Identity and access management

Explicit identity management requirements (Art. 20 RTS RMF)

BaFin notes that BAIT/VAIT already implied identity management, but DORA now makes it an explicit, documented discipline.

Under Art. 20 RTS RMF, financial entities must have documented identity management guidelines and procedures that ensure:

Unique identity for every person accessing ICT assets
- Every employee, including staff of ICT third-party providers, must have a unique identity for access to the institution’s information and ICT assets.
- No “shared” identities as a standard operating mode.
Persistence of unique identities across changes
- Identities must remain unique and traceable even:
  - after reorganisations, and
  - at the end of the contractual relationship (for forensic / audit purposes).
Lifecycle management for identities and accounts
- A full lifecycle process is required:
  - creation → modification (job change, role change) → suspension → deletion/archiving.
- DORA explicitly encourages automated solutions for identity & account lifecycle where possible.

BAIT/VAIT already required sound IAM, but did not spell out identity lifecycle and uniqueness so clearly.
Under DORA, the identity lifecycle becomes a formal control object:
- Own policy
- Own procedures
- Evidence that third-party staff identities are handled the same way as internal ones.

The access management part in RTS RMF adds one new principle and tightens some frequencies, otherwise it mostly re-labels BAIT/VAIT ideas.

Art. 21 RTS RMF introduces the “need-to-use” principle as a complement to:

from BAIT/VAIT Chapter 6.2.

BaFin’s interpretation:

In reality, need-to-use ≈ need-to-know/least privilege – it emphasises that access must only exist where there is a concrete operational need to actually use the resource.
Therefore, no big design change, but:
- it creates an explicit regulatory test (“Is this access really needed for use?”) for recertifications and role definitions.

BaFin lists the following as part of DORA’s minimum set: