EU DORA: All You Need to Know About its Resilience Testing Requirement

The European Union's Digital Operational Resilience Act (DORA) is set to transform the financial sector's approach to cybersecurity. DORA lays significant emphasis on many aspects of Information and Communication Technology (ICT) Risk management for financial entities. Digital Operational Resilience Testing for ICT-related incidents is one of DORA’s key pillars. And this is what we’re going to explore through this article. 

Understanding the resilience testing requirement of DORA is crucial for financial institutions to ensure compliance and robust digital defences. We’ve created this concise guide that condenses everything you need to know about DORA’s resilience testing mandate. 

You’ll also find guidance from our cybersecurity experts on how to achieve this mandate. 

Always remember - Testing regularly ensures that you are not just theoretically prepared for cyber threats, but practically resilient too.

Topics covered in this article: 

1. What does DORA say about Digital Operational Resilience Testing? 
2. DORA mandate on Threat Led Penetration Testing
3. Requirements for Testers
4. How Can We Help?

What the EU DORA says on Digital Operational Resilience Testing

Chapter IV of the Final DORA text is dedicated to Digital Operational Resilience Testing. The chapter contains 4 articles (24-27). They cover the general requirements, how to test ICT tools and systems, advanced testing of ICT tools and requirements for testers. 

Article 25 prescribes the following tests for financial entities in the EU: 

1. Vulnerability assessments and scans 
2. Open source analyses 
3. Network security assessments 
4. Gap analyses 
5. Physical security reviews 
6. Questionnaires and scanning software solutions 
7. Source code reviews (where feasible) 
8. Scenario testing 
9. Compatibility testing 
10. Performance testing 
11. End-to-end testing 
12. Penetration testing (aka, threat lead pt or TLPT)

DORA necessitates that financial entities must conduct these resilience tests regularly. The frequency may vary based on the size, nature, and complexity of the organisation. The tests must also cover all critical ICT systems and tools, including those managed by third-party providers.

In the next few sections, we look at the DORA mandate for Threat-Led Penetration Testing. This is definitely the most critical component in Chapter IV with two dedicated chapters. 

If you’re interested in conducting a scenario-based resilience test, do read our detailed blog:  EU DORA Regulation: Scenario-based Testing for Operational Resilience.  

For detailed information on the ICT Risk Management Framework, Information Sharing and Third-party Risk Management mandates, read this blog: 5 Pillars of DORA.  

Back To Top

EU DORA & Threat-Led Penetration Testing: Quick Summary 

Article 26 of DORA goes deeper into its mandate for Threat Led Penetration Testing (TLPT). Here’s a brief look at what the Advanced testing of ICT tools, systems and processes based on TLPT requires: 

1. Frequency: Financial entities, other than microenterprises, must carry out advanced testing (TLPT) at least once every three years. The competent authority may increase or decrease this frequency based on the risk profile of the institution. 
   
   
2. Scope: Each test must cover critical or important functions of the organisation and the tests must be conducted on live production systems. Based on the institution's assessment of critical functions (including those outsourced to critical ICT third party service providers), the scope of the TLPT will be decided. This scope will then be validated by the competent authority.  
   
   

3. ICT Third Party Risk: The onus of ensuring third party participation in the test (if they fall into the scope of the TLPT), lies with the financial institution. 
   
   
4. Pooled Testing: EU DORA allows financial entities to conduct pooled threat-led penetration testing (TLPT) for third-party service providers. This means multiple financial entities can collaborate to test a shared ICT service provider's security. This pooled test can be performed by an external tester but under the direction of one designated financial entity.  

Back To Top

DORA’s Requirements for Testers: Brief Overview

Chapter 27 of Article IV focuses entirely on Requirements for Testers to carry out Threat Led Penetration Tests. 

Here’s a quick summary of these requirements. As per the DORA mandate, testers should be: 

1. Highly capable and reputable with demonstrable expertise in threat intelligence, red teaming and pentesting. 
2. Capable of providing an independent audit report while protecting all sensitive data during the test. 
3. Fully covered by relevant professional indemnity insurances. 
4. Under strong contracts with the financial entity. The contracts must ensure complete data protection of the financial entity. It should also ensure sound management of the TLPT results.   
5. Approved by competent authority in case of internal testers. In such cases, the threat intel provider must be external to the organisation. If a financial entity uses internal testers, they must ensure every third test is conducted by an external pentester. 

Back To Top

How we can help you with Operational Resilience Testing for DORA Compliance

The long list of tests, requirements for TLPT and compliance with other clauses of DORA can seem overwhelming. However, the good news is that it doesn’t have to be so. 

Cyber Management Alliance offers a complete suite of services that can take care of all your DORA compliance requirements, especially those pertaining to Digital Operational Resilience Testing. 

Take a quick look at how we can help: 

1. Scenario-Based Testing: Cyber Management Alliance is the world leader in conducting Cyber Tabletop Exercises. These exercises simulate cyber attack scenarios most relevant to your business. The carefully chosen participants for the exercise are coaxed to think and respond like they would in an actual attack scenario. 
   
   These exercises test the viability of your Cyber Incident Response Plans in the event of an ICT-related incident. They show you the gaps in your digital resilience posture, your strengths and weaknesses. Overall, they help you refine your maturity to respond to cybersecurity and digital disruptions.  
   
   
   
2. Penetration Testing: Our Certified Penetration Testing Services stand out in the market for being cost-effective and customisable. Our expert team of pentesters, complemented by the leadership of our cybersecurity experts, help you identify the threats to your business before attackers do.  
   
   Our certified engineers conduct a thorough technical reconnaissance of your assets and identify all possible entry points. They then try to 'gain access' and exploit vulnerabilities to simulate a prolonged attack and assess potential damage. Based on the test, the vulnerabilities found, their characteristics and the possible damage, we created a detailed report. The findings are complemented by effective remediation steps, in order to help you address your vulnerabilities faster and achieve DORA compliance. 
   
   It’s worth noting, however, that regular pentests also help you achieve compliance with several other regulatory standards and frameworks including the GDPR, ISO 27001, PCI DSS and SOC 2 amongst many others. 
   
   
   
3. Risk Assessment and Gap Analysis: Our Virtual Cyber Assistants can help you improve your digital operational resilience in nearly every way possible. In the most cost-effective and flexible package, you can get your cyber incident response plans, policies and playbooks in order.  
   
   They can also help you implement a robust Cybersecurity and/or Risk Management Framework. They’ll help you review your Business Continuity and Disaster Recovery plans. And in the context of DORA, they can assist you with conducting a Risk Assessment and/or Security Gap Analysis. 

Back To Top

Final Word 

DORA's resilience testing requirement is a significant step towards fortifying the financial sector against cyber threats. By regularly testing and enhancing ICT systems, financial institutions can not only comply with regulatory requirements but also safeguard their operations, data, and customer trust. 

Always remember, preparing for DORA is not just about compliance. It's about building a resilient, secure future for the financial industry.