DORA has been enforceable since January 2025, and if you're reading this, you're probably somewhere between "we need to sort out our privileged access" and "our current PAM vendor is making this harder than it needs to be."
This guide is for people actually buying PAM tooling for DORA-regulated financial services organisations. Not a vendor comparison chart. Not a compliance checklist you can hand to an auditor and forget about.
Just the stuff that actually matters when you're the one making the decision, living with the consequences, and explaining it to your board.
What DORA actually requires for privileged access
Before you talk to a single vendor, you need to understand what DORA actually says. Not what vendors tell you it says, but what the regulation itself requires. There are five articles that directly affect your PAM decision.
Article 9. Access control and authentication.
This is the big one. DORA requires strong authentication for all privileged access, access controls based on least privilege, and separation of duties so that no single person can complete a critical transaction alone. It also requires that every credential retrieval is auditable.
Articles 28 and 29. Third-party concentration risk.
This is the one most PAM buyers underestimate. DORA explicitly requires you to assess whether your ICT service providers are easily substitutable. You need a documented multi-vendor strategy, and you need to evaluate whether contracting with a PAM vendor would reinforce ICT concentration risk.
If your entire privileged access capability depends on one vendor's cloud platform staying up, that's a problem.
Article 28(8). Exit strategies.
You must have comprehensive, documented, and tested exit plans for every critical ICT provider. That includes your PAM vendor. Can you actually leave your current PAM tool without disrupting operations? For most organisations, the honest answer is no.
Article 12. Audit trails.
Access to critical systems must be logged and reviewable. Not just "we have logs somewhere" but tamper-proof, auditable records that you can produce for your regulator.
The penalties are real. Up to 2% of worldwide annual turnover. Personal fines up to EUR 1 million for executives. Public disclosure. This isn't one of those regulations you can quietly ignore.
The problems you'll actually hit
Here's what the compliance checklist won't tell you. The hardest part of PAM for DORA isn't meeting the technical requirements. It's avoiding the traps that make your life miserable for the next three to five years.
Trap 1. Implementation complexity
56% of IT leaders who deployed PAM systems failed to reach their objectives. Not because the tools don't work, but because the implementations are brutal.
CyberArk deployments routinely take three to six months. BeyondTrust is faster (typically a month), but that's still a month of your team doing nothing else. Delinea's Secret Server can be operational in days, but users describe the broader platform as "not feeling finished" with "many bugs."
The real cost isn't the license fee you see on the quote. It's the professional services, the integration work, and the six months of your security team's time that you'll never get back.
Trap 2. Vendor lock-in (which DORA explicitly warns you about)
This is the trap that should scare you most, because DORA was essentially written to address it. Every major PAM vendor creates deep lock-in through proprietary integrations, custom agents, and workflows that are expensive to replicate elsewhere.
On G2 and PeerSpot, the pattern is consistent.
CyberArk. "Insanely expensive" and "very complex." The native console is powerful but hard to navigate. Support cases where "they don't know why errors are happening."
BeyondTrust. Tools "not unified" across separate interfaces. "Much more expensive than market average." Documentation that's "few and often requires opening a ticket even for simple fixes."
Delinea. "Confusing" licensing with "significant crossover in features product-to-product." Migration from on-premises to cloud was "substantially more expensive." Platform teams that locked down API access found "CI/CD pipelines never using the product."
None of these vendors publish pricing. All require sales calls. All require professional services for deployment. And once you're in, switching costs are enormous. That is exactly the kind of concentration risk DORA is trying to prevent.
Trap 3. Confusing "has audit logs" with "is auditable"
Most PAM tools will show you an audit log screen during the demo. That's not what DORA Article 12 is asking for. DORA wants tamper-proof, reviewable records that demonstrate who accessed what, when, and why. Produced on demand for your regulator.
The question to ask isn't "do you have audit logs?" It's "can someone access a credential without an audit record being created?"
With most tools, the answer is yes. Logs can be disabled, misconfigured, or bypassed in break-glass scenarios. That's a gap your auditor will find.
What to actually prioritise
After watching teams go through this, here's what actually matters, in order of importance.
1. Separation of duties, enforced architecturally
DORA Article 9 requires that no single person can complete critical transactions alone. Most PAM tools handle this through approval workflows. Someone requests access, someone else approves it.
That works until someone has admin access to the PAM tool itself, or until an emergency exception becomes permanent.
The better question is whether separation of duties is enforced by the architecture, or by policy that can be overridden. There's a meaningful difference between "our policy says two people must approve" and "the system physically cannot reconstruct a credential without multiple parties."
