Understanding DORA: Implications for Penetration Testing Practices

Digital Operational Resilience Act (DORA)

Description

This blog post looks at the implications of the Digital Operational Resilience Act (DORA) for penetration testing and offers a curated summary of the relevant DORA articles. It highlights the key points in the following areas:

  • companies in scope
  • details on penetration testing (including Threat-Led Penetration Testing – TLPT)
  • guidelines on the recommended frequency for conducting TLPT
  • the use of internal versus external penetration testers
  • contractual terms required in agreements with Information and Communication Technology (ICT) service providers

General provisions (Chapter I)

TLDR : This DORA chapter sets out the definitions needed to understand the regulation’s scope, including ‘digital operational resilience,’ ‘threat intelligence,’ and ‘threat-led penetration testing (TLPT).’ The regulation applies from 17 January 2025 to a wide range of financial entities and ICT third-party service providers across EU member states. It establishes uniform requirements for the security of the network and information systems supporting financial entities’ business processes, covering ICT risk management, incident reporting, digital operational resilience testing, information sharing on cyber threats, management of ICT third-party risk, contractual arrangements, and the establishment of an oversight framework.

Definitions (Article 3)

  • ‘digital operational resilience’ means the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT (Information and communication technology) third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses, and which support the continued provision of financial services and their quality, including throughout disruptions;
  • ‘threat intelligence’ means information that has been aggregated, transformed, analysed, interpreted or enriched to provide the necessary context for decision-making and to enable relevant and sufficient understanding in order to mitigate the impact of an ICT-related incident or of a cyber threat, including the technical details of a cyber-attack, those responsible for the attack and their modus operandi and motivations;
  • ‘threat-led penetration testing (TLPT)’ means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems;

Start date (Article 64)

The regulation applies from 17 January 2025.
This Regulation shall be binding in its entirety and directly applicable in all EU Member States.

Scope (Article 2)

This Regulation applies to:

  • Financial entities such as: credit institutions, payment institutions, investment firms, crypto-asset service providers, trading venues, management companies, insurance and reinsurance undertakings, insurance intermediaries, credit rating agencies, crowdfunding service providers, and others. The full list of financial entities to which this regulation applies can be found in Article 2.
  • ICT third-party service providers

Subject matter (Article 1)

This Regulation lays down uniform requirements concerning the security of network and information systems supporting the business processes of financial entities as follows:

  • requirements applicable to financial entities in relation to:
    • information and communication technology (ICT) risk management; (Chapter II: Articles 5-16)
    • reporting of major ICT-related incidents and notifying, on a voluntary basis, significant cyber threats to the competent authorities; (Articles 17-23)
    • reporting of major operational or security payment-related incidents to the competent authorities by financial entities referred to in Article 2(1), points (a) to (d);
    • digital operational resilience testing; (Chapter IV: Articles 24-27)
    • information and intelligence sharing in relation to cyber threats and vulnerabilities; (Chapter VI: Article 45)
    • measures for the sound management of ICT third-party risk;
  • requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities;
  • rules for the establishment and conduct of the Oversight Framework for critical ICT third-party service providers when providing services to financial entities;
  • rules on cooperation among competent authorities, and rules on supervision and enforcement by competent authorities in relation to all matters covered by this Regulation.

Digital Operational Resilience Testing (Chapter IV)

TLDR : This chapter outlines the requirements for digital operational resilience testing (DORT) to assess ICT incident preparedness, identify weaknesses, and implement corrective measures promptly. Financial entities are mandated to establish and maintain a comprehensive DORT program within their ICT risk-management framework, employing a risk-based approach and independent testers. The program encompasses various assessments, methodologies, and tools. It also includes advanced testing via threat-led penetration testing (TLPT) every three years, ensuring coverage of critical functions and involvement of ICT third-party service providers where applicable. Financial entities must ensure testers meet stringent criteria and adhere to professional standards. Additionally, procedures for handling test results and contracts with external testers must prioritize the security and confidentiality of data.

General requirements for the performance of digital operational resilience testing (Article 24)

  1. For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities, other than micro-enterprises, shall, […], establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6.
  2. The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with Articles 25 and 26.
  3. When conducting the digital operational resilience testing programme referred to in paragraph 1 of this Article, financial entities, […], shall follow a risk-based approach taking into account the criteria set out in Article 4(2) duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate.
  4. Financial entities, […], shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.
  5. Financial entities, […], shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
  6. Financial entities, […], shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.

