Source: OJ L, 2024/1774, 25.6.2024

Article 20 Identity management

Summary

What does Article 20 of the RTS on ICT risk management framework say?

This article sits within the broader access management framework of the regulation, acting as a foundational prerequisite to Article 21, which governs the actual assignment of access rights.

Article 20 establishes the identity management layer that must exist before those rights can be meaningfully assigned.

It requires financial entities to put in place policies and procedures that uniquely identify and authenticate every person and system seeking access to the entity's information and ICT assets.

Two core requirements underpin this: a one-to-one mapping between individuals (including staff of ICT third-party service providers) and user accounts, and a full lifecycle management process covering accounts from creation through to termination.

Important points:

  • Develop, document, and implement identity management policies and procedures that ensure every member of staff, including staff of ICT third-party service providers, who accesses your information and ICT assets is assigned a unique identity and a corresponding unique user account.
  • Maintain records of all identity assignments, including after organisational restructuring or the end of a contractual relationship, subject to applicable retention requirements.
  • Where feasible and appropriate, deploy automated solutions to manage the full lifecycle of identities and accounts.

Springlex's summary of the article, a reading aid, not a substitute for the legal text.

    1. As part of their control of access management rights, financial entities shall develop, document, and implement identity management policies and procedures that ensure the unique identification and authentication of natural persons and systems accessing the financial entities’ information to enable assignment of user access rights in accordance with Article 21.

    2. The identity management policies and procedures referred to in paragraph 1 shall contain all of the following:

      (a) without prejudice to Article 21, first paragraph, point (c), a unique identity corresponding to a unique user account shall be assigned to each staff member of the financial entity or staff of the ICT third-party service providers accessing the information assets and ICT assets of the financial entity;

      (b) a lifecycle management process for identities and accounts managing the creation, change, review and update, temporary deactivation, and termination of all accounts.

    3. For the purposes of point (a), financial entities shall maintain records of all identity assignments. Those records shall be kept following a reorganisation of the financial entity or after the end of the contractual relationship without prejudice to the retention requirements laid down in applicable Union and national law.

    4. For the purposes of point (b), financial entities shall, where feasible and appropriate, deploy automated solutions for the lifecycle identity management process.

Springflod is a Swedish boutique consultancy firm specialising in cyber security within the financial services sector.

We offer professional services concerning information security governance, risk and compliance.