
DORA Compliance
DORA & Privileged Access
Controlled, recorded privileged access under DORA – Art. 9 access control and Art. 28 third-party management, with session recording and an auditable trail. Delivered with the Blackfort Privileged Access Bridge.
What DORA requires for privileged access
The Digital Operational Resilience Act (DORA) has applied to EU financial entities since 17 January 2025. For ICT third-party providers the requirements take effect indirectly – through the contractual terms DORA mandates; providers designated as critical are additionally subject to direct EU oversight. Privileged access (administrators, maintenance accounts, external providers reaching critical ICT systems) sits at the centre of it: it is an attacker's most effective lever, and therefore a direct focus of DORA's ICT risk management.
Article 9 (Protection and prevention) requires financial entities to limit access to ICT systems to what is necessary (least privilege, Art. 9(4)(c)) and to protect it with strong authentication mechanisms (Art. 9(4)(d)). The related Regulatory Technical Standards (Delegated Regulation (EU) 2024/1774) make this concrete for identity and access management: privileged access only on a need-to-use/ad-hoc basis, every action attributable to an identifiable person, restriction of generic and shared accounts, and logging of security-relevant events (RTS Art. 12 and Art. 21).
In practice this means four things for privileged access: no permanently open standing access, but access on demand and time-limited; strong authentication (MFA) before every session; a recording of what actually happens inside the session; and a tamper-proof record of who did what and when – auditable for the supervisory authority and external auditors.
DORA and external ICT service providers (Article 28)
DORA explicitly obliges financial entities to actively manage the risk arising from ICT third-party providers (Article 28) and to keep a register of information covering all ICT service contracts. The most critical touchpoint is the technical access that external providers obtain to productive, critical ICT systems – for maintenance, support or operations.
Precisely this remote access must be controlled, observable and interruptible at any time. A provider reaching a core banking system through a permanently open VPN tunnel or shared administrative credentials conflicts with the DORA/RTS requirements: there is no clear attribution to the acting person (the RTS require identifiability and the restriction of shared accounts), no traceability of the session, and no ability to intervene immediately if something looks wrong.
As an ICT provider you are affected too – through the contractual DORA requirements of your financial clients and, where designated as critical, through direct EU oversight. You must be able to demonstrate that your access to client systems is controlled, traceable and interruptible. A controlled, recorded access layer is therefore relevant to both sides of the contract.
Session recording and complete evidence
DORA and the RTS require privileged activity to be logged and made available for supervision and audit. A pure network or login log is not enough: it shows that access happened, but not what took place in the session. Session recording closes this gap by making the privileged session itself reconstructable.
Decisive for auditability is actor accuracy: every security-relevant action must be attributed to the actual human – not to a technical shared or service account behind which several people disappear. Attribution therefore happens centrally at the gateway, tamper-proof and time-stamped.
These recordings are not an end in themselves: during a supervisory review or after a security incident they provide the evidence of effective control – for DORA as well as for NIS2, ISO 27001 and (for OT systems) IEC 62443. The evidence comes from the system, not from policy documents written after the fact.
From requirement to control: the Blackfort Privileged Access Bridge
The Blackfort Privileged Access Bridge (PAB) is the control layer that anchors exactly these DORA requirements structurally in the access process – instead of documenting them afterwards. It brokers privileged access to IT, OT and cloud systems as an agentless, hardened jump server: the user works in a recorded remote session, without anything being installed on the target system or the endpoint.
The DORA-relevant controls are therefore not additional work but part of the access itself: time-limited, on-demand access instead of permanently open tunnels; strong authentication before the session; session recording; live supervision from which a critical session can be terminated immediately; and a tamper-proof, actor-accurate audit trail as auditable evidence.
The PAB is operated in an EU-sovereign manner, either on-premises at the financial entity or as a managed service by Blackfort – including a break-glass model in which the operator retains no standing administrative access. This fits DORA's logic: controlled, demonstrable access without creating a new uncontrolled dependency.
