Article 24 Digital Operational Resilience Act (DORA), Requirements For Testers

Sep 9, 2024

The Digital Operational Resilience Act (DORA) places a strong emphasis on ensuring that financial entities within the European Union are resilient against Information and Communication Technology (ICT)-related threats. One of the key components of DORA’s regulatory framework is the requirement for advanced testing through threat-led penetration testing. Article 24 outlines the specific obligations that financial entities must fulfill to carry out this form of testing, which is designed to simulate real-world cyberattacks on critical systems to assess and improve their operational resilience.

Mandatory Advanced Testing Every Three Years

Financial entities identified by competent authorities must conduct advanced testing via threat-led penetration testing at least once every three years. This rigorous testing process is vital for identifying vulnerabilities in critical systems and ensuring that financial entities can withstand sophisticated cyber threats. The frequency of every three years ensures that financial entities remain vigilant and continuously adapt their defenses to the evolving threat landscape.

The focus on critical functions and services means that the testing is targeted where it matters most. The testing is conducted on live production systems, providing a realistic assessment of how these systems would perform under a real cyberattack. This approach ensures that the testing results are relevant and actionable, leading to meaningful improvements in the entity’s digital operational resilience.

Defining The Scope and Involvement of Third-Party Providers

The scope of threat-led penetration testing is determined by the financial entity based on an assessment of its critical functions and services. This scope must be validated by competent authorities to ensure that the testing is comprehensive and aligned with regulatory expectations. Financial entities must identify all relevant ICT processes, systems, and technologies that support these critical functions and services, including those that are outsourced to third-party providers.

When third-party providers are involved in the testing, the financial entity is responsible for ensuring their participation. This is crucial because many financial entities rely heavily on third-party ICT services, and any vulnerabilities in these external systems could have significant implications for the entity’s overall operational resilience. Effective collaboration with third-party providers during testing helps to uncover and address these external risks, ensuring a more holistic approach to cybersecurity.

Risk Management and Documentation

Throughout the testing process, financial entities must apply effective risk management controls to minimize potential impacts on data integrity, assets, and the continuity of critical services. This is particularly important when testing is conducted on live production systems, as there is an inherent risk of disruption. By implementing strong risk management measures, financial entities can conduct thorough testing without jeopardizing their day-to-day operations or the stability of the broader financial sector.

At the conclusion of the threat-led penetration testing, financial entities and the external testers are required to provide documentation to the competent authority. This documentation confirms that the testing has been conducted in accordance with the requirements outlined in DORA. Competent authorities then validate the documentation and issue an attestation, which serves as official recognition that the financial entity has fulfilled its regulatory obligations and is taking appropriate steps to enhance its digital operational resilience.

Contracting Testers and Proportionality in Testing Requirements

To carry out threat-led penetration testing, financial entities must contract testers in accordance with Article 24 of DORA. These testers must possess the necessary expertise and independence to conduct the testing effectively. The selection of testers is a critical step in the process, as it ensures that the testing is objective and that the results are reliable.

Competent authorities play a key role in identifying which financial entities must perform threat-led penetration testing. This identification is based on a proportional assessment of the entity’s size, scale, activity, and overall risk profile. Specifically, authorities consider factors such as the criticality of the services provided by the entity, potential financial stability concerns, and the entity’s specific ICT risk profile. By taking these factors into account, authorities ensure that the testing requirements are proportionate and that the most significant risks are addressed.

Development of Regulatory Technical Standards

The European Banking Authority (EBA), the European Securities and Markets Authority (ESMA), and the European Insurance and Occupational Pensions Authority (EIOPA), in consultation with the European Central Bank (ECB), are tasked with developing draft regulatory technical standards to further specify the criteria and requirements for threat-led penetration testing. These standards will provide detailed guidance on the scope of testing, the methodologies to be used, and the procedures for reporting and remediation.

In addition, the regulatory technical standards will address the type of supervisory cooperation needed for implementing threat-led penetration testing across financial entities that operate in multiple Member States. This is particularly important for ensuring that testing is consistent and effective across the EU, while also allowing for flexibility to accommodate the specificities of different financial sub-sectors and local markets.

Once developed, these draft regulatory technical standards will be submitted to the European Commission for adoption. The Commission has the authority to supplement DORA by adopting these standards, which will then become binding on financial entities across the EU.

Conclusion

Article 24 of DORA establishes a robust framework for advanced testing through threat-led penetration testing, ensuring that financial entities are well-prepared to withstand sophisticated cyber threats. By requiring regular testing, involving third-party providers, and applying effective risk management, DORA enhances the digital operational resilience of the EU’s financial sector. The development of detailed regulatory technical standards further strengthens this framework, providing clear guidance and ensuring consistency across the Union.