DORA: Digital Operational Resilience Testing
Digital Operational Resilience Testing [Art 24-27]
Rule: Financial entities must establish, maintain and review a digital operational resilience testing programme proportionate to their size, business and risk profile, as an integral part of the ICT risk-management framework [Art 24]. Entities identified by their competent authority under Art 26(8) must additionally carry out threat-led penetration testing (TLPT) at least every three years [Art 26(1)].
General Testing Requirements [Art 24]
All financial entities must:
| Requirement | Detail |
|---|---|
| Establish testing programme | Sound and comprehensive, integral to the ICT risk-management framework, kept under review [Art 24(1)-(2)] |
| Risk-based approach | Takes account of size, business and risk profile, the evolving threat landscape, and the criticality of information assets and services [Art 24(3)] |
| Independent testers | Tests undertaken by independent parties, internal or external; internal testers need sufficient dedicated resources and conflicts of interest must be avoided [Art 24(4)] |
| Address vulnerabilities | Procedures and policies to prioritise, classify and remedy every issue the tests reveal, with internal validation that the remediation is effective [Art 24(5)] |
| Annual testing | At least yearly, every ICT system and application supporting a critical or important function [Art 24(6)] |
| Document and report | Record findings and remediation status and report a summary to the management body |
Testing Methods [Art 25(1)]
The testing programme must provide for appropriate tests, such as:
| Test Type | Purpose |
|---|---|
| Vulnerability assessments and scans | Identify known technical weaknesses in systems and applications |
| Open source analyses | Review the open-source components and dependencies in use |
| Network security assessments | Review network segmentation, exposure and configuration |
| Gap analyses | Compare controls against standards and internal policies |
| Physical security reviews | Premises and physical access controls |
| Questionnaires and scanning software solutions | Self-assessment and automated control checks |
| Source code reviews | Where feasible |
| Scenario-based tests | Simulate business disruption scenarios |
| Compatibility testing | Integration and interoperability |
| Performance testing | Load, stress, scalability |
| End-to-end testing | Full process validation |
| Penetration testing | Adversarial testing of systems and applications (see below) |
Penetration Testing and Deployment-Time Assessments [Art 25(1)-(3)]
Penetration testing is one of the Art 25(1) methods; DORA sets no separate cycle for it. The cadence that applies is Art 24(6), at least yearly for every system supporting a critical or important function, with TLPT on top for entities identified under Art 26:
- Conducted by independent testers, internal or external [Art 24(4)]
- Scoped under the programme's risk-based approach [Art 24(3)]
- Findings prioritised, classified and remediated, and the remediation validated [Art 24(5)]
- Central securities depositories and central counterparties must run vulnerability assessments before any deployment or redeployment of applications, infrastructure components and ICT services supporting critical or important functions [Art 25(2)]
- Microenterprises combine a risk-based approach with strategic planning when deciding which tests to perform [Art 25(3)]
Threat-Led Penetration Testing (TLPT) [Art 26]
Who must conduct TLPT [Art 26(1), 26(8)]:
- Financial entities identified by the competent authority (or the single public authority a Member State designates) on the basis of impact-related factors, financial-stability concerns including the entity's systemic character, and its ICT risk profile, maturity and technology features
- Microenterprises and entities under the simplified framework of Art 16(1) are excluded
- At least every three years; the authority may reduce or increase the frequency based on the entity's risk profile
What is TLPT [Art 3(17), 26(2), 26(8)]:
- A controlled, bespoke, intelligence-led (red team) test
- Mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat
- Performed on the live production systems supporting critical or important functions
- Undertaken in accordance with the TIBER-EU framework
TLPT Requirements [Art 26(2)-(8)]
| Requirement | Detail |
|---|---|
| Scope | Several or all critical or important functions and the ICT systems, processes and technologies supporting them, including services outsourced to ICT third-party providers; the entity's scoping assessment is validated by the competent authority [Art 26(2)] |