DORA checklist: privileged access
- No permanently open administrative access
- On-demand, time-limited access (just-in-time)
- Strong authentication (MFA) before every session
- Session recording of privileged sessions
- Actor-accurate, tamper-proof logging
- Controlled access for external ICT providers
- Immediate termination of a session possible
- Auditable export for supervisor & auditors
Related pages
Check your DORA readiness
We analyse your privileged access and provider connections and identify the DORA gaps.
Get in touchIn practice
Why privileged access is DORA-critical
The requirements are clearly stated. In practice, DORA-compliant privileged access rarely fails on intent, but on grown access structures. These six patterns we see again and again.
Permanently open remote access
Maintenance and provider access over standing VPN tunnels is reachable around the clock – without cause, without time limit. For privileged access the RTS require the opposite: granted only on demand (need-to-use/ad-hoc).
Shared administrative accounts
Shared or service accounts obscure which real person acted. The unambiguous attribution to the actor that DORA and the RTS require is not possible this way.
No recording of the session
Login logs show that access happened – not what took place in the session. The decisive evidence for supervision and incident analysis is missing.
Uncontrolled provider access
External ICT providers reach critical systems without access, scope and timing being centrally controlled – a direct conflict with DORA Art. 28.
No emergency stop
When a running privileged session raises concern, the ability to end it immediately and precisely is often missing. Yet responsiveness is core to operational resilience.
Evidence only from documents
Policies describe how access should be controlled. What counts in an audit is evidence from the live system – not the statement of intent in the concept.
Product
Blackfort Privileged Access Bridge
The control layer for privileged access in IT, OT and cloud
The Privileged Access Bridge delivers the controls DORA requires for privileged access – not as after-the-fact documentation, but structurally anchored in the access process. Auditors receive data from the system, not from policy documents.
Agentless jump server
Access to IT, OT and cloud systems through the browser – nothing installed on target or endpoint. In BSI terms a hardened jump server (OPS.1.2.5 Remote Maintenance).
Time-limited access
Access is granted on demand and with an expiry instead of standing permanently open – the basis for the least-privilege principle DORA requires.
Strong authentication (MFA)
MFA enforcement before the session via established methods (TOTP/Duo) or the connected identity provider.
Session recording
Recording of privileged sessions including searchable playback – the session itself becomes reconstructable, not just its start.
Live supervision with instant stop
A supervisor can observe running sessions live and terminate a critical session immediately (emergency stop) – not preventable by the operator.
Tamper-proof audit trail
Security-relevant actions are logged actor-accurately, time-stamped and centrally at the gateway – the real user does not disappear behind a service account.
Controlled third-party access
External providers receive specifically assigned, recorded access to exactly the released systems – without a direct network path into the core network.
Auditable export
Audit trail and recordings provide the evidence for DORA, NIS2, ISO 27001 and IEC 62443 audits – data from the system instead of policy documents.
EU-sovereign & on-prem/managed
Operation on-premises or as a managed service by Blackfort – optionally with a break-glass model without standing operator access.
Status note: Core controls such as agentless access, session recording, time-limited access, live supervision with instant stop and a tamper-proof audit trail are the delivered scope. The PAB delivers the auditable evidence; the regulatory mapping – assigning that evidence to the concrete DORA requirements – is done jointly in the project.
Regulatory context
Privileged access across the regulatory frameworks
DORA does not stand alone: the same control layer also serves NIS2, ISO 27001 and – in OT – IEC 62443. The key references for privileged access.
DORA – Art. 9 (Protection & prevention) & RTS (EU) 2024/1774
Controlled, need-limited access (least privilege, Art. 9(4)(c)) and strong authentication (lit. d). The related RTS (EU) 2024/1774 additionally require attribution of every action to an identifiable person and logging of security-relevant events (Art. 12, Art. 21). The PAB anchors these controls in the access process itself and provides the required evidence.
DORA – Art. 28 (ICT third-party risk)
Access by external ICT providers to critical systems must be controlled, monitored and interruptible. The PAB bundles, time-limits, records and supervises exactly these provider sessions – including from the perspective of the provider, who is subject to DORA itself.