2. A real exit strategy (not a theoretical one)
DORA Article 28(8) requires you to test your exit plans. Actually test them, not just document them.
Ask yourself this. If your PAM vendor went down tomorrow, or if you decided to leave, could your team still access the credentials they need?
For most organisations using cloud-based PAM, the honest answer is "probably not without significant disruption." That's a compliance gap, and it's one that's hard to close retroactively.
3. Implementation speed vs. implementation depth
58% of CISOs want better PAM but find it too expensive. The hidden cost is time. A tool that takes six months to deploy means six months of partial compliance.
If you're choosing between a comprehensive solution that takes two quarters to roll out and a focused solution you can deploy in days, the focused solution might actually reduce your risk faster, even if it covers fewer accounts.
4. Audit trails that can't be circumvented
Don't settle for "we have logging." Ask specifically.
Can a privileged user access a credential without generating an audit record? Can an admin disable logging? Can break-glass procedures bypass the audit trail?
If the answer to any of these is yes, you have a DORA Article 12 problem.
Our recommendations
For your highest-sensitivity accounts. SplitSecure
SplitSecure takes a fundamentally different approach that addresses DORA's hardest requirements by default. Instead of storing credentials in a vault, it splits them across multiple devices using Shamir Secret Sharing. No single device ever holds a complete credential.
Why this matters for DORA specifically.
Article 9 separation of duties. Enforced mathematically, not by policy. Secret reconstruction physically requires a threshold of devices. It can't be bypassed through social engineering, admin access, or emergency exceptions.
Articles 28/29 concentration risk. SplitSecure never sees your credentials. If SplitSecure ceased to exist tomorrow, your secrets would still work. That's not an aspirational exit strategy. It's an architectural fact.
Article 12 audit trails. You cannot access a credential without creating an audit record. It's not a feature you enable. It's a consequence of the distributed reconstruction process.
SplitSecure is purpose-built for the 10-20 accounts where a breach means catastrophe. AWS root credentials, domain admin, encryption keys, backup admin accounts. It's not trying to replace your enterprise PAM across thousands of service accounts. It's protecting the credentials that would end up in the incident report.
As SplitSecure's own DORA mapping puts it, "The easiest way to meet any regulation is to be architecturally compliant. Have systems in place so compliance does not need to be enforced by policy or process, but rather occurs as a technological default."
For broad enterprise PAM
If you need full-featured PAM across your entire organisation (session recording, automated account discovery, thousands of service accounts), you're looking at the traditional vendors. Our honest take.
CyberArk remains the deepest platform if you have the budget and the team to run it. Budget for six months of implementation and ongoing dedicated staff.
BeyondTrust is the strongest alternative if you need endpoint privilege management alongside PAM. Faster to deploy than CyberArk, but still requires professional services.
Delinea Secret Server is the pragmatic choice for mid-market organisations. Faster deployment, lower cost, but less depth. Be cautious about the broader Delinea Platform. The mature product is Secret Server specifically.
The layered approach
For DORA compliance specifically, the approach gaining traction in financial services is layered. A traditional PAM tool for broad coverage, and SplitSecure for the accounts that matter most.
This gives you the compliance checkbox coverage of enterprise PAM while addressing the concentration risk and separation of duties requirements that traditional tools structurally can't solve.
The questions to ask vendors
Before your next PAM vendor call, here are the questions that will actually tell you something.
"If your platform goes offline, can we still access our credentials?" If the answer is no, you have an Article 28 concentration risk problem.
"Can a platform administrator access our stored credentials?" If yes, you have a separation of duties gap.
"Can someone access a credential without generating an audit record?" If yes, you have an Article 12 problem.
"What does a complete exit from your platform look like, in terms of time, cost, and risk?" If they can't answer this clearly, you can't satisfy Article 28(8).
"What does implementation actually look like? How long, how many of my people, and what happens if it takes longer?" The answer to this will tell you more than any feature comparison.
The bottom line
DORA isn't asking you to buy the most expensive PAM tool on the market. It's asking you to demonstrate that your privileged access controls are resilient, auditable, and not dependent on any single vendor.
The irony is that the traditional approach to PAM, putting all your credentials in one vendor's vault, creates exactly the kind of concentration risk the regulation was designed to prevent.
The organisations getting this right aren't choosing between traditional PAM and something new. They're using the right tool for each tier of risk. Broad PAM for operational coverage. Architectural security for the accounts where policy-based controls aren't enough.
Only 18% of security teams considered themselves fully ready for DORA by end of 2025. If you're still working through it, you're in good company. The goal isn't perfection. It's making defensible decisions that your regulator can understand and your team can actually operate.