Article 24 Digital Operational Resilience Act (DORA), Requirements For Testers

Jul 23, 2024 by Sneha Naskar

Article 24 of the Digital Operational Resilience Act (DORA) outlines the qualifications and standards required for testers performing advanced threat-led penetration testing. Financial entities must select testers with the expertise to deliver thorough and unbiased security assessments. These requirements ensure the effectiveness and reliability of the tests, helping entities strengthen their cybersecurity resilience.


Requirements For Testers in Threat-Led Penetration Testing

Financial entities are required to engage testers for threat-led penetration testing who meet rigorous standards to ensure the highest quality and effectiveness of the assessment. The selection process must adhere to the following criteria:

  • Highest Suitability and Reputability: Testers must be recognized for their strong reputation in the field of cybersecurity. This includes having a proven track record of delivering high-quality penetration testing services and being well-regarded by peers and industry experts. Their suitability for the task is assessed based on their previous experience and success in similar engagements, ensuring that they are equipped to handle the specific challenges of threat-led penetration testing.
  • Technical and Organizational Capabilities: Testers should demonstrate robust technical and organizational capabilities. This includes having specialized expertise in areas such as threat intelligence, penetration testing, or red team testing. Their technical skills must be complemented by sound organizational practices that support the effective execution of the testing, including planning, resource management, and execution. This ensures that the testers can comprehensively assess and address potential vulnerabilities in the financial entity's systems.
  • Certification or Adherence to Codes: To ensure adherence to high standards of practice, testers must either be certified by an accreditation body within a Member State or follow formal codes of conduct and ethical frameworks. Recognized certifications such as the Offensive Security Certified Professional (OSCP) or Certified Ethical Hacker (CEH) provide assurance of the tester's qualifications and adherence to industry best practices. Alternatively, adherence to established ethical frameworks ensures that testers follow recognized standards of conduct in their testing activities.
  • Independent Assurance or Audit Report: External testers must provide an independent assurance or audit report that verifies their sound management of risks associated with threat-led penetration testing. This report should detail how the testers safeguard the financial entity’s confidential information and address potential business risks. It serves as an assurance that the testers have the necessary controls in place to manage the risks associated with the testing process, including the protection of sensitive data.
  • Professional Indemnity Insurance: Adequate professional indemnity insurance is mandatory for external testers. This insurance should cover risks related to misconduct, negligence, and other relevant liabilities. By having such insurance in place, testers provide a financial safety net that protects both themselves and the financial entity against potential losses or damages arising from the testing activities.

Management of Testing Results

Financial entities must establish clear agreements with external testers to manage the results of threat-led penetration testing effectively. These agreements should include provisions for:

  • Sound Management of Testing Results: The results of threat-led penetration testing must be managed securely and responsibly. This involves ensuring that the findings are handled with the highest level of confidentiality and integrity. The management process should include secure storage, controlled access, and appropriate handling procedures to prevent unauthorized disclosure or misuse of the results.
  • Risk-Free Processing: Any processing of testing results—whether it involves generating, storing, aggregating, reporting, communicating, or destroying the results—must be conducted in a manner that does not pose risks to the financial entity. This means implementing stringent controls and procedures to mitigate any potential risks associated with the handling of sensitive information. The aim is to protect the financial entity from potential adverse effects that could arise from mishandling or unauthorized access to the testing results.

The requirements for testers in threat-led penetration testing are designed to ensure that financial entities engage highly qualified and reputable professionals to assess their cybersecurity resilience. By adhering to stringent selection criteria, including technical capabilities, certifications, and insurance coverage, financial entities can ensure that their testing processes are conducted effectively and responsibly. Proper management of testing results further safeguards the integrity and confidentiality of the findings, protecting the financial entity from potential risks and vulnerabilities. These measures are crucial for maintaining robust cybersecurity defenses and ensuring that financial entities are well-prepared to address and mitigate potential threats.