NIS2 – Art. 21(2) (access control & supply chain)
NIS2 requires measures for, among others, access control (Art. 21(2)(i)), multi-factor authentication (lit. j) and supply-chain security including service providers (lit. d). Management bodies must approve the measures, oversee their implementation and can be held liable for infringements (Art. 20). The PAB provides the controls and evidence needed for this.
IEC 62443-3-3 – Remote access in OT
For industrial systems: strong authentication, dedicated monitored remote-access channels, complete logging and immediate termination – not a general VPN into the OT network, but a controlled entry point.
Why Blackfort
Privileged access for the regulated sector
We combine our own PAM product with ongoing DORA project experience – the controls are not only delivered, but placed in their regulatory context and made sustainable in operation.
Experience in the financial sector
Ongoing DORA engagements and project experience with financial entities, insurers and regulated operators.
PAM from a single source
Product, rollout and operation of the Privileged Access Bridge by the same team – from requirement to audit.
Regulatory focus
Advice along DORA, NIS2, ISO 27001, BSI IT-Grundschutz and IEC 62443 – the controls are placed in their regulatory context, not just delivered technically.
EU-sovereign
On-premises or managed service in the EU – no forced transfer of privileged access data into a hyperscaler cloud.
OT- and critical-infrastructure ready
Agentless access to OT systems over a dedicated, monitored channel – suitable for critical-infrastructure and industrial environments.
Managed with break-glass
Optionally operated without standing operator access – controlled, demonstrable access without a new uncontrolled dependency.
FAQ: DORA & privileged access
Does DORA explicitly require session recording?
No – DORA and the related RTS (EU 2024/1774) do not name session recording explicitly. What is required is control of privileged access (least privilege, need-to-use/ad-hoc), attribution of every action to an identifiable person, and logging of security-relevant events (RTS Art. 12 and Art. 21). A mere login log does not show what happened in the session. Session recording is a widely used, field-proven way to make privileged sessions traceable and auditable for supervision and incident analysis – as a means of implementation, not an explicit legal obligation.
Does DORA apply to us as an ICT provider, not just to banks?
Indirectly, yes. DORA obliges the financial entities directly; their requirements are passed on to their ICT providers through the contractual terms DORA mandates. Only ICT third-party providers designated as critical are subject to direct EU oversight. So if you have privileged access to a financial client's systems, you must be able to demonstrate contractually that this access is controlled, traceable and interruptible. A controlled access layer is therefore relevant to both sides of the contract.
Isn't a VPN enough to grant DORA-compliant remote access?
A VPN grants network access but no granular control over what happens after dialling in – and it often stands permanently open. It typically lacks session recording, live supervision, time-limited access and unambiguous attribution to the acting person. The Privileged Access Bridge adds exactly these controls – it replaces or wraps the VPN/jump-host access with the control layer DORA requires.
Is there an official DORA certification for privileged access?
No. DORA has no formal product or certification scheme like ISO 27001. Compliance is examined and enforced by the competent supervisory authorities (in Germany BaFin, for banks also the ECB). What is mandatory are the DORA requirements themselves – not a specific product. The Privileged Access Bridge is a tool to implement the required controls for privileged access in a practical, demonstrable way.
Does the PAB run on-premises or only as a cloud service?
Both are possible. The PAB is a standard x86-64 Linux VM and runs on any common hypervisor – on-premises at the financial entity or as a managed service by Blackfort, EU-sovereign. On request with a break-glass model in which the operator retains no standing administrative access. No forced dependency on a hyperscaler cloud arises.
Does this also cover privileged access to OT systems?
Yes. Access is agentless over a dedicated, monitored channel – suitable for OT/industrial environments and in line with IEC 62443-3-3 (strong authentication, monitored remote-access channels, logging, immediate termination). Instead of a general VPN into the OT network, a controlled entry point is created.
Kontakt aufnehmen
Build DORA-compliant privileged access
Let us analyse your privileged access and provider connections together and establish a controlled, recorded access layer under DORA.