Article 21 Digital Operational Resilience Act (DORA), General Requirements For The Performance of Digital Operational Resilience Testing

Sep 9, 2024

The Digital Operational Resilience Act (DORA) is a pivotal regulation in the European Union, designed to enhance the operational resilience of financial entities against Information and Communication Technology (ICT)-related incidents. Article 21 of DORA outlines the general requirements for digital operational resilience testing, which is crucial for ensuring that financial entities can effectively manage and mitigate ICT risks. This article details the obligations of financial entities in establishing and maintaining a robust digital operational resilience testing program as part of their overall ICT risk management framework.

Establishing a Comprehensive Testing Programme

To assess their preparedness for ICT-related incidents and to identify any weaknesses, deficiencies, or gaps in their digital operational resilience, financial entities are required to establish, maintain, and regularly review a digital operational resilience testing programme. This programme must be tailored to the entity’s size, business nature, and risk profile, ensuring that it is both sound and comprehensive. The goal is to make the testing programme an integral part of the ICT risk management framework, as outlined in Article 5 of DORA.

By doing so, financial entities can ensure that they are continually assessing their resilience to ICT threats and are prepared to implement corrective measures promptly. Regular review and maintenance of the testing programme are essential, as they allow the entity to adapt to evolving risks and changing business environments, ensuring that the programme remains relevant and effective over time.

Components of the Testing Programme

The digital operational resilience testing programme is required to include a diverse range of assessments, tests, methodologies, practices, and tools. These elements should be applied in accordance with the specific provisions set out in Articles 22 and 23 of DORA. The inclusion of various testing components is crucial for providing a comprehensive evaluation of the entity’s digital resilience. Different types of tests can reveal different aspects of the entity’s resilience, from technical vulnerabilities in ICT systems to procedural weaknesses in incident response plans.

The use of a variety of tools and methodologies also ensures that the testing programme is thorough and covers all potential areas of concern. By incorporating different practices, financial entities can identify not only immediate weaknesses but also long-term strategic gaps that could affect their resilience.

Risk-Based Approach to Testing

Financial entities are required to follow a risk-based approach when conducting their digital operational resilience testing programme. This approach takes into account the evolving landscape of ICT risks, specific risks to which the entity might be exposed, the criticality of information assets, and the importance of the services provided.

A risk-based approach ensures that the testing programme is focused on the most significant risks facing the entity. By prioritizing these risks, the entity can allocate resources more effectively, ensuring that the most critical areas of its ICT infrastructure are adequately tested and protected. Additionally, this approach allows for flexibility, as the entity can adjust its testing programme in response to new or emerging threats, ensuring that it remains relevant in a constantly changing digital environment.

Independent Testing and Validation

To ensure the objectivity and reliability of the testing programme, financial entities must ensure that the tests are conducted by independent parties. These independent parties can be internal teams that are not involved in the daily operations of the systems being tested, or they can be external firms specializing in ICT risk management and testing.

Independent testing is critical for uncovering issues that internal teams might overlook due to familiarity or bias. It provides an external perspective on the entity’s digital resilience, helping to ensure that the tests are thorough and that any weaknesses identified are genuine and not the result of testing errors or oversights.

Prioritization and Remediation of Issues

Financial entities are also required to establish procedures and policies for prioritizing, classifying, and remedying all issues identified during the testing process. This involves not only addressing immediate vulnerabilities but also ensuring that long-term strategic gaps are closed.

In addition, entities must develop internal validation methodologies to confirm that all identified weaknesses, deficiencies, or gaps are fully addressed. This step is crucial for ensuring that the corrective actions taken are effective and that the entity’s digital resilience is genuinely improved as a result of the testing programme.

Annual Testing of Critical ICT Systems

Finally, Article 21 mandates that financial entities test all critical ICT systems and applications at least once a year. This annual testing requirement ensures that critical systems are regularly evaluated for vulnerabilities, helping to prevent potential ICT-related incidents before they occur.

Regular testing is essential for maintaining a high level of digital resilience, as it allows entities to stay ahead of potential threats and ensure that their ICT systems remain secure and functional. By conducting these tests annually, financial entities can identify and address vulnerabilities in a timely manner, reducing the risk of ICT-related incidents that could disrupt their operations or harm their customers.

Conclusion

Article 21 of DORA establishes a comprehensive framework for digital operational resilience testing, requiring financial entities to implement and maintain robust testing programmes tailored to their specific risks and business profiles. By following these requirements, financial entities can enhance their resilience to ICT-related incidents, ensuring that they are prepared to manage and mitigate risks effectively in an increasingly digital and interconnected world.