Testing of ICT tools and systems (Article 25)

  1. The digital operational resilience testing programme referred to in Article 24 shall provide, in accordance with the criteria set out in Article 4(2), for the execution of appropriate tests, such as vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing and penetration testing.
  2. Central securities depositories and central counterparties shall perform vulnerability assessments before any deployment or redeployment of new or existing applications and infrastructure components, and ICT services supporting critical or important functions of the financial entity.
  3. Micro-enterprises shall perform the tests referred to in paragraph 1 by combining a risk-based approach with a strategic planning of ICT testing, by duly considering the need to maintain a balanced approach between the scale of resources and the time to be allocated to the ICT testing provided for in this Article, on the one hand, and the urgency, type of risk, criticality of information assets and of services provided, as well as any other relevant factor, including the financial entity’s ability to take calculated risks, on the other hand.

Advanced testing of ICT tools, systems and processes based on TLPT (Article 26)

  1. Financial entities, […], shall carry out at least every 3 years advanced testing by means of TLPT. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authority may, where necessary, request the financial entity to reduce or increase this frequency.
  2. Each threat-led penetration test shall cover several or all critical or important functions of a financial entity, and shall be performed on live production systems supporting such functions.
    Financial entities shall identify all relevant underlying ICT systems, processes and technologies supporting critical or important functions and ICT services, including those supporting the critical or important functions which have been outsourced or contracted to ICT third-party service providers.
    Financial entities shall assess which critical or important functions need to be covered by the TLPT. The result of this assessment shall determine the precise scope of TLPT and shall be validated by the competent authorities.
  3. Where ICT third-party service providers are included in the scope of TLPT, the financial entity shall take the necessary measures and safeguards to ensure the participation of such ICT third-party service providers in the TLPT and shall retain at all times full responsibility for ensuring compliance with this Regulation.
  4. Without prejudice to paragraph 2, first and second subparagraphs, where the participation of an ICT third-party service provider in the TLPT, referred to in paragraph 3, is reasonably expected to have an adverse impact on the quality or security of services delivered by the ICT third-party service provider to customers that are entities falling outside the scope of this Regulation, or on the confidentiality of the data related to such services, the financial entity and the ICT third-party service provider may agree in writing that the ICT third-party service provider directly enters into contractual arrangements with an external tester, for the purpose of conducting, under the direction of one designated financial entity, a pooled TLPT involving several financial entities (pooled testing) to which the ICT third-party service provider provides ICT services. That pooled testing shall cover the relevant range of ICT services supporting critical or important functions contracted to the respective ICT third-party service provider by the financial entities. The pooled testing shall be considered TLPT carried out by the financial entities participating in the pooled testing.
  5. Financial entities shall, with the cooperation of ICT third-party service providers and other parties involved, including the testers but excluding the competent authorities, apply effective risk management controls to mitigate the risks of any potential impact on data, damage to assets, and disruption to critical or important functions, services or operations at the financial entity itself, its counterparts or to the financial sector.
  6. At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers shall provide to the authority, designated in accordance with paragraph 9 or 10, a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT has been conducted in accordance with the requirements.
  7. Authorities shall provide financial entities with an attestation confirming that the test was performed in accordance with the requirements as evidenced in the documentation in order to allow for mutual recognition of threat-led penetration tests between competent authorities. The financial entity shall notify the relevant competent authority of the attestation, the summary of the relevant findings and the remediation plans. Without prejudice to such attestation, financial entities shall remain at all times fully responsible for the impact of the tests referred to in paragraph 4.
  8. Financial entities shall contract testers for the purposes of undertaking TLPT in accordance with Article 27. When financial entities use internal testers for the purposes of undertaking TLPT, they shall contract external testers every three tests. Credit institutions that are classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall only use external testers in accordance with Article 27(1), points (a) to (e).
    Competent authorities shall identify financial entities that are required to perform TLPT taking into account the criteria set out in Article 4(2), based on an assessment of the following:
    (a) impact-related factors, in particular the extent to which the services provided and activities undertaken by the financial entity impact the financial sector;
    (b) possible financial stability concerns, including the systemic character of the financial entity at Union or national level, as applicable;
    (c) specific ICT risk profile, level of ICT maturity of the financial entity or technology features involved.
  9. Member States may designate a single public authority in the financial sector to be responsible for TLPT-related matters in the financial sector at national level and shall entrust it with all competences and tasks to that effect.
  10. In the absence of a designation in accordance with paragraph 9 of this Article, and without prejudice to the power to identify the financial entities that are required to perform TLPT, a competent authority may delegate the exercise of some or all of the tasks referred to in this Article and Article 27 to another national authority in the financial sector.
  11. The ESAs (European Supervisory Authorities: EBA, EIOPA and ESMA) shall, in agreement with the ECB, develop joint draft regulatory technical standards in accordance with the TIBER-EU framework in order to specify further:
    (a) the criteria used for the purpose of the application of paragraph 8, second subparagraph;
    (b) the requirements and standards governing the use of internal testers;
    (c) the requirements in relation to:
      (i) the scope of TLPT referred to in paragraph 2;
      (ii) the testing methodology and approach to be followed for each specific phase of the testing process;
      (iii) the results, closure and remediation stages of the testing;
    (d) the type of supervisory and other relevant cooperation which are needed for the implementation of TLPT, and for the facilitation of mutual recognition of that testing, in the context of financial entities that operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.
    When developing those draft regulatory technical standards, the ESAs shall give due consideration to any specific feature arising from the distinct nature of activities across different financial services sectors.
    The ESAs shall submit those draft regulatory technical standards to the Commission by 17 July 2024.
    Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Requirements for testers for the carrying out of TLPT (Article 27)

