
stranova Labs



Compliance Guide

DORA Ready: An Identity Governance Playbook for Financial Services

Who should read this:
Banks, insurers, payment institutions, fintechs, ICT risk leaders, and operational resilience teams.

Immediate Takeaways

  • Make identity a control layer inside the ICT risk management framework, not a side process.

  • Maintain a register of critical application owners, privileged roles, service accounts, and third-party ICT access.

  • Use periodic access reviews and segregation-of-duties (SoD) controls as repeatable, dated evidence that feeds resilience testing, not as a one-off certification exercise.

  • Tie incident playbooks to account compromise, privilege escalation, and third-party access failure scenarios.

Action Plan

  • 30 days: inventory critical ICT services and map privileged access paths.

  • 60 days: automate reviews for critical roles, third parties, and admin groups.

  • 90 days: run tabletop testing and produce board-ready evidence for control effectiveness.

  • Ongoing: continuously monitor for orphaned access (accounts whose owner has left or whose contract has ended), toxic combinations (role pairs that together defeat an SoD control), stale privileges (privileged access that is no longer used), and concentration risk (too much critical access held by one person, team, or vendor).

Control Checklist

  • Critical ICT access map across employees, contractors, vendors, service accounts, and APIs.

  • Access certification linked to critical or important functions.

  • Third-party access expiry and review tied to the ICT third-party register.

  • Incident runbooks for credential compromise and privileged access abuse.

  • Metrics: review completion, emergency access use, orphaned accounts, privilege drift, and unresolved exceptions.
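The ongoing monitoring item in the Action Plan and the metrics in this checklist are easiest to make repeatable when the checks run against an exported access inventory rather than a spreadsheet. The script below is an added example and is not part of the original playbook or any vendor product; the account records, role names, toxic role pairs, owner register and 45-day idle threshold are all constructed for illustration and would be replaced by the institution's own HR feed, ICT third-party register and role catalogue.

```python
"""Continuous identity-governance checks over an access inventory.

Added example for this playbook (not the guide's own code). The inventory,
role names, SoD conflict pairs, owner register and thresholds are constructed.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed segregation-of-duties conflicts: holding both roles in a pair
# lets one identity initiate and approve, or post and reconcile, alone.
TOXIC_PAIRS = {
    frozenset({"payments.initiate", "payments.approve"}),
    frozenset({"ledger.post", "ledger.reconcile"}),
}
# Assumed roles that count as privileged for staleness monitoring.
PRIVILEGED_ROLES = {"prod.admin", "iam.admin", "payments.approve"}
MAX_PRIVILEGED_IDLE_DAYS = 45  # assumed review threshold


@dataclass
class Account:
    account_id: str
    owner: str                       # HR identifier or vendor contract reference
    kind: str                        # "employee", "contractor", "vendor", "service"
    roles: set = field(default_factory=set)
    last_login: Optional[date] = None
    expires: Optional[date] = None   # mandatory for third-party access


def orphaned(accounts, active_owners):
    """Accounts whose owner is no longer in the active HR/contract register."""
    return sorted(a.account_id for a in accounts if a.owner not in active_owners)


def expired_third_party(accounts, today):
    """Vendor/contractor access past its expiry, or with no expiry set at all."""
    return sorted(a.account_id for a in accounts
                  if a.kind in ("vendor", "contractor")
                  and (a.expires is None or a.expires < today))


def toxic_combinations(accounts):
    """Accounts holding both halves of a defined SoD conflict pair."""
    hits = []
    for a in accounts:
        for pair in TOXIC_PAIRS:
            if pair <= a.roles:
                hits.append((a.account_id, tuple(sorted(pair))))
    return sorted(hits)


def stale_privileged(accounts, today, max_idle_days=MAX_PRIVILEGED_IDLE_DAYS):
    """Privileged accounts unused for longer than the threshold (or never)."""
    out = []
    for a in accounts:
        if a.roles & PRIVILEGED_ROLES:
            idle = (today - a.last_login).days if a.last_login else None
            if idle is None or idle > max_idle_days:
                out.append(a.account_id)
    return sorted(out)


def governance_metrics(accounts, active_owners, today):
    """Summarise findings as the counts the control checklist asks for."""
    privileged = [a for a in accounts if a.roles & PRIVILEGED_ROLES]
    return {
        "accounts": len(accounts),
        "privileged_accounts": len(privileged),
        "orphaned": len(orphaned(accounts, active_owners)),
        "expired_third_party": len(expired_third_party(accounts, today)),
        "toxic_combinations": len(toxic_combinations(accounts)),
        "stale_privileged": len(stale_privileged(accounts, today)),
    }


# Constructed sample data standing in for an HR/contract register and an
# identity-provider export.
TODAY = date(2025, 3, 1)
ACTIVE_OWNERS = {"E1001", "E1002", "E1003", "C-VENDOR-77"}
INVENTORY = [
    Account("alice", "E1001", "employee", {"payments.initiate"}, date(2025, 2, 27)),
    Account("bob", "E1002", "employee",
            {"payments.initiate", "payments.approve"}, date(2025, 2, 28)),
    Account("carol", "E1003", "employee", {"prod.admin"}, date(2024, 12, 1)),
    Account("dave", "E1099", "employee", {"ledger.post"}, date(2025, 1, 15)),  # owner left
    Account("vendor-soc", "C-VENDOR-77", "vendor", {"siem.read"},
            date(2025, 2, 20), expires=date(2025, 1, 31)),
    Account("svc-batch", "E1002", "service",
            {"ledger.post", "ledger.reconcile"}, date(2025, 2, 28)),
]

if __name__ == "__main__":
    print("orphaned:", orphaned(INVENTORY, ACTIVE_OWNERS))
    print("expired third-party:", expired_third_party(INVENTORY, TODAY))
    print("toxic combinations:", toxic_combinations(INVENTORY))
    print("stale privileged:", stale_privileged(INVENTORY, TODAY))
    print("metrics:", governance_metrics(INVENTORY, ACTIVE_OWNERS, TODAY))
```

Two design points matter for the evidence trail. First, the service account `svc-batch` is flagged for a toxic combination even though its owner is a legitimate employee: SoD checks must cover non-human identities, or the conflict simply moves into automation. Second, a third-party account with no expiry date is reported alongside one that has lapsed, because "no expiry" is the more common failure in practice and is what the ICT third-party register should never allow.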