| Live systems | Performed on live production systems supporting the in-scope functions [Art 26(2)] |
| Third-party services | Entity ensures the provider's participation and retains full responsibility [Art 26(3)] |
| Risk management | Effective controls, applied with providers and testers, against data impact, asset damage and disruption at the entity, its counterparties or the financial sector [Art 26(5)] |
| Testers | Meet Art 27; internal testers only with approval, and external testers contracted at least every three tests [Art 26(8), Art 27] |
| Reporting | Summary of findings, remediation plans and documentation demonstrating compliance, provided to the competent authority [Art 26(6)] |
| Attestation | Authority issues an attestation enabling mutual recognition; the entity notifies its competent authority of the attestation, summary and remediation plans [Art 26(7)] |
| Methodology | TIBER-EU framework; regulatory technical standards specify each testing phase, results, closure and remediation [Art 26(8), 26(11)] |
TLPT Tester Requirements [Art 27]
Testers must [Art 27(1)]:
- Be of the highest suitability and reputability
- Possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing
- Be certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks
- Provide independent assurance, or an audit report, on sound management of TLPT risks, including protection of the entity's confidential information and redress for its business risks
- Be duly and fully covered by professional indemnity insurance, including against misconduct and negligence
Internal testers allowed only if, in addition [Art 27(2)]:
- Their use has been approved by the competent authority or the designated single public authority
- The authority has verified that the entity has sufficient dedicated resources and that conflicts of interest are avoided throughout design and execution
- The threat intelligence provider is external to the entity
Contracts with external testers must ensure sound management of TLPT results and that the tester's data processing creates no risk to the entity [Art 27(3)].
Pooled Testing [Art 26(4)]
Where an ICT third-party provider's participation could adversely affect the quality or security of its services to customers outside the TLPT scope, or the confidentiality of their data:
- The financial entity and the provider may agree in writing that the provider contracts directly with an external tester
- The test runs as a pooled TLPT under the direction of one designated financial entity, covering the ICT services supporting critical or important functions that the provider delivers to the participating entities
- A pooled test counts as a TLPT carried out by each participating entity; the number of participants is calibrated to the complexity and types of services involved
Use of ICT Third-Party Providers in TLPT [Art 26(3), 26(5), 30(3)]
Where TLPT covers ICT services delivered by third parties:
- The financial entity takes the measures and safeguards needed to ensure the provider participates, and retains full responsibility for the test [Art 26(3)]
- Risk-management controls for the test are applied in cooperation with the provider and the testers [Art 26(5)]
- Contractual arrangements for services supporting critical or important functions must oblige the provider to participate and fully cooperate in TLPT [Art 30(3)(d)]
Testing Results Management
| Stage | Actions |
|---|---|
| Pre-test | Scope definition, risk management, stakeholder approval |
| During test | Control measures, monitoring, escalation paths |
| Post-test | Findings documentation, risk assessment |
| Remediation | Action plan, implementation, validation |
| Reporting | Management and competent authority reporting |
Exemptions from TLPT
| Entity Type | TLPT Status |
|---|---|
| Identified by the competent authority under Art 26(8) | Mandatory at least every 3 years [Art 26(1)] |
| Not identified | Not required; the Art 24-25 testing programme still applies |
| Microenterprises | Excluded [Art 26(1)] |
| Entities under the simplified framework (Art 16) | Excluded [Art 26(1)] |
Comparison: Basic Testing vs TLPT
| Aspect | Basic Testing | TLPT |
|---|---|---|
| Frequency | At least yearly for systems supporting critical or important functions | At least every 3 years |
| Scope | Risk-based, across the whole programme | Several or all critical or important functions, validated by the authority |
| Method | Art 25(1) test types | Intelligence-led red team test under TIBER-EU |
| Systems | May be non-production | Live production |
| Testers | Independent, internal or external [Art 24(4)] | Testers meeting Art 27 |
| Reporting | Internal | Summary, remediation plans and attestation to the competent authority |