Contents
Procedures that address access rights
Purpose and Scope
As part of the ICT risk management framework under Article 6(1) DORA, financial entities must establish and implement procedures that ensure strict control over both physical and logical access to information assets and ICT assets.
These procedures must ensure that:
- only legitimate and approved functions and activities justify access,
- all access rights are administered securely, consistently, and auditable,
- access is limited to the minimum necessary in line with need-to-know, need-to-use, and least-privilege principles.
The procedures apply to:
- staff of the financial entity,
- contractors and temporary workers,
- staff of ICT third-party service providers,
- system and service accounts,
- all physical premises, data centres, and sensitive designated areas.
Mandatory Components of the Procedures (Article 9(4)(c) DORA)
The procedures addressing access rights must establish a complete set of policies, processes, and controls that achieve the following:
Limitation of Physical and Logical Access
The procedures must ensure that access to:
- information assets,
- ICT assets,
- physical locations containing such assets,
is restricted to activities that are:
- legitimate,
- pre-approved,
- role-justified, and
- aligned with operational, security, and governance requirements.
All non-essential access must be prohibited.
Governance and Administration of Access Rights
The procedures must define a sound administrative model for access rights, including:
- criteria for granting access based on job role, function, and business need,
- conditions for modifying access (role change, new responsibilities, temporary needs),
- processes for revoking access without undue delay,
- rules ensuring the segregation of duties,
- full documentation of all granted, modified, or revoked access rights.
This must integrate with:
- identity management procedures (Article 20 RTS RMF), and
- the access control policy (Article 21 RTS RMF).
Controls for Physical Access
The procedures must define:
- physical access restrictions to sensitive locations,
- logging and monitoring of physical access events,
- measures to prevent unauthorised entry,
- controls for visitor management and third-party technicians,
- periodic review of physical access rights.
These controls must apply proportionally to the criticality of locations and ICT systems.
Controls for Logical Access
The procedures must establish controls to prevent unauthorised logical access to ICT assets, including:
- authentication requirements,
- strong authentication mechanisms for critical or important functions,
- password and credential management,
- privileged-access restrictions,
- continuous monitoring for anomalous access patterns.
Procedures must also ensure the integrity of:
- user account lifecycle management,
- privileged-access management,
- system-to-system (service account) authentication.
Ongoing Review and Maintenance of Access Rights
The procedures must support:
- periodic review of all access rights,
- semi-annual reviews for ICT systems supporting critical or important functions,
- annual reviews for all other ICT systems,
- verification that access rights remain aligned with legitimate and approved activities.
Reviews must result in:
- timely removal of obsolete access rights,
- correction of excessive privileges,
- identification and remediation of access anomalies.
Integration with the ICT Risk Management Framework
The procedures addressing access rights form a core element of the financial entity’s ICT risk management framework under Article 6 DORA.
They must therefore:
- align with business processes and digital operational resilience strategy (Article 6(8)),
- integrate with ICT security policies under Article 9(2),
- support ICT incident detection under Article 10 and RTS RMF Articles 22–23,
- meet audit and oversight requirements under Article 6(6)–(7).
They must additionally support:
- secure configuration baselines (Article 11(b) RTS RMF),
- logging requirements (Article 12 RTS RMF),
- network security requirements (Article 13 RTS RMF),
- identity management requirements (Article 20 RTS RMF),
- access control requirements (Article 21 RTS RMF).