DORA: New requirements for ICT security in finance – here's what you need to know
The finance sector is increasingly dependent on digital systems and external IT providers. When something fails – whether due to technical error, cyber attack, or human error – the consequences can be significant. Therefore, the EU has introduced the DORA regulation (Digital Operational Resilience Act), which aims to strengthen digital resilience across the financial industry. DORA sets requirements for how businesses plan, prevent, detect, handle, and learn from ICT-related incidents. The goal is to ensure continuity, protect customer data, and reduce the risk of operational disruptions in a sector that is critical to society.
The regulation applies from 17 January 2025 and covers banks, insurance companies, fund managers, payment institutions and other financial entities, and, through its oversight framework, the critical ICT third-party providers that serve them. For many businesses this means stricter requirements for oversight, documentation, and access control. It is not enough to have good systems; you must be able to show that you have control, and that requires insight into your own data.
How Bsure helps businesses meet the requirements
Bsure connects to Microsoft Entra ID and provides an updated and user-friendly overview of that part of your IT environment. Several of our features directly support the requirements in DORA's articles on ICT risk management, access control, and third-party management.
1. Users and access
DORA requirement: Access management should be based on the principle of least privilege (need-to-know, need-to-use) and be subject to documented control.
Who has access to your systems
Users without enabled multi-factor authentication (MFA)
Inactive or outdated accounts
Guest users and external access
Users with administrative rights
Service accounts and applications – including what rights they have and where they log in from
Many organisations believe user access and MFA are under control because the policy says every new account gets MFA. What the policy misses is the old on-prem AD that is synchronised to the cloud: stale accounts, unused groups, and service accounts created before the policy existed arrive in Entra ID with it, and nothing in the policy catches them. Unless someone enumerates those accounts, the starting point is unclear and exposed.
2. Applications and license usage
DORA requirement: Businesses must have an overview of system usage and ensure that ICT resources are used in a controlled manner.
Which applications are in use
Who uses them – and how
Misused or unused licenses
Many businesses have far more applications integrated into Entra ID than they think, including third-party apps that employees have consented to themselves, granting the app permissions in their own name. It is often unclear what data these apps can reach, who actually uses them, and where the data is processed.
3. Devices
DORA requirement: All devices connected to the business's network should be monitored and controlled as part of ICT risk management.
Which devices are in use and who uses them
Operating systems and last usage time
Outdated or potentially vulnerable devices
Devices that have connected to Entra ID once often remain registered and enabled in the directory even if they have not been used for many months. This gives a false picture of the security status and can hide real vulnerabilities, because the device count and the enabled flag say nothing about whether the device is still patched, managed, or even in use.
4. Documentation and follow-up
DORA requirement: Risk management and security measures should be documented and verifiable.
Document access management and security status
Identify and follow up on risks
Share relevant insights with management, audit, and supervisory authorities
It is easy to assume that documentation is in place as long as the measures are "described", but the link between the description, the actual implementation, and ongoing follow-up is often missing. Without continuous insight and recorded evidence, the security work cannot be demonstrated to management, auditors, or supervisors.
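The checks behind sections 1 to 4, as an added example that is not part of the original page and is not Bsure's code: it queries Microsoft Entra ID directly with the Microsoft Graph PowerShell SDK and writes dated CSVs as evidence. Assumptions: the Microsoft.Graph modules are installed, the caller is granted the scopes listed in the script, the tenant has Entra ID P1 (sign-in activity is a P1 feature), and the 90-day window and the .\evidence folder are arbitrary choices for illustration.

```powershell
# Added example, not Bsure's code. Inventory checks for sections 1-4 against
# Microsoft Entra ID using the Microsoft Graph PowerShell SDK.
# Assumptions: Microsoft.Graph modules installed; caller consented to the scopes
# below; Entra ID P1 (needed for SignInActivity); 90-day window and .\evidence
# folder are illustrative choices.
Import-Module Microsoft.Graph.Users
Import-Module Microsoft.Graph.Reports
Import-Module Microsoft.Graph.Identity.DirectoryManagement
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Applications

Connect-MgGraph -NoWelcome -Scopes 'User.Read.All','AuditLog.Read.All','Reports.Read.All',
    'Device.Read.All','Application.Read.All','Directory.Read.All'

$StaleAfter = (Get-Date).AddDays(-90)
$Out = (New-Item -ItemType Directory -Path '.\evidence' -Force).FullName

# A null last-sign-in means "never seen"; treat it as stale rather than skipping it.
function Test-Stale([Nullable[datetime]]$When) {
    return ($null -eq $When) -or ($When -lt $StaleAfter)
}

# --- 1. Users and access ------------------------------------------------------
$users = Get-MgUser -All -Property Id,UserPrincipalName,AccountEnabled,UserType,
    OnPremisesSyncEnabled,SignInActivity
$byId = @{}
foreach ($u in $users) { $byId[$u.Id] = $u }

# Registration report: enabled users with no MFA method registered at all, and
# whether they are admins. OnPremisesSyncEnabled marks accounts synchronised
# from on-prem AD, which is where pre-policy accounts usually hide.
$noMfa = @(Get-MgReportAuthenticationMethodUserRegistrationDetail -All |
    Where-Object { -not $_.IsMfaRegistered } |
    ForEach-Object {
        $u = $byId[$_.Id]
        if ($u -and $u.AccountEnabled) {
            [pscustomobject]@{
                User       = $u.UserPrincipalName
                IsAdmin    = $_.IsAdmin
                UserType   = $u.UserType          # 'Guest' = external access
                FromOnPrem = [bool]$u.OnPremisesSyncEnabled
                LastSignIn = $u.SignInActivity.LastSignInDateTime
            }
        }
    })

# Enabled accounts nobody has used in the window (or ever).
$inactiveUsers = @($users |
    Where-Object { $_.AccountEnabled -and (Test-Stale $_.SignInActivity.LastSignInDateTime) } |
    Select-Object UserPrincipalName, UserType, OnPremisesSyncEnabled,
        @{n='LastSignIn'; e={ $_.SignInActivity.LastSignInDateTime }})

# --- 2. Applications: delegated permissions users granted themselves ----------
# ConsentType 'Principal' is a per-user consent, i.e. an app an employee added
# without admin review; Scope is exactly what the app may do as that user.
$spName = @{}
Get-MgServicePrincipal -All -Property Id,DisplayName | ForEach-Object { $spName[$_.Id] = $_.DisplayName }
$userConsents = @(Get-MgOauth2PermissionGrant -All |
    Where-Object { $_.ConsentType -eq 'Principal' } |
    Select-Object @{n='App'; e={ $spName[$_.ClientId] }},
        @{n='GrantedBy'; e={ $byId[$_.PrincipalId].UserPrincipalName }}, Scope)

# --- 3. Devices: still enabled, but not seen in the window --------------------
$staleDevices = @(Get-MgDevice -All -Property DisplayName,OperatingSystem,OperatingSystemVersion,
    ApproximateLastSignInDateTime,AccountEnabled,TrustType |
    Where-Object { $_.AccountEnabled -and (Test-Stale $_.ApproximateLastSignInDateTime) } |
    Select-Object DisplayName, OperatingSystem, OperatingSystemVersion, TrustType, ApproximateLastSignInDateTime)

# --- 4. Evidence: one dated CSV per finding for the audit trail ---------------
$stamp = Get-Date -Format 'yyyyMMdd'
$noMfa         | Export-Csv (Join-Path $Out "$stamp-users-without-mfa.csv")    -NoTypeInformation
$inactiveUsers | Export-Csv (Join-Path $Out "$stamp-inactive-users.csv")       -NoTypeInformation
$userConsents  | Export-Csv (Join-Path $Out "$stamp-user-consented-apps.csv")  -NoTypeInformation
$staleDevices  | Export-Csv (Join-Path $Out "$stamp-stale-devices.csv")        -NoTypeInformation

"{0} users without MFA ({1} admins, {2} synced from on-prem)" -f $noMfa.Count,
    @($noMfa | Where-Object IsAdmin).Count, @($noMfa | Where-Object FromOnPrem).Count
"{0} inactive users, {1} user-consented apps, {2} stale devices" -f $inactiveUsers.Count,
    $userConsents.Count, $staleDevices.Count
```

Two caveats when reading the output. The registration report shows who has no MFA method registered, not whether MFA is enforced; enforcement comes from Conditional Access, so a user with a method registered can still sign in without MFA if no policy requires it. And ApproximateLastSignInDateTime on devices is, as the name says, approximate: use it to pick candidates for review, not as proof that a device is unused.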
What Bsure covers – and what you still need to solve yourself
Bsure Insights is a practical solution for gaining control at the user, device, and application level, which is an important part of DORA. But to comply with the entire regulation, other measures and systems are also required. Here are some areas where you still need to supplement:
Incident reporting to authorities (requires own reporting systems and routines)
Digital operational resilience testing (Articles 24–27), including threat-led penetration testing by qualified testers for the entities required to perform it
Continuity plans and recovery (backup, failover, crisis plans, etc.)
Management of contracts and agreements with ICT providers (e.g., SLAs, contract content)
Secure sharing of threat information (platforms for collaboration between actors)
DORA is a comprehensive regulation, but it doesn't have to be complicated to get started. Bsure helps you with the basics: gaining insight, cleaning up, and reducing risk in your business's digital infrastructure – in a practical and efficient way.
How Bsure supports specific requirements in DORA
Bsure contributes to compliance with several of the requirements in DORA, including these articles:
Articles 5–15: ICT risk management - Bsure provides ongoing insight into user access, inactive accounts, and devices - Contributes to monitoring and documentation of critical components
Articles 17–19: ICT-related incident management, classification and reporting - Bsure provides basic data (which user, which device, which application) for identifying and following up on incidents; the classification and the reporting itself must be handled elsewhere
Articles 28–30: ICT third-party risk - Bsure provides insight into applications and associated rights granted to external parties, one input to the register of information on ICT third-party arrangements that Article 28 requires
Articles 6 and 9: ICT risk management framework, protection and prevention (including access management) - Bsure helps identify weaknesses in access management and provides a basis for audit and supervision
In summary – what Bsure covers and doesn't cover
Bsure helps you with:
Overview of users, access, roles, and MFA status
Insight into active and inactive devices
Applications and integrations connected to the business's Entra ID
Documentation of security status and improvement areas
Identifying risks related to old accounts and shadow IT
You still need to solve with other measures:
Reporting of serious ICT incidents to authorities
Crisis and continuity plans with backup and failover
Advanced penetration testing and technical resilience testing
Detailed contract and supplier follow-up
Sharing of threat information between businesses