
Speed up your DORA compliance with this four-chapter guide to security testing requirements for entities regulated by the Digital Operational Resilience Act.

The Digital Operational Resilience Act (DORA), aka Regulation n°2022/2554, is a major piece of European Union legislation on the cybersecurity of financial entities such as banks and credit institutions. It aims to raise the overall level of digital resilience in the financial sector, through individual obligations applicable to each regulated institution.

Among these obligations, one deserves particular attention: security testing. Cybersecurity tests are an essential aspect of the regulation, which devotes its entire Chapter IV to them. The subject is rich and complex, which is why we have decided to make a comprehensive study of it, namely this document.

You can continue reading this guide in the form of articles on our blog, or download it below in PDF format for easier reading.

DORA: A Guide to Security Testing for Regulated Entities

A 60-page compliance guide to walk security managers of DORA-regulated entities through the regulation's security testing obligations: the resilience testing program, and Threat-Led Penetration Testing (TLPT).


Exploring Security Testing and Its Implications for Financial Entities

Over the next few pages, we’ll explore:

  1. the different security testing obligations introduced by DORA, with regular references to the official text;
  2. the challenges faced by CISOs and other risk managers at regulated institutions, to provide food for thought and, in some cases, solutions.

First and foremost, let’s make it clear that these few lines — as exhaustive as they are intended to be — are no substitute for the necessary compliance diligence of regulated entities, nor for the expertise of a legal expert. It is up to each entity to ensure its own compliance, and this document should not be taken for more than what it is: a specific contribution to the discussions on the implementation of the DORA Regulation.

It should also be pointed out that security testing is just one of the many subjects covered by DORA. For a first and more holistic approach to the legislation, we recommend that you read our comprehensive DORA Compliance Guide, a 17-point checklist to help you prepare for the various aspects of the legislation — ICT risk management framework, BCP and DRP, incident response processes, crisis communication plans…

DORA: A Complete Guide to Compliance for the Financial Sector

A 50-page guide to walk CISOs, DPOs and legal departments through the EU regulation. No mumbo jumbo, only useful and actionable insights.


Now to the serious stuff: DORA and security testing.

Why Does DORA Introduce an Obligation to Test Assets?

Before examining the security tests introduced by DORA, it is important to understand why the regulation requires financial entities to test their assets.

Faced with the risks posed by information systems, national and then European regulators have published rules and recommendations. This necessary first step fuelled a logic of compliance that could have supplanted a culture of results. A few years ago, both bug bounty service providers and the designers of TIBER-EU were quick to identify this unfavorable development, whose treatment is now integrated into global regulations.

Organizations have every interest in testing their digital assets to identify and remediate potential vulnerabilities. Testing enables attacks to be simulated, providing a realistic view of security flaws and how they might be exploited. By understanding their weaknesses, organizations can adapt their defenses, and improve the protection of sensitive data. This not only reduces risk and the likelihood of serious financial consequences, but also preserves the trust that citizens place in financial institutions.

Investing in security testing leads to robust cybersecurity and strengthens the digital resilience of financial entities, which is DORA’s primary objective.

Two Distinct Testing Obligations: Resilience Testing and Threat-Led Penetration Testing

The obligation to test digital assets introduced by DORA is twofold:

  1. A digital operational resilience testing program:
    • mandatory for all entities regulated by DORA;
    • to be carried out at least once a year for systems and applications supporting critical or important functions.
  2. Threat-Led Penetration Testing (TLPT):
    • mandatory for the most important financial entities, designated by the competent authorities in each country;
    • to be carried out at least every 3 years.

Resilience tests are mandatory for all entities within the scope of DORA, whereas TLPTs are more stringent tests reserved for financial entities whose failure would have systemic effects.

Mirroring the DORA text, this document will focus on:

  • firstly, resilience testing and its implications;
  • secondly, TLPT and the TIBER-EU framework.

The Importance of Mapping the Information System

In order to conduct tests as efficiently as possible, it is important to map the entire information system. This comprehensive inventory is not only dictated by common sense, but also by the final text of DORA, as it is a mandatory element of the ICT risk management framework. This step will give you an overview of all your organization’s assets, and enable you to classify them by criticality and risk level. This holistic view, coupled with a prioritization of assets, will enable you to best frame your security testing strategy.

Nevertheless, without ignoring the value of the exhaustive IS mapping recommended by DORA, there are some obvious and urgent matters when it comes to testing critical systems — which should be carried out without delay, in order to meet the enforcement deadlines of the aforementioned regulation.

Links to the Following Chapters

Let’s move on to the first major chapter of this guide:

  1. DORA and the Digital Operational Resilience Testing Program

If you wish, you can also skip to the following chapters:

  1. DORA and the Challenge of Scaling Security Testing
  2. DORA: Everything About Threat-Led Penetration Testing (TLPT)
  3. DORA: The Success of TLPTs, a Question of ROI for CISOs