Article 23 Digital Operational Resilience Act (DORA), Advanced Testing of ICT Tools, Systems and Processes Based on Threat Led Penetration Testing

Sep 9, 2024

The Digital Operational Resilience Act (DORA) sets forth stringent requirements to ensure that financial entities within the European Union (EU) are robust against Information and Communication Technology (ICT)-related risks. Article 23 of DORA specifically mandates advanced testing of ICT tools, systems, and processes through threat-led penetration testing. This article outlines the detailed procedures and requirements that financial entities must follow to maintain and enhance their digital operational resilience.

Mandatory Advanced Testing Every Three Years

Article 23 requires financial entities identified by competent authorities to carry out advanced testing using threat-led penetration testing at least every three years. This form of testing is crucial for simulating real-world cyberattacks on critical systems, enabling financial entities to identify vulnerabilities and assess their preparedness to respond to sophisticated cyber threats. The testing's three-year frequency ensures that entities remain vigilant and adapt their defenses to evolving risks, thereby maintaining a high level of digital operational resilience.

The testing must focus on the entity's critical functions and services, ensuring that the most vital aspects of their operations are tested. By conducting these tests on live production systems, financial entities gain a realistic understanding of how their systems would perform under an actual cyberattack. This approach ensures that any identified vulnerabilities are directly relevant and that the entity can take immediate corrective actions.

Defining the Scope and Inclusion of Third-Party Providers

The precise scope of threat-led penetration testing is determined by the financial entity, based on an assessment of its critical functions and services. This scope must be validated by competent authorities to ensure that the testing is comprehensive and aligned with regulatory requirements. Financial entities must identify all underlying ICT processes, systems, and technologies that support their critical functions and services, including those that are outsourced or contracted to third-party providers.

When third-party ICT service providers are involved in the testing, financial entities must take necessary measures to ensure their participation. Given that many financial entities rely heavily on third-party services, including these providers in the testing process is essential. It allows for a thorough assessment of external risks and ensures that the entity's overall digital operational resilience is not compromised by vulnerabilities in outsourced services.

Risk Management and Documentation

Throughout the testing process, financial entities are required to apply effective risk management controls. These controls are vital to minimizing potential impacts on data integrity, asset protection, and the continuity of critical services. By implementing strong risk management measures, entities can conduct thorough testing without disrupting their operations or endangering the financial sector's stability.

Upon completion of the threat-led penetration testing, financial entities and external testers must provide documentation to the competent authority. This documentation confirms that the testing was conducted according to DORA’s requirements. Competent authorities are responsible for validating this documentation and issuing an attestation, which serves as official proof that the financial entity has met its regulatory obligations.

Contracting Testers and Proportionality in Testing Requirements

To ensure the independence and effectiveness of the threat-led penetration testing, financial entities must contract external testers in accordance with Article 24 of DORA. These testers must have the necessary expertise to carry out the testing effectively and objectively. The selection of competent testers is a critical component of the testing process, as it directly impacts the reliability of the results and the entity's ability to address identified vulnerabilities.

Competent authorities play a crucial role in identifying which financial entities must perform threat-led penetration testing. This identification is based on a proportional assessment of the entity’s size, scale, activity, and overall risk profile. Specifically, authorities consider factors such as the criticality of the services provided by the entity, potential financial stability concerns, and the entity’s specific ICT risk profile. By ensuring that testing requirements are proportionate, competent authorities can focus on addressing the most significant risks within the financial sector.

Development of Regulatory Technical Standards

The European Supervisory Authorities (ESAs)—comprising the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA)—in consultation with the European Central Bank (ECB), are tasked with developing draft regulatory technical standards to further specify the criteria and requirements for threat-led penetration testing. These standards will provide detailed guidance on various aspects of the testing process, including the scope, methodology, and procedures for reporting and remediation.

The development of these standards is critical for ensuring consistency and effectiveness across the EU. By providing clear and detailed guidelines, the ESAs ensure that financial entities across the Union conduct threat-led penetration testing in a manner that is both rigorous and aligned with best practices. Once developed, these standards will be submitted to the European Commission for adoption, at which point they will become binding on financial entities throughout the EU.

Conclusion

Article 23 of DORA sets out a comprehensive framework for advanced testing of ICT tools, systems, and processes through threat-led penetration testing. By requiring regular testing, involving third-party providers, and applying effective risk management, DORA ensures that financial entities within the EU are well-prepared to withstand sophisticated cyber threats. The development of regulatory technical standards further strengthens this framework, providing clear guidance and ensuring a consistent approach to digital operational resilience across the Union.