Author: Eirik Salmi, System Analyst at Passwork
When a threat actor walks into your network using a legitimate username and password, which control stops them?
For most financial institutions, the honest answer is: nothing catches it immediately. The attacker looks like an authorised user. They move laterally, escalate privileges, and map critical systems for an average of 186 days before the breach is even identified — and a further 55 days to contain it — according to IBM's Cost of a Data Breach Report (2025).
By then, the operational damage is done, and the regulatory clock has already started.
On January 17, 2025, the Digital Operational Resilience Act (DORA) entered into application across the EU. Article 9 of the regulation, the "Protection and prevention" article of its ICT risk management framework, makes credential and access management a binding control for financial entities, with supervisory consequences for institutions that fall short.
The question is no longer whether your authentication posture meets best practice. It is whether it meets the law — and whether you can prove it.
This article traces the specific Article 9 requirements that govern credential management, explains why a compromised password is an operational resilience failure under DORA's framework, and outlines the practical controls that close the gap.
The threat that DORA was built to counter
Stolen credentials are the single largest initial access vector in 2025, accounting for 22% of all data breaches, per Verizon's Data Breach Investigations Report. For financial institutions, the sector-specific cost of that exposure averages $5.56 million per incident, according to IBM's Cost of a Data Breach Report — down from $6.08 million in 2024, yet still the second-highest of any industry globally.
The supply side of credential theft has been fully industrialised. Initial Access Brokers sell verified corporate network access for an average of $2,700, with 71% of listings including privileged credentials — pre-packaged access that requires no technical skill to exploit, according to Rapid7 research.