EU Regulations & Directives

IAM Maturity Assessment for DORA

DORA (Regulation (EU) 2022/2554) sets ICT risk management requirements for banks, insurers, investment firms, and other financial entities operating in the EU, and has applied since January 2025. Identity and access controls sit inside its ICT risk management framework, with management-body accountability for how access to ICT assets is protected and monitored.

Maturity threshold
2.5 / 4.0
Mapped questions
10
IAM domains
3
Assessment scope
Workforce
Identity Expectations

What DORA Expects from Identity Programs

The identity-relevant themes below reflect the AXIS capabilities mapped to DORA citations in the question bank. They paraphrase where identity fits, not the legal text itself.

  • Control of privileged and administrative access: credential protection, secrets management for non-human identities, just-in-time access, and session recording
  • Strong and phishing-resistant authentication for staff, with hardened account recovery paths
  • Detection of and response to identity-based threats, plus identity resilience and recovery planning
  • Continuous visibility into identity posture and the identity attack surface
Question Mapping

AXIS Questions Mapped to DORA

10 of the 37 questions in the AXIS bank carry DORA citations, including 4 domino controls (foundational capabilities that cap the overall score when weak).

AXIS assessment questions mapped to DORA, with domain, capability, and framework references
QuestionDomainCapabilityDORA references
PAM-01
Domino
PAMAdmin Credential ProtectionDORA Art. 9
PAM-02
Domino
PAMSecrets Management (Non-Human & Application Credentials)DORA Art. 9
PAM-04PAMJust-In-Time (JIT) Cloud & Infrastructure AccessDORA Art. 9
PAM-05PAMSession Management and RecordingDORA Art. 9
AUTH-01
Domino
Auth/SSOAdaptive MFADORA Art. 9
AUTH-04Auth/SSOPhishing-Resistant MFA & Session IntegrityDORA Art. 9
AUTH-05Auth/SSOAccount Recovery & Identity Verification ResistanceDORA Art. 9(4)(c); DORA Art. 9
SEC-01
Domino
SecurityIdentity Threat Detection & Response (ITDR)DORA Art. 9
SEC-02SecurityIdentity Resilience & Disaster RecoveryDORA Art. 9
SEC-05SecurityIdentity Posture & Attack-Surface Management (ISPM)DORA Art. 8
Scoring Model

How AXIS Scores DORA Alignment

A threshold model: each mapped control either meets the DORA maturity bar or it does not, and the alignment percentage is the share that does.

Threshold: 2.5 of 4.0

Each framework in AXIS carries a research-derived maturity threshold (Methodology Section 7.2). For DORA, a mapped control counts as passing when its answered maturity level reaches 2.5: documented and consistently enforced. The alignment percentage is the share of mapped controls at or above that bar.

Citations live on individual answer options, so the exact set of controls counted for DORA in a given assessment reflects the answers selected. The table above lists every question whose answer options carry DORA citations.

80%+

Aligned

60-79%

At Risk

<60%

Non-Compliant

Scope and Industry Awareness

DORA is scored in the workforce and full assessment scopes, where its mapped controls are assessed.

It is shown when the assessed organization operates in: Financial Services. Other industries see only the frameworks relevant to them.

Indicative Alignment, Not Certification

This page describes how the AXIS assessment maps its question bank to Digital Operational Resilience Act (DORA). Alignment scores are indicative: they are not a certification, an audit opinion, or legal advice. Whether and how DORA applies depends on your organization, sector, and jurisdiction; consult qualified counsel or auditors for formal compliance determinations.

See Where You Stand Against DORA

Run the AXIS assessment and get your maturity score, DORA alignment, and a prioritized roadmap in one pass. No signup required to start.