Article 23 Digital Operational Resilience Act (DORA), Advanced Testing of ICT Tools, Systems and Processes Based on Threat Led Penetration Testing

To ensure robust cybersecurity and resilience, financial entities must conduct advanced threat-led penetration testing at least once every three years. This requirement applies to entities specified under paragraph 4, underscoring the importance of regularly assessing and fortifying their defenses against sophisticated threats. By adhering to this mandate, financial entities can proactively identify vulnerabilities and address potential weaknesses before they are exploited.

Scope and Execution of Testing

Advanced threat-led penetration testing must encompass critical functions and services essential to the financial entity’s operations. The testing should be conducted on live production systems supporting these functions to accurately reflect the real-world security posture. The scope of the testing is determined based on an assessment of critical functions and services performed by the financial entity and validated by competent authorities. This ensures that the testing is comprehensive and focused on areas with the highest potential impact.

Identification of Relevant ICT Processes and Technologies

Financial entities are responsible for identifying all relevant underlying ICT processes, systems, and technologies that support critical functions and services. This includes systems managed internally as well as those outsourced to third-party service providers. When third-party providers are included within the testing scope, financial entities must ensure their active participation to obtain a complete assessment of the security landscape.

Risk Management and Documentation

During the testing process, effective risk management controls must be implemented to mitigate potential impacts on data, assets, and critical services. This includes ensuring that the testing does not disrupt normal operations or compromise sensitive information. Upon completing the test, both the financial entities and external testers are required to provide documentation to the competent authority. This documentation must confirm that the testing was conducted according to the specified requirements. The competent authority will then validate the documentation and issue an attestation, certifying that the testing was completed in compliance with regulatory standards.

Contracting Testers

Financial entities must engage qualified testers in accordance with Article 24 to perform advanced threat-led penetration testing. The selection of testers should be based on their expertise and ability to conduct thorough and unbiased assessments. Competent authorities will identify which financial entities require testing based on various factors:

• Impact-Related Factors: The criticality of the services provided and the activities undertaken by the financial entity. Entities providing vital financial services or operating on a systemic scale are prioritized for testing.

• Financial Stability Concerns: Consideration of the potential impact on financial stability, including the entity’s systemic importance at the national or Union level.

• Specific ICT Risk Profiles: The entity’s ICT risk profiles, maturity levels, and technological features involved. Entities with complex or high-risk ICT environments will be subjected to more rigorous testing.

Development of Regulatory Technical Standards

The European Banking Authority (EBA), European Securities and Markets Authority (ESMA), and European Insurance and Occupational Pensions Authority (EIOPA), in consultation with the European Central Bank (ECB), will develop draft regulatory technical standards for advanced threat-led penetration testing. These standards aim to further specify:

• Criteria for Application: Clear criteria for applying the requirements set forth in paragraph 6 of this Article, ensuring consistency and relevance across different financial entities.

• Scope of Testing: Detailed requirements regarding the scope of threat-led penetration testing, including the specific critical functions and systems to be tested.

• Testing Methodology and Approach: Guidelines for the methodology and approach to be followed during each phase of the testing process. This includes preparation, execution, reporting, and remediation stages.

• Supervisory Cooperation: Provisions for supervisory cooperation necessary for threat-led penetration testing of financial entities operating across multiple Member States. This ensures appropriate involvement of supervisory authorities and flexibility for specific financial sub-sectors or local markets.

Submission and Adoption of Standards

The ESAs are required to submit the draft regulatory technical standards to the European Commission by [insert date, 2 months before the regulation’s entry into force]. The Commission is then delegated the authority to adopt these standards in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1095/2010, and (EU) No 1094/2010. These standards will provide a structured framework for conducting advanced threat-led penetration testing, enhancing the overall security and resilience of financial entities.

Implementing advanced threat-led penetration testing is a crucial component of a financial entity’s cybersecurity strategy. By conducting these tests regularly and adhering to comprehensive requirements, entities can better protect themselves against evolving threats and ensure their critical functions remain secure. The development and adoption of regulatory technical standards will further support these efforts, providing clear guidelines and ensuring consistent practices across the financial sector.