  1. Financial entities shall only use testers for the carrying out of TLPT, that:
    (a) are of the highest suitability and reputability;
    (b) possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
    (c) are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
    (d) provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
    (e) are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
  2. When using internal testers, financial entities shall ensure that, in addition to the requirements in paragraph 1, the following conditions are met:
    (a) such use has been approved by the relevant competent authority or by the single public authority designated in accordance with Article 26(9) and (10);
    (b) the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and
    (c) the threat intelligence provider is external to the financial entity.
  3. Financial entities shall ensure that contracts concluded with external testers require a sound management of the TLPT results and that any data processing thereof, including any generation, store, aggregation, draft, report, communication or destruction, do not create risks to the financial entity.

Managing of ICT third-party risk (Chapter V)

TLDR : This chapter emphasizes the importance of clearly defining rights and obligations between financial entities and ICT third-party service providers through written contracts. Key elements include detailed descriptions of services, locations of service provision and data processing, data protection provisions, assistance during ICT incidents, cooperation with authorities, termination rights, and participation in security awareness programs and resilience training. Contracts involving critical or important functions additionally require provisions for ICT third-party involvement in threat-led penetration testing (TLPT). These measures aim to ensure transparency, accountability, and effective management of ICT third-party risks.

Key contractual provisions (Article 30)

  1. The rights and obligations of the financial entity and of the ICT third-party service provider shall be clearly allocated and set out in writing. The full contract shall include the service level agreements and be documented in one written document which shall be available to the parties on paper, or in a document with another downloadable, durable and accessible format.
  2. The contractual arrangements on the use of ICT services shall include at least the following elements:
    (a) a clear and complete description of all functions and ICT services to be provided by the ICT third-party service provider, indicating whether subcontracting of an ICT service supporting a critical or important function, or material parts thereof, is permitted and, when that is the case, the conditions applying to such subcontracting;
    (b) the locations, namely the regions or countries, where the contracted or subcontracted functions and ICT services are to be provided and where data is to be processed, including the storage location, and the requirement for the ICT third-party service provider to notify the financial entity in advance if it envisages changing such locations;
    (c) provisions on availability, authenticity, integrity and confidentiality in relation to the protection of data, including personal data;
    […]
    (f) the obligation of the ICT third-party service provider to provide assistance to the financial entity at no additional cost, or at a cost that is determined ex-ante, when an ICT incident that is related to the ICT service provided to the financial entity occurs;
    (g) the obligation of the ICT third-party service provider to fully cooperate with the competent authorities and the resolution authorities of the financial entity, including persons appointed by them;
    (h) termination rights and related minimum notice periods for the termination of the contractual arrangements, in accordance with the expectations of competent authorities and resolution authorities;
    (i) the conditions for the participation of ICT third-party service providers in the financial entities’ ICT security awareness programmes and digital operational resilience training in accordance with Article 13(6).
  3. The contractual arrangements on the use of ICT services supporting critical or important functions shall include, in addition to the elements referred to in paragraph 2, at least the following:
    […]
    (d) the obligation of the ICT third-party service provider to participate and fully cooperate in the financial entity’s TLPT as referred to in Articles 26 and 27;

Understanding Cybersecurity Across Borders: The UK’s PSTIA 2024

As we examine the intricate requirements of the DORA legislation and its impact on European financial entities, it’s important to also consider similar cybersecurity initiatives outside the EU. The Product Security and Telecommunications Infrastructure Act (PSTIA) 2024 sets a new standard for cybersecurity in the UK, introducing rigorous mandates for connectable product manufacturers. To gain a comprehensive understanding of how these UK regulations compare and what they entail for businesses operating internationally, read our in-depth analysis of PSTIA 2024.

References

https://eur-lex.europa.eu/eli/reg/2022/2554/oj – The DORA regulation as published on EUR-Lex, the official website for European Union law and other public documents of the EU, available in the 24 official languages of the EU.
