Identity management procedures
Purpose and Scope
Financial entities must develop, document, and implement identity management procedures as an integral part of their control of access management rights.
These procedures establish the mechanisms to uniquely identify and authenticate all:
- natural persons, and
- systems
that access the financial entity’s information assets and ICT assets.
Identity management procedures form a critical prerequisite for ensuring that user access rights are correctly assigned, controlled, monitored, and revoked in accordance with Article 21 RTS RMF (Access Control).
Mandatory Functional Requirements
Unique Identification of All Users and Systems
The procedures must ensure that:
- each natural person (including staff, contractors, and staff of ICT third-party service providers), and
- each system or service accessing information assets or ICT assets
is uniquely identifiable under a unique identity.
This requirement is foundational for access control, accountability, and audit traceability.
The procedure must therefore establish:
- unique user IDs for all human users,
- unique service accounts for systems and machine-to-machine communications,
- traceability of all identities to the entity requesting access.
Authentication Prior to Access
The procedures must require that:
- all identities (human and system) undergo authentication before any access is granted.
Authentication means verifying the identity via:
- credentials,
- authentication factors,
- certificates, or
- other mechanisms,
commensurate with the security classification of ICT assets under Article 8(1) DORA.
Authentication must be performed reliably, consistently, and independently to prevent unauthorized access.
Enabling the Assignment of Access Rights (Link to Article 21)
Identity management procedures must explicitly support the access-rights model under Article 21 RTS RMF, including:
- the need-to-know and least-privilege principles,
- segregation of duties,
- assignment of privileged and administrative access,
- lifecycle management of all accounts.
Identity management is thus the cornerstone enabling:
- correct granting of access rights,
- annual and semi-annual access reviews,
- timely revocation of rights upon role change or termination,
- accountability for all actions performed in ICT systems.
The procedures must therefore ensure that identities are structured and managed in a way that enables the access-control policy and processes to function as required.
Integration with the ICT Risk Management Framework
Identity management forms part of the broader ICT risk management obligations under Articles 6 and 9 DORA.
The procedures must therefore:
- be fully integrated with ICT access governance,
- support risk-based authentication methods,
- align with secure-configuration requirements, and
- enable monitoring and logging under Article 12 RTS RMF.
They must also make it possible to:
- detect anomalous activities linked to identities,
- enforce privilege management,
- support incident investigation and forensics.