The Digital Operational Resilience Act (DORA) is Regulation (EU) 2022/2554, an EU law that strengthens the digital operational resilience of the financial sector. It was adopted on December 14, 2022, entered into force on January 16, 2023, and became fully applicable on January 17, 2025, after a two-year implementation window. DORA was created because the financial sector depends heavily on technology and on third-party technology providers, which makes it vulnerable to cyberattacks and IT disruptions that can cascade across borders and threaten financial stability.
DORA is a regulation, not a directive. This is an important distinction. Unlike the NIS2 Directive, which each member state must transpose into national law, DORA applies directly and uniformly across all EU member states without the need for national transposition. The same core requirements apply everywhere in the EU, though member states set their own penalty frameworks. DORA is supplemented by a set of Regulatory Technical Standards (RTS) and Implementing Technical Standards (ITS) that specify its requirements in detail, including the authentication requirements that matter for MFA.
DORA covers four main areas: ICT risk management, ICT-related incident reporting, digital operational resilience testing, and ICT third-party risk management. It also establishes an EU-level oversight framework for the most critical technology providers to the financial sector. For financial entities, 2025 was largely a transition year, and 2026 is the year supervisory authorities move to active enforcement.
DORA applies to a broad range of financial entities operating in the EU, around 20 categories in total, as well as to the ICT third-party providers that serve them. In-scope organizations include:
A proportionality principle applies, so smaller entities such as microenterprises face simplified requirements. However, core obligations still apply regardless of size. The inclusion of ICT third-party providers is one of DORA’s most significant features, because it extends the regulation’s reach well beyond financial entities themselves.
A note for Canadian and other non-EU organizations: DORA has extraterritorial reach. A non-EU technology provider that supplies services to EU financial entities can fall within DORA’s scope, and a provider designated as a critical ICT third-party provider must establish an EU subsidiary within 12 months of designation. In November 2025, the European authorities named the first critical ICT third-party providers, a list that included major global technology firms. Even where DORA does not apply directly, EU financial clients increasingly require DORA-aligned security measures, including strong authentication, from their providers through contracts. Canadian financial entities with EU operations should expect to comply directly.
DORA’s requirements span ICT risk management, incident reporting, resilience testing, and third-party risk. The authentication requirements most relevant to MFA sit within the ICT risk management framework in Article 9 and are developed further in the Regulatory Technical Standard on ICT risk management. The table below maps the key provisions to their MFA relevance and how LoginTC supports them.
| DORA Provision | Requirement | MFA Relevance | LoginTC Relevance |
|---|---|---|---|
| Article 9(4)(d) | Implement strong authentication mechanisms based on relevant standards and the results of the ICT risk assessment | Mandatory | Strong MFA for remote access, privileged accounts, and applications via RADIUS/LDAP/AD |
| RTS on ICT risk management (Reg. 2024/1774) | MFA for all privileged access and access to systems supporting critical or important functions | Mandatory, legal force | MFA enforcement across privileged and critical-function systems |
| Article 9(4)(c) | Limit physical and logical access to ICT assets to what is required for legitimate functions | MFA enforces access control | Role-based and least-privilege access policies |
| Article 28-30 (third-party risk) | Manage ICT third-party risk, including the security practices of providers | Extends authentication expectations to vendors | MFA for third-party and vendor remote access |
| Article 5 (governance) | Management body defines, approves, and is accountable for the ICT risk management framework | Board must own the authentication policy | Centralized reporting for governance evidence |
Article 9 sits within DORA’s ICT risk management framework and sets out the protective measures financial entities must take to secure their systems and data. Among these, Article 9(4)(d) requires entities to implement policies and protocols for strong authentication mechanisms, based on relevant standards and dedicated control systems, and to protect cryptographic keys. Crucially, the requirement is tied to the results of the entity’s data classification and ICT risk assessment. In other words, DORA requires an entity to assess its ICT assets and processes and then decide where strong authentication is needed to reduce risk.
DORA’s high-level requirements are made concrete by the Regulatory Technical Standard on ICT risk management, Commission Delegated Regulation (EU) 2024/1774. This standard has legal force and adds prescriptive detail. On authentication, it specifies that strong authentication, including multi-factor authentication, must be applied to all privileged access and to access to all systems that support critical or important functions. This is the provision that turns DORA’s general “strong authentication” language into a concrete MFA obligation. The standard also brings service accounts explicitly into scope, requiring entities to maintain an inventory of them and apply appropriate controls.
DORA generally uses the phrase “strong authentication” rather than “MFA.” In practice, the requirement is met through multi-factor authentication: the use of at least two independent factors from different categories, being something you know, such as a password; something you have, such as a hardware token or authenticator app; and something you are, such as a biometric. The RTS makes clear that MFA is the expected mechanism for privileged and critical-function access. DORA’s authentication requirements apply to the workforce, meaning employees and contractors. Customer authentication for financial services is governed by separate legislation, the revised Payment Services Directive (PSD2).
Yes. DORA requires strong authentication under Article 9, and the accompanying Regulatory Technical Standard on ICT risk management makes multi-factor authentication mandatory for all privileged access and for access to systems that support critical or important functions. This is not guidance. The RTS is a technical standard with legal force, so MFA on privileged accounts is a binding obligation for in-scope financial entities.
The requirement is risk-based, which shapes how it applies but does not weaken it. DORA expects entities to conduct an ICT risk assessment, classify their assets, and determine where strong authentication is needed to reduce risk. For privileged access and critical-function systems, the RTS removes the discretion: MFA is required. For other access, the entity must assess and document its decisions. Supervisors have been clear that undocumented MFA exceptions are a compliance finding, and that exceptions must be justified, risk-accepted by management, and mitigated with compensating controls.
Early DORA examinations have highlighted a consistent theme: the gap between what policies say and what evidence shows. Supervisors are not accepting well-written authentication policies at face value. They are asking for operational evidence that the controls are actually running, such as access review outputs, service account inventories, and exception logs. An entity that cannot produce this evidence has a gap regardless of what its policy states.
The technical expectation is also rising. For privileged access, phishing-resistant methods such as FIDO2 security keys are increasingly preferred over weaker factors such as SMS codes. The bottom line for financial entities is clear: MFA is legally required for privileged and critical-function access, it must be provable with evidence, and for the highest-risk access it should be phishing-resistant.
DORA establishes a strict penalty regime, and it applies differently to financial entities, individuals, and critical ICT third-party providers.
For financial entities, competent authorities can impose fines of up to 2% of total annual worldwide turnover, or up to 1% of average daily worldwide turnover for certain ongoing breaches. Because DORA is a regulation rather than a directive, member states set the specific national penalty frameworks, and some have gone well beyond the baseline. Individual members of the management body can face personal fines of up to €1 million, reflecting DORA’s emphasis on management accountability under Article 5, which makes the board responsible for the ICT risk management framework.
Critical ICT third-party providers face a separate penalty regime enforced directly at the EU level by a lead overseer. The lead overseer can impose periodic penalty payments of up to 1% of the provider’s average daily worldwide turnover for each day of non-compliance, for up to six months. For a large cloud provider, this can amount to a very substantial daily figure. In the most extreme cases, the lead overseer can recommend that financial entities suspend or terminate their arrangements with a non-compliant provider.
Beyond fines, supervisors can issue binding instructions, require specific remediation, restrict business activities, and publicly name non-compliant firms. In EU financial markets, public naming often draws more board attention than a monetary penalty. DORA also connects to other regimes: a single major incident could expose an entity to a DORA penalty, a GDPR penalty, and personal liability at the same time. With enforcement moving from a transition posture in 2025 to active supervision in 2026, the practical exposure is real and growing.
DORA ties authentication requirements to your data classification and ICT risk assessment, so start there. Identify and classify your ICT assets, and determine which systems support critical or important functions. This classification drives your MFA scope, because the RTS requires MFA for privileged access and for access to critical-function systems. A documented risk assessment is also the evidence that supports your authentication decisions during a supervisory review.
Map every privileged account and every access path into critical-function systems, including administrator accounts, remote access, and service accounts, which DORA brings explicitly into scope. Distinguish privileged from standard access, and document the purpose of each privileged and service account. This inventory becomes your MFA deployment target and a key piece of audit evidence.
Choose an MFA solution that can enforce strong authentication across the access points in scope, including remote access, privileged accounts, and the applications and infrastructure behind critical functions. Look for support for RADIUS, LDAP, and Active Directory to cover the systems common in financial environments, and consider whether you need cloud, on-premises, or hybrid deployment based on your infrastructure and data handling requirements. For legacy financial applications that cannot integrate with modern identity systems, plan for an access proxy or privileged access approach that can enforce MFA without rewriting the application.
Because supervisory expectations favor phishing-resistant authentication for high-risk access, deploy methods such as FIDO2 security keys or smart cards for privileged accounts and administrators. DORA’s Article 9 explicitly ties strong authentication to protection against phishing, so phishing-resistant factors align directly with the requirement for your most sensitive access.
Roll out MFA to all privileged access and all access to critical-function systems, which the RTS makes mandatory. Include remote access and third-party and vendor access, which fall under DORA’s third-party risk requirements. Avoid the common coverage gaps that show up in examinations, such as MFA on the VPN while critical applications remain password-only, or vendor access that bypasses MFA through shared accounts. Make coverage explicit and complete.
DORA is evidence-based and places accountability on the management body under Article 5. Document your authentication policy, the systems and accounts covered, and any exceptions with their justification and management sign-off. Have the management body approve and oversee the framework. Keep the risk assessment, the policy, the account inventories, and the exception log together, since these are exactly what a supervisor will ask for.
Ensure your MFA solution logs all authentication events, including successful and failed attempts and MFA challenges, and forward them to your monitoring or SIEM platform. DORA expects entities to detect and respond to incidents quickly, and authentication logs are central to that. Establish regular access reviews and produce the review outputs, since supervisors expect to see evidence that controls are running over time, not just documented once.
