DORA – Digital operational resilience testing
Digital operational resilience testing
The requirements regarding digital operational resilience tests cover two things: the general testing programme that all financial entities are required to observe, and the threat-led penetration testing (TLPT) that must be conducted on live production systems and applies only to those financial entities that meet individually prescribed criteria.
General testing programme
Financial entities draw up comprehensive programmes for testing their digital operational resilience, for example containing vulnerability assessments and scans, gap analyses, source code reviews, scenario-based tests or penetration tests.
The tests are conducted by independent internal or external parties. Where a test is conducted internally, sufficient resources must be made available, and it must be ensured that no conflicts of interest arise for the duration of the entire test.
All identified weaknesses are prioritised, classified and remedied.
Appropriate tests are conducted on all ICT systems and applications supporting critical or important functions at least yearly.
Threat-Led Penetration Testing
Significant financial entities are required to conduct threat-led penetration tests. Such tests, including those conducted in a production environment, focus on the entity’s core IT systems.
The specific methodology to be applied for such tests under DORA is based on the TIBER-EU framework. TIBER stands for “Threat Intelligence-Based Ethical Red Teaming” and is being implemented in Austria by TIBER-AT.
Questions and Answers
The DORA Regulation (DORA) stipulates the criteria for identifying financial entities required to conduct TLPT. They comprise impact-related factors, possible financial stability concerns, the specific ICT risk profile and the level of ICT maturity of the financial entity (Article 26 (8) DORA).
Article 2 of the Final Report on draft RTS specifying elements related to threat led penetration tests (Draft RTS) specifies these criteria more closely.
The identification of institutions and the planning process for TLPT are currently taking place. National tests also depend on the finalisation of European planning (for significant institutions as defined in the SSM Regulation, in particular by the European Central Bank (ECB)). The final identification will occur at the earliest when the DORA rules become applicable at the start of 2025.
Generally, a TLPT must be conducted within a three-year window from January 2025 (for example between 17 January 2025 and 16 January 2028). Planning of when each institution’s turn comes can only begin once the corresponding methodologies have been determined at European level (see previous question). To avoid excessive strain on the institution, a collision check against ongoing IT audits at the institution will be conducted where possible (even though TLPT and IT audits are conducted by different teams).
Generally, all subsidiaries are also obliged to conduct TLPT, although under certain circumstances the competent authority may exclude them from doing so. Based on proportionality considerations, this will in particular depend on the size and systemic relevance of the subsidiary institutions within the respective member state.
In addition, the (non-)inclusion of subsidiaries in TLPT also depends on the scoping done in preparation for testing. The parent institution’s control team prepares the scoping document, which the competent TIBER test manager then releases in consultation with the competent authority. The added value of also including smaller subsidiary institutions within the same member state in the scope of the TLPT is expected to be low, especially where they use the same IT infrastructure as the parent institution. Ultimately, the (non-)inclusion of subsidiaries always remains a case-by-case decision.
The TLPT, as an advanced penetration test in accordance with Article 26 DORA, is considered a sophisticated methodology for identifying a financial undertaking’s cybersecurity vulnerabilities. However, the TLPT is also very resource-intensive. The methodology in the RTS currently being drawn up therefore focuses on identifying, based on quantitative criteria, those institutions for which the findings of the TLPT justify the additional outlay.
It is generally assumed that the criteria are as selective as possible. Furthermore, as a general rule it is to be assumed that only institutions with a certain level of systemic importance within a specific member state are required to conduct TLPTs. In individual cases, less systemically important parent or subsidiary institutions in another member state may also be included. Whether it would be disproportionate for an institution to conduct a TLPT in deviation from the envisaged criteria is also largely determined by its ICT risk profile and its maturity in the area of ICT risk. Here too, the decision is taken on a case-by-case basis.
Please see the following question regarding regular penetration tests.
The tests listed in Article 25 (1) DORA are to be understood as examples. Financial entities are not expected to conduct every test listed therein. Each institution’s testing programme should, however, be designed in accordance with the principle of proportionality.
While the rules stated in Articles 24 and 25 DORA generally apply to all financial entities, advanced testing of ICT tools, systems and processes based on TLPT is only required of selected financial entities, which are informed by the FMA in a timely manner.
TLPT (“threat-led penetration testing”) is defined in Article 3 (17) DORA. TLPT means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat. TLPT delivers a controlled, bespoke, intelligence-led (red team) test of the respective financial entity’s critical live production systems.
In any case, it is necessary to highlight that only external “red teaming” is intended pursuant to Article 26 (8) DORA for significant institutions under the SSM Regulation definition. This paragraph also stipulates that financial entities that make use of internal testers must contract external testers for every third test. In addition, we also refer to the rules stated in Article 13 of the Final Report on draft RTS specifying elements related to threat led penetration tests.
The contents on this website as well as hyperlinks to third party websites serve the purpose of providing general and non-binding information. These “Questions and Answers” do not constitute the FMA’s binding interpretation and in particular do not constitute interpretation within the scope of the question and answer processes (Q&As) of the three European Supervisory Authorities (EBA – European Banking Authority, ESMA – European Securities and Markets Authority, and EIOPA – European Insurance and Occupational Pensions Authority). All information on this website is provided without any guarantee, especially with regard to its up-to-dateness, completeness and correctness, and the FMA, including its employees or the persons responsible for this website, assume no liability whatsoever for the content; in addition, the FMA neither guarantees nor assumes liability for the use of hyperlinks or content that can be accessed via them.
Legal bases
Information regarding the legal bases for DORA can be found on the FMA’s “DORA – Digital Operational Resilience in the Financial Sector” web page.