Introduction to DORA
The Digital Operational Resilience Act (DORA) was brought in across European Union nations to address risk management gaps and attempt to harmonise these requirements across the EU. The act specifically targets financial service entities, i.e. largely those regulated by central banks, and introduces rules around incident management & reporting, digital testing and management of third-party risk.
What is DORA?
The European Council adopted DORA in November 2022 and will be in full force from 17th January 2025. DORA is an EU regulation that comprehensively addresses Information and Communication Technology (ICT) risk management in the financial sector by ensuring that all providers follow a set of standards to mitigate ICT risks for their operations. Prior to DORA, each EU country had different regulations for ICT risk. DORA aims to create a unified framework for all member states.
Who Does DORA Apply to?
DORA applies to financial entities and ICT third parties providing services to financial institutions, such as cloud platforms or data analytics – DORA does not only apply to traditional banks.
Affected entities include traditional financial institutions, credit and payment institutions, investment firms & funds, crypto-asset providers, data reporting service providers, insurance companies and ancillary service providers, pensions providers, auditors and some ICT third-party service providers.
Key Elements of DORA
There are five crucial elements of DORA which can be broken into the below:
- ICT Risk Management
- ICT-related Incident Management, Classification, and Reporting
- Digital Operational Resilience Testing
- Managing of ICT Third-party Risk
- Information Sharing Arrangements
DORA Testing Requirements
Digital Operation Resilience Testing
Part of the ICT risk management framework DORA requires that financial entities define, document, and maintain a thorough and comprehensive digital operational resilience testing programme. Financial entities will need to ensure that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions on at least a yearly basis. Some of the tests detailed in the DORA regulation include:
- Vulnerability assessments and scans
- Open-source analyses
- Network security assessments gap analyses
- Physical security reviews
- Questionnaires and scanning software solutions
- Source code reviews where feasible
- Scenario-based tests
- Compatibility testing
- Performance testing
- End-to-end testing or penetration testing.
- Threat-Led Penetration Testing (see below)
What Organisations will need to do to meet DORA Requirements:
- Demonstrate that they are conducting an appropriate set of security testing on ‘critical’ systems and applications at least annually
- Fully address’ any vulnerabilities identified by this testing
- For designated significant entities (as yet to be specified by a Regulatory Technical Standard (RTS) to conduct a Threat-Led Penetration Test (TLPT) at least once every three years.
What is Threat-Led Penetration Testing (TLPT)?
In addition to the above types of testing, certain financial entities will be required to carry out Threat-led Penetration Testing (TLPT) at least once every three years. TLPT is essentially red teaming based on threat intelligence and should cover at least the critical functions and services of a financial entity.
Threat intelligence refers to information such as tactics, techniques, and procedures (TTPs) employed by cybercriminals that helps an organization understand the cyber threats it faces. Red teaming is a cybersecurity practice where a team of ethical hackers simulates real-world cyber-attacks to evaluate an organization’s security posture and identify vulnerabilities. Red Teaming is different to a penetration test, in that it is usually focused on a specific goal or objective.
For the lifecycle of a TLPT, the scope shall be determined by the financial entity itself, which is validated by the relevant competent authorities (EBA, ESMA, and EIOPA). Testing must be performed by a suitable testing organisation and it must be performed in a live production environment.
The methodology around conducting the TLPT will likely be based on the ECB’s existing TIBER-EU framework.
What is TIBER-EU?
TIBER-EU is a European framework for conducting threat intelligence-based red-teaming tests, which was introduced in 2018. It outlines the TTPs that should be employed during testing, based on bespoke threat intelligence.
TIBER-EU brings together a number of entities within organisations themselves and outlines third-party providers that are required to carry out the red-team capability and the threat intelligence capability. These providers work together with the organisation to conduct testing.
The testing requirements mandated by TIBER-EU are clear, but it is unclear how they fit in with DORA.
What are the next significant milestones for DORA?
The European Supervisory Agencies (ESAs), along with other European authorities, are leading the development of the technical standards as required by the DORA Regulation. Further clarification on standards is expected to be published for public consultation in late Q3 2023 or early Q4 2023.4
The timelines for further clarification on exact requirements in relation to performing resilience testing is to be expected by late Q4 2023.
An Annual Penetration Test is a Requirement of DORA
The most significant requirement of DORA is the annual penetration testing for critical applications and systems, which can be fulfilled through the use of Edgescan.
Edgescan Penetration Testing Service Meets DORA Requirements
The good news is that most of the types of testing required by the standard are items that financial services organisations will be well familiar with and, indeed, the majority of which will already have ongoing secure testing programmes that include these items. Once organisations identify their critical systems in scope, we can onboard them and start testing immediately.
Edgescan offers world-class penetration testing services globally through our Penetration Testing as a Service (PTaaS) platform.
Testing, Reporting & Remediation!
Our testing methodology more than meets the current criteria to cover the annual tests that are outlined in DORA specifications.
Extensive and detailed reporting via the Edgescan platform, gives you an ongoing view of the security posture for your critical assets, with extensive reporting metrics and on-demand retesting.
Plus with remediation advice direct from our technical testing teams, demonstrating that any vulnerabilities identified have been remediated sufficiently and retested satisfactorily, will not be a problem.
Threat-Led Penetration Testing
Edgescan provides objective-based penetration testing (aka Red Teaming) capabilities using our CREST certified pen testers. The goal of standard penetration testing is to find ‘all the vulnerabilities’ that an adversary could leverage to breach a system or organisation. Red Teaming can be thought of as a narrow-scope penetration test, whereby you focus on an objective or end goal and leverage vulnerabilities to achieve this objective.
The exact requirements for the once-per-three-year TLPT are still being finalized. We will continue to monitor and provide updates via social media and blog posts as more clarity on testing becomes available.
Contact us today to see how Edgescan can help you meet DORA requirements.