Financial Services

Identity Security for FCA-Regulated Firms

DORA, SYSC 13, and NIS2 demand demonstrable identity governance. IdentityFirst delivers the evidence your auditors require — read-only, in 24 hours.

The Identity Problem

Why Financial Services Has an Identity Problem

FCA-regulated firms face a confluence of legacy infrastructure, accelerating regulatory demand, and a threat landscape that specifically targets the financial sector.

Complex, Inherited IAM Estates

Mergers and acquisitions leave stale accounts, orphaned service accounts, and legacy Active Directory trusts with unknown blast radius. The identities from the 2018 acquisition are still present — enabled, privileged, and ungoverned.

Regulatory Scrutiny Is Accelerating

FCA SYSC 9.1.4 requires evidenced access control. DORA mandates continuous ICT risk management. NIS2 applies to financial market infrastructure. These obligations converge on identity governance — and the expectation is demonstrable, documented evidence.

Attackers Target Finance First

Financial services sees 2× the average dwell time before detection. Service accounts and Kerberoastable SPNs are the primary lateral movement paths — and in financial environments they frequently have access to trading systems, regulatory reporting shares, and payment processing infrastructure.

Regulatory Mapping

Regulatory Obligations IdentityFirst Addresses

Each assessment maps findings directly to the specific articles and subsections that FCA supervisors and internal audit will reference.

DORA — Digital Operational Resilience Act

Article 9 ICT risk management requires financial entities to implement sound access control and privileged access governance. IdentityFirst provides continuous identity risk evidence, privileged access mapping, and blast radius quantification aligned to these obligations.

  • Article 9: ICT risk management & access control evidence
  • Privileged identity mapping and standing access detection
  • Continuous monitoring evidence for regulatory submissions

FCA SYSC 13 — Operational Risk: IT Systems

SYSC 13 requires firms to manage operational risk from IT systems and to implement appropriate access controls. IdentityFirst documents every access control gap, stale account, and privilege sprawl finding in a format suitable for operational risk registers.

  • Access control gap identification and documentation
  • Stale and orphaned account enumeration
  • Privilege sprawl mapped to operational risk categories

NIS2 Directive — Article 21 Cybersecurity Measures

NIS2 Article 21 mandates access management, MFA, and supply chain security for essential entities including financial market infrastructure. IdentityFirst maps MFA coverage gaps, access management failures, and supply chain identity risks across your estate.

  • MFA coverage analysis across privileged accounts
  • Access management gap identification
  • Supply chain identity risk mapping (third-party service accounts)

FCA SYSC 9.1.4 — Record Keeping Obligations

SYSC 9.1.4 requires firms to maintain records sufficient to evidence governance of access to systems. IdentityFirst produces a timestamped, immutable audit trail of who had access to what systems, their privilege level, and when the access was last reviewed.

  • Timestamped access inventory across all connected systems
  • Privilege level documentation per identity and system
  • Last-reviewed and last-accessed evidence for regulatory records

Example Findings

What IdentityFirst Finds in Financial Services Environments

Representative findings from a financial services assessment — the kind of risk that exists in most regulated firms and is invisible to manual review.

Critical

Kerberoastable Service Account: svc_charlesriver_ims

RC4-HMAC encryption. Password age: 847 days. SPN registered against the Charles River IMS trading integration. This account's TGS ticket can be extracted from any domain-joined workstation and cracked offline without generating a domain security event.

Blast Radius: Critical — svc_charlesriver_ims has local admin on 14 SQL servers backing regulatory reporting.

High

Departed Employee Active 109 Days Post-Departure

Account enabled. Last logon 3 days before departure. Still a member of Finance-Reporting-RW, VPN-Users, and SharePoint-FinanceTeam. HR system departure date: 109 days ago. No leaver process triggered in Active Directory or Entra ID.

Blast Radius: High — finance reporting share and VPN access to regulatory systems remain open.

Critical

Permanent Global Administrator: d.walsh

d.walsh holds permanent Global Administrator in Entra ID. No PIM or JIT elevation configured. Role never time-limited. Assigned 3 years ago. No MFA registration event in the last 180 days recorded against the account.

Blast Radius: Critical — unrestricted tenant-wide administrative access with no time or scope constraint.

High

4 Accounts with Unconstrained Kerberos Delegation

Four objects — including a file server with access to the regulatory reporting share — hold unconstrained Kerberos delegation. Any user authenticating to these systems will have their TGT cached on the host, extractable if the host is compromised.

Blast Radius: High — unconstrained delegation provides a credible path to Domain Admin via TGT abuse.

Medium

34% of Privileged Accounts MFA-Exempt

34% of accounts in privileged groups (Domain Admins, Finance-Reporting-RW, Azure-PIM-Eligible) are excluded from MFA enforcement via a legacy authentication exception in Conditional Access. The exception was created during a legacy ADFS migration and was never reviewed.

Compliance Gap: NIS2 Article 21, DORA Article 9, FCA SYSC 13 — MFA coverage gap across regulated system access.
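As an added illustration, not IdentityFirst's own code, the checks behind the findings above can be written as a small rule pass over identity records: the userAccountControl and msDS-SupportedEncryptionTypes bit values are the documented Active Directory ones, while the account records, group names, HR leaver feed and dates are constructed sample data.

```python
from datetime import date

# userAccountControl and msDS-SupportedEncryptionTypes bit values are the documented
# Active Directory ones; every account record below is constructed sample data.
UF_ACCOUNTDISABLE = 0x0002
UF_TRUSTED_FOR_DELEGATION = 0x80000      # unconstrained Kerberos delegation
ENC_AES = 0x8 | 0x10                     # AES128-CTS | AES256-CTS

def risk_findings(acct, today, hr_departed, privileged_groups, mfa_exempt):
    """Return [(severity, description)] for one account, mirroring the page's checks."""
    out = []
    if acct["uac"] & UF_ACCOUNTDISABLE:
        return out                        # disabled accounts are not scored here
    pwd_age = (today - acct["pwd_last_set"]).days
    # SPN present, no AES enctype, old password: the Kerberoastable profile
    if acct["spns"] and not acct["enctypes"] & ENC_AES and pwd_age > 365:
        out.append(("Critical", f"Kerberoastable service account {acct['sam']}: "
                                f"RC4-HMAC only, password age {pwd_age} days"))
    if acct["uac"] & UF_TRUSTED_FOR_DELEGATION:
        out.append(("High", f"{acct['sam']} holds unconstrained Kerberos delegation"))
    if acct["sam"] in hr_departed:        # enabled in AD but a leaver per HR
        days = (today - hr_departed[acct["sam"]]).days
        out.append(("High", f"Departed employee {acct['sam']} enabled {days} days post-departure"))
    priv = privileged_groups & set(acct["groups"])
    if priv and acct["sam"] in mfa_exempt:
        out.append(("Medium", f"{acct['sam']} in {sorted(priv)} is MFA-exempt"))
    return out

TODAY = date(2025, 6, 1)
ACCOUNTS = [  # constructed records in the shape an LDAP read of AD would yield
    {"sam": "svc_ims_integration", "uac": 0x10200, "spns": ["MSSQLSvc/sql01.corp.example:1433"],
     "enctypes": 0x4, "pwd_last_set": date(2023, 1, 1), "groups": ["Finance-Reporting-RW"]},
    {"sam": "fs01$", "uac": 0x81000, "spns": ["HOST/fs01.corp.example"],
     "enctypes": 0x1c, "pwd_last_set": date(2025, 5, 1), "groups": []},
    {"sam": "j.smith", "uac": 0x200, "spns": [], "enctypes": 0,
     "pwd_last_set": date(2025, 3, 1), "groups": ["Finance-Reporting-RW", "VPN-Users"]},
    {"sam": "d.walsh", "uac": 0x200, "spns": [], "enctypes": 0,
     "pwd_last_set": date(2025, 4, 1), "groups": ["Domain Admins"]},
]
HR_DEPARTED = {"j.smith": date(2025, 2, 12)}          # constructed HR leaver feed
PRIVILEGED = {"Domain Admins", "Finance-Reporting-RW"}
MFA_EXEMPT = {"d.walsh"}                              # Conditional Access exception members

def run_assessment():
    """Map sAMAccountName -> findings for accounts that have any."""
    found = {a["sam"]: risk_findings(a, TODAY, HR_DEPARTED, PRIVILEGED, MFA_EXEMPT) for a in ACCOUNTS}
    return {sam: f for sam, f in found.items() if f}
```

The same records fed to a real LDAP read would also need msDS-AllowedToDelegateTo checked, since constrained delegation is a separate, lower-severity condition the rules above deliberately leave out.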


How It Works

From Connector to Compliance Evidence in 48 Hours

A four-stage pipeline that requires no agents, no production changes, and no trading system access.

1. Connect

Read-only API and LDAP connectors attach to Active Directory, Entra ID, PAM tools, and IGA platforms. No agents installed. No production changes. No trading system access required at any stage.

2. Assess

IdentityMRI™ enumerates every identity, group, privilege assignment, and delegation scope across your estate. 40+ risk checks applied. Nothing sampled.

3. Prioritise

Each finding is scored by ICR (Identity Coverage Ratio), blast radius, and compliance mapping. DORA Article 9, SYSC 13, and NIS2 Article 21 obligations are cross-referenced automatically.

4. Report

Board-ready PDF delivered within 48 hours. Named findings, timestamps, remediation playbooks, and dedicated DORA/SYSC evidence packs structured for FCA supervisory review and internal audit.

FAQ

Financial Services — Common Questions

Straight answers to the questions compliance and security teams at FCA-regulated firms ask most often.

Does IdentityFirst require access to trading systems or market data?

No. IdentityFirst connects exclusively via read-only LDAP queries and read-only API connectors to identity stores — Active Directory, Entra ID, and PAM tools. It does not require, request, or receive access to trading platforms, order management systems, market data feeds, or any front-office application at any point during the assessment.

How does IdentityFirst help with DORA Article 9 compliance?

DORA Article 9 requires financial entities to implement sound ICT risk management controls including governance of access rights and privileged access. IdentityFirst maps every privileged identity finding — stale accounts, Kerberoastable service accounts, standing Global Administrators, unconstrained delegation — directly to Article 9 obligations and produces remediation evidence suitable for regulatory submission.

The resulting evidence pack is structured to answer the specific Article 9 questions an FCA supervisor or DORA auditor is likely to raise: which privileged identities exist, what access they have, how they are governed, and what is being done about identified gaps.

Can the report be used as audit evidence for FCA supervisory review?

Yes. IdentityFirst produces a board-ready PDF containing named findings, timestamps, severity classifications, blast radius analysis, and compliance mapping cross-referenced to DORA, SYSC 13, and NIS2 controls. The report is structured to satisfy FCA supervisory requests for evidence of access control governance and operational risk management under SYSC 9.1.4.

Internal audit teams regularly use IdentityFirst reports as input to IT general control testing and access management control assessments.

How long does an assessment take for a typical asset manager?

Initial findings are available within 24 hours of connector setup. Full report generation, including compliance mapping to DORA, SYSC 13, and NIS2 controls, is completed within 48 hours. Connector setup for a typical asset manager with Active Directory and Entra ID takes under two hours and requires only a read-only service account — no domain administrator credentials.

Does IdentityFirst work alongside existing tools like CyberArk or SailPoint?

Yes. IdentityFirst ingests data from PAM tools including CyberArk PAS and BeyondTrust, and from IGA platforms including SailPoint IdentityNow and Saviynt, using read-only API connectors. Rather than replacing these tools, IdentityFirst surfaces gaps in their coverage — accounts that exist in Active Directory but are not governed by your PAM or IGA solution, and privileged access that has accumulated outside the formal provisioning process.

This gap analysis is frequently the most valuable output for firms that believe their existing tooling provides adequate coverage.

Ready to Evidence Your Identity Governance?

Book a live demo to see how IdentityFirst maps your own identity estate against DORA, SYSC 13, and NIS2 obligations — or explore a sample financial services report now.


Read-only  •  No agents  •  Findings in 24 hours  •  UK-hosted & ICO registered