to IT, OT and cloud systems through the browser – nothing installed on target or endpoint. In BSI terms a hardened jump server (OPS.1.2.5 Remote Maintenance).

Time-limited access

Access is granted on demand and with an expiry instead of standing permanently open – the basis for the least-privilege principle DORA requires.

Strong authentication (MFA)

MFA enforcement before the session via established methods (TOTP/Duo) or the connected identity provider.

Session recording

Recording of privileged sessions including searchable playback – the session itself becomes reconstructable, not just its start.

Live supervision with instant stop

A supervisor can observe running sessions live and terminate a critical session immediately (emergency stop) – not preventable by the operator.

Tamper-proof audit trail

Security-relevant actions are logged actor-accurately, time-stamped and centrally at the gateway – the real user does not disappear behind a service account.

Controlled third-party access

External providers receive specifically assigned, recorded access to exactly the released systems – without a direct network path into the core network.

Auditable export

Audit trail and recordings provide the evidence for DORA, NIS2, ISO 27001 and IEC 62443 audits – data from the system instead of policy documents.

EU-sovereign & on-prem/managed

Operation on-premises or as a managed service by Blackfort – optionally with a break-glass model without standing operator access.

Status note: Core controls such as agentless access, session recording, time-limited access, live supervision with instant stop and a tamper-proof audit trail are the delivered scope. The PAB delivers the auditable evidence; the regulatory mapping – assigning that evidence to the concrete DORA requirements – is done jointly in the project.

Regulatory context

Privileged access across the regulatory frameworks

DORA does not stand alone: the same control layer also serves NIS2, ISO 27001 and – in OT – IEC 62443. The key references for privileged access.

DORA – Art. 9 (Protection & prevention) & RTS (EU) 2024/1774

Controlled, need-limited access (least privilege, Art. 9(4)(c)) and strong authentication (lit. d). The related RTS (EU) 2024/1774 additionally require attribution of every action to an identifiable person and logging of security-relevant events (Art. 12, Art. 21). The PAB anchors these controls in the access process itself and provides the required evidence.

DORA – Art. 28 (ICT third-party risk)

Access by external ICT providers to critical systems must be controlled, monitored and interruptible. The PAB bundles, time-limits, records and supervises exactly these provider sessions – including from the perspective of the provider, who is subject to DORA itself.

NIS2 – Art. 21(2) (access control & supply chain)

NIS2 requires measures for, among others, access control (Art. 21(2)(i)), multi-factor authentication (lit. j) and supply-chain security including service providers (lit. d). Management bodies must approve the measures, oversee their implementation and can be held liable for infringements (Art. 20). The PAB provides the controls and evidence needed for this.

IEC 62443-3-3 – Remote access in OT

For industrial systems: strong authentication, dedicated monitored remote-access channels, complete logging and immediate termination – not a general VPN into the OT network, but a controlled entry point.

Why Blackfort

Privileged access for the regulated sector

We combine our own PAM product with ongoing DORA project experience – the controls are not only delivered, but placed in their regulatory context and made sustainable in operation.

Experience in the financial sector

Ongoing DORA engagements and project experience with financial entities, insurers and regulated operators.

PAM from a single source

Product, rollout and operation of the Privileged Access Bridge by the same team – from requirement to audit.

Regulatory focus

Advice along DORA, NIS2, ISO 27001, BSI IT-Grundschutz and IEC 62443 – the controls are placed in their regulatory context, not just delivered technically.

EU-sovereign

On-premises or managed service in the EU – no forced transfer of privileged access data into a hyperscaler cloud.

OT- and critical-infrastructure ready

Agentless access to OT systems over a dedicated, monitored channel – suitable for critical-infrastructure and industrial environments.

Managed with break-glass

Optionally operated without standing operator access – controlled, demonstrable access without a new uncontrolled dependency.

FAQ: DORA & privileged access

Does DORA explicitly require session recording?

No – DORA and the related RTS (EU 2024/1774) do not name session recording explicitly. What is required is control of privileged access (least privilege, need-to-use/ad-hoc), attribution of every action to an identifiable person, and logging of security-relevant events (RTS Art. 12 and Art. 21). A mere login log does not show what happened in the session. Session recording is a widely used, field-proven way to make privileged sessions traceable and auditable for supervision and incident analysis – as a means of implementation, not an explicit legal obligation.

Does DORA apply to us as an ICT provider, not just to banks?

Indirectly, yes. DORA obliges the financial entities directly; their requirements are passed on to their ICT providers through the contractual terms DORA mandates. Only ICT third-party providers designated as critical are subject to direct EU oversight. So if you have privileged access to a financial client's systems, you must be able to demonstrate contractually that this access is controlled, traceable and interruptible. A controlled access layer is therefore relevant to both sides of the contract.

Isn't a VPN enough to grant DORA-compliant remote access?

A VPN grants network access but no granular control over what happens after dialling in – and it often stands permanently open. It typically lacks session recording, live supervision, time-limited access and unambiguous attribution to the acting person. The Privileged Access Bridge adds exactly these controls – it replaces or wraps the VPN/jump-host access with the control layer DORA requires.

Is there an official DORA certification for privileged access?

No. DORA has no formal product or certification scheme like ISO 27001. Compliance is examined and enforced by the competent supervisory authorities (in Germany BaFin, for banks also the ECB). What is mandatory are the DORA requirements themselves – not a specific product. The Privileged Access Bridge is a tool to implement the required controls for privileged access in a practical, demonstrable way.

Does the PAB run on-premises or only as a cloud service?

Both are possible. The PAB is a standard x86-64 Linux VM and runs on any common hypervisor – on-premises at the financial entity or as a managed service by Blackfort, EU-sovereign. On request with a break-glass model in which the operator retains no standing administrative access. No forced dependency on a hyperscaler cloud arises.

Does this also cover privileged access to OT systems?

Yes. Access is agentless over a dedicated, monitored channel – suitable for OT/industrial environments and in line with IEC 62443-3-3 (strong authentication, monitored remote-access channels, logging, immediate termination). Instead of a general VPN into the OT network, a controlled entry point is created.

Kontakt aufnehmen

Build DORA-compliant privileged access

Let us analyse your privileged access and provider connections together and establish a controlled, recorded access layer under DORA.