authex

EU financial regulation

ICT security controls have applied to EU finance since 17 January 2025.

DORA and email authentication

In force 17 January 2025 · Applies to EU financial entities and the ICT providers that serve them

Art. 9: the ICT-protection article that frames authenticity and integrity of data in transit.

01

What DORA applies to

The Digital Operational Resilience Act (DORA) entered into application on 17 January 2025. It applies to a broad range of EU financial entities — banks, insurers, investment firms, payment institutions — and to the ICT third parties that serve them.

DORA is an operational-resilience regulation, not an email standard. But its ICT risk-management obligations reach the channels those entities depend on, and email is one of them.

02

Where email authentication fits

Article 9 requires financial entities to deploy ICT security policies, procedures, and tools that maintain high standards of authenticity, integrity, and confidentiality of data — explicitly including data in transit — and to secure the means by which data is transferred.

Email authentication is not named in Article 9. But DMARC, SPF, and DKIM are recognized, proportionate controls that support exactly those goals for the email channel: they let receivers verify that a message genuinely originates from the domain it claims, protecting the authenticity and integrity of mail in transit. Supervisors assessing a firm's ICT controls will expect to see demonstrable measures here.

03

Where monitoring stops short

A monitoring-only posture — p=none with reports — gives you visibility but does not protect the channel: forged mail in the entity's name still reaches recipients. To function as a genuine ICT security control under Article 9's authenticity and integrity expectations, the policy has to be enforcing. Authex advances the domain to p=reject and maintains it, turning a documented intent into an operating control.

04

Common questions

Does DORA require DMARC?

Not explicitly. DORA Article 9 requires financial entities to ensure the authenticity and integrity of data in transit and to deploy appropriate ICT security tools. Email authentication (DMARC/SPF/DKIM) is a recognized, proportionate control that supports those obligations for the email channel — so it is a sensible and defensible way to evidence them.

When did DORA start applying?

17 January 2025. From that date DORA is fully applicable to the EU financial entities and ICT providers within its scope.

Does p=none satisfy DORA?

p=none provides visibility but no protection — forged mail is still delivered. As an ICT security control supporting Article 9's authenticity and integrity goals, an enforcing policy (p=quarantine or p=reject) is materially stronger, because it actually prevents impersonation of the entity's domain.

Meet the requirement — and actually be protected.

Scan your domain to see where it stands today, then let Authex take it to enforcement and keep it there.