The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) has applied across the European Union since 17 January 2025, and it raises the bar for cybersecurity accountability in financial institutions. For international banks operating in or serving EU markets, DORA is more than another regulation: it is a comprehensive framework that demands operational resilience, secure access, and continuous, demonstrable compliance across increasingly complex digital ecosystems.
But as many CISOs and compliance leaders are discovering, traditional access models—especially legacy VPNs and perimeter-based security—are ill-equipped to meet DORA’s rigorous standards.
Third-Party Access: DORA’s Hidden Risk Vector
One of the most consequential shifts DORA introduces is an explicit focus on third-party ICT risk. Financial institutions are now responsible not only for their internal systems but also for ensuring that vendors, contractors, and service providers accessing their infrastructure do so securely, traceably, and in compliance with EU standards.
This is a high-stakes challenge. Third-party access is often the weakest link in an organization’s security posture. Misconfigured permissions, missing segmentation, and limited visibility can expose sensitive financial data to unauthorized actors, and they undermine exactly the controls DORA expects to see: auditable access decisions, segmented privileges, and the ability to keep operating when something goes wrong.
For CISOs and compliance leaders, the questions are urgent as DORA raises the bar for how third-party access must be controlled and verified:
- Can we prove that third-party users access only the systems and data they’re explicitly authorized to use?
- Are external sessions monitored and logged with the same rigor as internal ones?
- Can we revoke access instantly if a vendor’s risk posture changes?
These aren’t theoretical concerns. DORA expects financial entities to manage third-party access with the same precision and accountability as internal access. In access-control terms, that means:
- Real-time verification of external identities
- Granular segmentation of access privileges
- Audit trails for every third-party session
- Automated provisioning and deprovisioning workflows
From Perimeter to Principle: What DORA Demands
DORA’s scope is sweeping. It applies to banks, investment firms, insurance companies, and even third-party ICT providers. Its core objective is to ensure that financial entities can withstand, respond to, and recover from all types of ICT-related disruptions and threats.
For access infrastructure, those obligations translate into:
- Granular access control based on identity, role, and device trust
- Continuous monitoring and auditability of access decisions
- Secure third-party access with traceability and segmentation
- Incident reporting and operational continuity
- Proof of policy enforcement and real-time verification
These mandates are not optional. Institutions must demonstrate that their access infrastructure supports least-privilege principles, segmentation, and real-time risk evaluation—not just during audits, but continuously.
Leadership Concerns: What Keeps CISOs and Compliance Officers Awake
For security and compliance leaders, DORA introduces a new set of pressures. They are likely asking:
- Can we prove who accessed what, when and why?
- Are our access policies enforced consistently across cloud, on-prem, and hybrid environments?
- Do we have visibility into third-party access and contractor sessions?
- How quickly can we revoke access when risk changes, or when a breach occurs?
- Are we relying on manual provisioning that introduces error and delay?
These questions reflect the real-world challenges of managing access in a dynamic, distributed financial environment, especially one that spans jurisdictions and regulatory regimes.
Zero Trust Network Access: The Right Model for DORA
Enter Zero Trust Network Access (ZTNA). Unlike traditional models that assume trust based on network location, ZTNA operates on the principle of “never trust, always verify.” Every access request is evaluated in real time based on:
- User identity
- Device posture
- Location
- Behavioral signals
ZTNA creates a segment-of-one, ensuring users only see and access what they’re explicitly authorized to use. This approach aligns perfectly with DORA’s emphasis on access segmentation, continuous verification, and auditability.
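To make the evaluation described above concrete, here is an added example (not Appgate’s code, and not part of the original article) of a minimal attribute-based policy decision point of the kind a ZTNA controller runs for every request. Each request carries identity (user and groups), device posture, location, and a behavioural risk score; the engine evaluates every policy, unions the resources of the policies that pass into a per-user "segment-of-one", and emits an audit record that states which policy denied what and why. The policy names, resource names, attribute keys, and sample requests are all constructed for illustration. The same block also illustrates the attribute-based policy engine and audit trail the Appgate section below refers to, and shows how a change in a vendor’s risk score withdraws a grant on the next evaluation.

```python
"""Minimal ZTNA-style policy decision point (constructed example).

Attributes, policies and resource names are hypothetical; a real controller
would source them from an IdP, an endpoint agent and a risk engine.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Policy:
    """One access rule. All conditions must hold for the grant to apply."""
    name: str
    resources: frozenset            # hosts/services this policy grants
    groups: frozenset               # subject must belong to at least one
    require_managed_device: bool = True
    require_disk_encryption: bool = True
    allowed_countries: frozenset = frozenset()   # empty means no geo restriction
    max_risk: int = 50              # behavioural risk score ceiling (0-100)


@dataclass
class Request:
    """Attributes the policy engine sees for a single access request."""
    user: str
    groups: set
    device: dict                    # posture signals, e.g. from an endpoint agent
    country: str
    risk_score: int                 # behavioural/UEBA score, 0 = clean
    is_third_party: bool = False


def evaluate(policy: Policy, req: Request):
    """Return (allowed, failed_conditions). Every failed condition is kept so
    the audit record explains why a request was denied, not just that it was."""
    failed = []
    if not (policy.groups & req.groups):
        failed.append("group")
    if policy.require_managed_device and not req.device.get("managed", False):
        failed.append("device_unmanaged")
    if policy.require_disk_encryption and not req.device.get("disk_encrypted", False):
        failed.append("disk_unencrypted")
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        failed.append("geo")
    if req.risk_score > policy.max_risk:
        failed.append("risk")
    return (not failed, failed)


def decide(policies, req: Request):
    """Build the segment-of-one: the union of resources granted by every policy
    the request satisfies. Returns (granted_resources, audit_record)."""
    granted = set()
    outcomes = []
    for p in policies:
        ok, failed = evaluate(p, req)
        outcomes.append({"policy": p.name, "allowed": ok, "failed": failed})
        if ok:
            granted |= p.resources
    audit = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "third_party": req.is_third_party,
        "country": req.country,
        "risk_score": req.risk_score,
        "granted": sorted(granted),
        "outcomes": outcomes,
    }
    return granted, audit


# Constructed policies for illustration (names and resources are hypothetical).
POLICIES = [
    Policy("payments-ops", frozenset({"payments-api", "payments-db-ro"}),
           frozenset({"payments-ops"}), allowed_countries=frozenset({"DE", "FR", "IE"})),
    Policy("vendor-monitoring", frozenset({"monitoring-dashboard"}),
           frozenset({"vendor-monitoring"}), max_risk=30),
    Policy("all-staff", frozenset({"intranet"}), frozenset({"staff"}),
           require_managed_device=False, require_disk_encryption=False),
]

HEALTHY = {"managed": True, "disk_encrypted": True}   # constructed posture report


def employee_in_de():
    return decide(POLICIES, Request("alice", {"staff", "payments-ops"}, HEALTHY, "DE", 10))


def employee_abroad():
    # Same user, same device, but outside the allowed countries for payments.
    return decide(POLICIES, Request("alice", {"staff", "payments-ops"}, HEALTHY, "US", 10))


def vendor(risk_score):
    """Same contractor with a different behavioural risk score: the grant
    disappears once the score exceeds the policy ceiling, which is how
    'revoke when the vendor's posture changes' works without a manual step."""
    return decide(POLICIES, Request("bob@vendor", {"vendor-monitoring"}, HEALTHY,
                                    "IN", risk_score, is_third_party=True))


if __name__ == "__main__":
    import json
    for granted, audit in (employee_in_de(), employee_abroad(), vendor(20), vendor(45)):
        print(json.dumps(audit))
```

The audit record is the part worth copying: it lists every policy evaluated and the exact condition that failed, which is what an auditor asking "who accessed what, when, and why" needs, and it is cheap to ship to a SIEM as one JSON line per decision.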
Appgate ZTNA: Operationalizing Zero Trust for Compliance
As a model, ZTNA describes how segmentation, visibility and continuous verification line up with DORA’s requirements for secure access, but turning those principles into practice requires the right platform. Appgate ZTNA is built for that job: it follows the Zero Trust architecture described in NIST SP 800-207 and supports compliance programs for mandates such as DORA, PCI DSS, and HIPAA.
Here’s how Appgate ZTNA addresses DORA’s core requirements:
- Granular, Dynamic Access Control — Appgate enforces least-privilege access using an attribute-based policy engine. Access decisions are made in real time, adapting to changes in user risk, device health, and location.
- Unified Visibility and Audit Readiness — Centralized logging and session metadata provide a single pane of glass for compliance teams. Appgate integrates with SIEM and IAM tools, streamlining evidence collection and reducing audit prep time by up to 60%.
- Secure Third-Party and Contractor Access — Appgate’s segment-of-one architecture and Single Packet Authorization (SPA) keep protected systems dark to unauthenticated clients: ports stay closed and do not respond until a valid, authenticated SPA packet arrives, so an unauthorized user cannot even enumerate what is there. This is critical for managing third-party risk, a major concern under DORA.
- Automation That Reduces Human Error — Manual provisioning is a compliance risk. Appgate automates access workflows based on identity and group membership, ensuring consistency and reducing the chance of misconfiguration or delay.
- Resilience and Scalability — Appgate’s distributed architecture avoids a single point of failure and supports elastic scaling, both essential for maintaining operational continuity during disruptions.
Conclusion: From Regulation to Resilience
DORA is reshaping how financial institutions think about cybersecurity. It’s not just about protecting data, it’s about proving that protection is continuous, contextual and enforceable.
Appgate ZTNA offers a path forward. By embedding Zero Trust principles into every access decision, it helps international banks meet DORA’s mandates with confidence while improving performance, reducing complexity, and enhancing user experience.
If your organization is navigating DORA or preparing for future regulatory shifts, Appgate ZTNA can help you build a resilient, compliant access strategy from the ground up.