For many financial entities, the hardest part of DORA authentication compliance is not the modern cloud environment but the legacy systems and the third-party relationships that sit around it.
Financial institutions frequently run core systems that are decades old and were never designed to integrate with modern identity platforms. These systems often hold or support critical functions, which places them squarely within the scope of the MFA requirement, yet they cannot easily accept a standard MFA integration. The practical answer is to enforce MFA at the access layer, through RADIUS, an access proxy, or a privileged access approach, so that strong authentication is required before a user reaches the legacy system, without rewriting the application itself.
Third-party and vendor access is the other common gap. DORA places heavy emphasis on ICT third-party risk, and examinations frequently find vendor access that bypasses MFA through shared accounts or legacy support tooling. Every third-party path into a critical-function system needs the same strong authentication as internal access, and those arrangements need to be reflected in contracts and monitored over time. Addressing legacy systems and third-party access early is often what separates a smooth DORA examination from a difficult one.
LoginTC is well suited to the environments financial entities operate, where strong authentication needs to reach not only modern applications but also the legacy core systems and third-party access paths that DORA scrutinizes. LoginTC integrates through RADIUS, LDAP, and Active Directory, so financial entities can enforce MFA across remote access, privileged accounts, and critical-function systems without replacing existing infrastructure.
For the Article 9 strong authentication requirement and the RTS obligation to apply MFA to privileged and critical-function access, LoginTC enforces MFA on the access points that matter, including remote access, Windows logon, VPNs, and administrator accounts. It supports phishing-resistant factors such as FIDO2 security keys and hardware tokens, which align with DORA’s emphasis on protection against phishing for privileged access. For legacy financial applications that cannot integrate with modern identity systems directly, enforcing MFA at the access layer allows strong authentication without changes to the application.
For financial entities that need to keep authentication infrastructure within their own environment, LoginTC’s on-premises deployment option provides that control. Detailed authentication logs and centralized administration give compliance teams the operational evidence DORA examinations require, such as records that authentication controls are running, which is exactly the kind of proof supervisors ask for rather than policy documents alone.
Explore LoginTC for Finance | View All Connectors
Yes. DORA Article 9 requires strong authentication, and the Regulatory Technical Standard on ICT risk management (Commission Delegated Regulation (EU) 2024/1774) makes multi-factor authentication mandatory for all privileged access and for access to systems supporting critical or important functions. The RTS has legal force, so MFA on privileged accounts is a binding requirement, not a recommendation. For other access, entities must assess where strong authentication is needed based on their ICT risk assessment.
DORA applies to around 20 categories of financial entities operating in the EU, including banks, investment firms, insurers, payment institutions, crypto-asset service providers, and crowdfunding platforms, as well as the ICT third-party providers that serve them. Providers designated as critical face direct oversight from EU authorities. A proportionality principle gives smaller entities simplified requirements, but core obligations apply regardless of size.
Both are EU cybersecurity laws that require MFA, but they differ in scope and legal form. DORA is a regulation that applies directly and uniformly across the EU and is specific to the financial sector, where it takes precedence. NIS2 is a directive that each member state transposes into national law and covers a broad range of critical and important sectors. A financial entity is generally governed by DORA for ICT risk, while a group that includes non-financial entities may have subsidiaries under NIS2.
DORA requires strong authentication using at least two independent factors from different categories: something you know, something you have, and something you are. The RTS expects MFA for privileged and critical-function access. Article 9 ties strong authentication to protection against phishing, so phishing-resistant methods such as FIDO2 security keys are strongly preferred for privileged access. Weaker methods such as SMS codes are increasingly seen as insufficient for high-risk access.
Yes, in certain cases. A non-EU ICT provider that serves EU financial entities can fall within DORA’s scope, and a provider designated as critical must establish an EU subsidiary within 12 months. Non-EU financial entities with EU operations are directly in scope for those operations. Even where DORA does not apply directly, EU financial clients typically require DORA-aligned security measures, including strong authentication, from their providers through contracts.
No. DORA’s authentication requirements apply to the workforce, meaning employees, contractors, and other internal users. Customer authentication for financial services, such as customers logging into online banking or authorizing payments, is governed by separate EU legislation, the revised Payment Services Directive (PSD2). DORA focuses on the operational resilience and internal security of the financial entity.
No. DORA does not require a specific hosting model. Both cloud-based and on-premises LoginTC deployments can support DORA compliance. For financial entities that prefer to keep authentication infrastructure within their own controlled environment, or that need to enforce MFA on legacy core systems, LoginTC’s on-premises option and its ability to enforce MFA at the access layer are particularly useful.
Meeting DORA’s strong authentication requirement means more than switching on MFA. It means classifying your assets, covering privileged and critical-function access, handling legacy systems and third-party access that examinations focus on, and producing the operational evidence a supervisor will expect to see.
Our team helps financial entities and their technology providers deploy MFA that meets DORA’s requirements across modern and legacy systems, without disrupting core financial operations. If you are preparing for supervisory review or closing gaps in your authentication coverage, we are ready to help.