IAM Maturity Assessment for DORA
DORA (Regulation (EU) 2022/2554) sets ICT risk management requirements for banks, insurers, investment firms, and other financial entities operating in the EU, and has applied since January 2025. Identity and access controls sit inside its ICT risk management framework, with management-body accountability for how access to ICT assets is protected and monitored.
- Maturity threshold
- 2.5 / 4.0
- Mapped questions
- 10
- IAM domains
- 3
- Assessment scope
- Workforce
What DORA Expects from Identity Programs
The identity-relevant themes below reflect the AXIS capabilities mapped to DORA citations in the question bank. They paraphrase where identity fits, not the legal text itself.
- Control of privileged and administrative access: credential protection, secrets management for non-human identities, just-in-time access, and session recording
- Strong and phishing-resistant authentication for staff, with hardened account recovery paths
- Detection of and response to identity-based threats, plus identity resilience and recovery planning
- Continuous visibility into identity posture and the identity attack surface
AXIS Questions Mapped to DORA
10 of the 37 questions in the AXIS bank carry DORA citations, including 4 domino controls (foundational capabilities that cap the overall score when weak).
| Question | Domain | Capability | DORA references |
|---|---|---|---|
| PAM-01 Domino | PAM | Admin Credential Protection | DORA Art. 9 |
| PAM-02 Domino | PAM | Secrets Management (Non-Human & Application Credentials) | DORA Art. 9 |
| PAM-04 | PAM | Just-In-Time (JIT) Cloud & Infrastructure Access | DORA Art. 9 |
| PAM-05 | PAM | Session Management and Recording | DORA Art. 9 |
| AUTH-01 Domino | Auth/SSO | Adaptive MFA | DORA Art. 9 |
| AUTH-04 | Auth/SSO | Phishing-Resistant MFA & Session Integrity | DORA Art. 9 |
| AUTH-05 | Auth/SSO | Account Recovery & Identity Verification Resistance | DORA Art. 9(4)(c); DORA Art. 9 |
| SEC-01 Domino | Security | Identity Threat Detection & Response (ITDR) | DORA Art. 9 |
| SEC-02 | Security | Identity Resilience & Disaster Recovery | DORA Art. 9 |
| SEC-05 | Security | Identity Posture & Attack-Surface Management (ISPM) | DORA Art. 8 |
How AXIS Scores DORA Alignment
A threshold model: each mapped control either meets the DORA maturity bar or it does not, and the alignment percentage is the share that does.
Threshold: 2.5 of 4.0
Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For DORA, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.
Citations live on individual answer options, so the exact set of controls counted for DORA in a given assessment reflects the answers selected. The table above lists every question whose answer options carry DORA citations.
80%+
Aligned
60-79%
At Risk
<60%
Non-Compliant
Scope and Industry Awareness
DORA is scored in the workforce and full assessment scopes, where its mapped controls are assessed.
It is shown when the assessed organization operates in: Financial Services. Other industries see only the frameworks relevant to them.
Indicative Alignment, Not Certification
This page describes how the AXIS assessment maps its question bank to Digital Operational Resilience Act (DORA). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how DORA applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.
See Where You Stand Against DORA
Run the AXIS assessment and get your maturity score, DORA alignment, and a prioritized roadmap in one pass. No signup required to start.