Overview of Digital Operational Resilience Act (DORA) compliance
The Digital Operational Resilience Act (DORA), Regulation (EU) 2022/2554, aims to strengthen the resilience, reliability and continuity of financial services throughout the European Union (EU). DORA was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. A two-year implementation period runs until 17 January 2025, from which date in-scope organisations, including those regulated in Ireland, are expected to be compliant.
As a Regulation, DORA applies directly in every member state without national transposition. It imposes new requirements upon Financial Entities[1] (and, through them, upon the ICT third-party providers of their critical services) to prevent, mitigate and reduce the impact of disruptions to the digital operational services those entities provide. DORA focuses on ICT risk management, incident detection and reporting (including to regulatory authorities), and regular testing and evaluation of resilience capabilities.
The European Supervisory Authorities (ESAs: the EBA, EIOPA and ESMA) are mandated to develop technical standards (Level 2 measures) that apply to all financial entities within the scope of DORA. Regulated firms in Ireland have for some time been following the guidance on outsourcing issued by the Central Bank of Ireland (and the European Central Bank), together with other guidance on operational resilience. Many DORA-specific requirements are therefore already present in the risk framework that applies to Irish regulated financial entities.
Nonetheless, existing processes and practices, such as threat-led penetration testing, resilience testing, governance and control frameworks, risk policies, processes and procedures, and contractual arrangements with ICT service providers, should be reviewed to confirm that they meet the new regulation.
Specifically, financial entities must:
- Establish a programme of security testing (network security testing, penetration testing, web application testing, social engineering and so on), executed at least annually by certified and experienced internal or external testers;
- Conduct advanced Threat-Led Penetration Testing (TLPT) at least once every three years on the ICT systems supporting critical or important functions, again using certified and experienced internal or external testers[2];
- Include ICT third-party providers of critical services within the scope of TLPT;
- Ensure that all identified issues are remediated, and confirm this by re-testing or revalidation;
- Use a threat intelligence provider that is external to the financial entity; and
- On completion of TLPT, provide the competent authority with a summary of findings, remediation plans and documentation demonstrating that the test met DORA's requirements, and obtain the authority's attestation.
In summary
In practice, DORA requires EU financial entities to adopt comprehensive capabilities that enable, test and assure robust and effective Information and Communications Technology (ICT) risk management, together with specific mechanisms and policies for handling all ICT-related incidents and for reporting major ICT-related incidents to the relevant authorities.
Financial entities are also expected to have policies in place to examine ICT systems, controls and processes and to manage ICT third-party risk. These requirements are to be implemented in accordance with the principle of proportionality, taking into account the entity's size and overall risk profile and the nature, scale and complexity of the services it provides.
Relationship with other laws
DORA, the Digital Operational Resilience Act, is legislation designed to improve the cybersecurity and operational resilience of the financial services sector. It complements existing laws such as the Network and Information Security Directive (NISD) and its successor, the NIS2 Directive (Directive (EU) 2022/2555), which member states must transpose into national law by 17 October 2024, as well as the General Data Protection Regulation (GDPR). For financial entities that fall within the scope of both, DORA is the sector-specific act and its ICT risk management and incident reporting requirements apply in place of the corresponding NIS2 obligations.
Digital operational resilience testing
Resilience testing follows a risk-based, proportionate approach that considers the evolving ICT risks to critical information assets and services. DORA sets out the expectation of a comprehensive testing framework, including the procedures and policies needed to prioritise, classify and remedy every issue identified through testing.
DORA expects that all ICT systems and applications supporting critical or important functions are tested at least annually by independent parties, whether internal or external to the financial entity, who have sufficient dedicated resources and are free of conflicts of interest.
Additionally, organisations are expected to establish internal validation methods that "ascertain that all identified weaknesses, deficiencies, or gaps are fully addressed."[3]
Resilience and advanced testing
A testing programme is required that covers a common range of security tests, from vulnerability assessments, network security assessments and physical security reviews through to scenario-based tests and end-to-end penetration testing.
In summary
TLPT uses threat intelligence about the organisation's threat landscape, threat profile and existing mitigations, correlated against reliable sources of threat information, to build realistic attack scenarios. Using that intelligence and knowledge of the organisation as the input to a penetration-testing exercise produces a realistic threat case against which the organisation can demonstrate its ability to sustain business operations and remain resilient while under active attack.
TLPT already exists in another form as the Threat Intelligence-based Ethical Red Teaming (TIBER) framework, published by the European Central Bank in May 2018 as TIBER-EU[4]. The Central Bank of Ireland, as the designated authority for Ireland, has adopted the framework nationally as TIBER-IE[5]. Participation in those frameworks remains voluntary, in direct contrast to the obligations imposed by DORA.
Article 26 of the Regulation sets out the expectations for advanced testing of ICT tools, systems and processes based on TLPT, at a frequency of at least one test every three years. Importantly, the competent authority may, depending on the entity's risk profile and operational circumstances, request that this frequency be reduced or increased.
TLPT must cover "several or all critical or important functions of a financial entity"[6] and must be performed on live production systems. Defining the precise scope of the TLPT is the responsibility of the financial entity, while validating that scope is the responsibility of the competent authority. The scope extends to the ICT third-party providers that support those functions.
Where including an ICT third-party provider in the TLPT could reasonably be expected to have an adverse impact on the quality or security of services the provider delivers to customers outside the scope of DORA, or on the confidentiality of data relating to those services, there is provision for the provider itself to enter into contractual arrangements directly with an external tester.
Such an arrangement, under the direction of one designated financial entity, may cover the services the ICT third-party provider delivers to several financial entities (i.e. a single ICT third-party provider of common services to multiple financial entities). This provision is known as 'pooled testing'. Contracts with ICT third-party providers may need to be updated to include an obligation on the provider to participate in TLPT.
On completion of the TLPT, and once the reports have been agreed, the financial entity and the external testers provide the competent authority with a summary of the relevant findings, the remediation plans and documentation demonstrating that the TLPT was conducted in accordance with DORA's requirements. The competent authority then provides the financial entity with an attestation confirming that the test was performed as required; that attestation supports mutual recognition of the test by other competent authorities.
TLPT is required at least once every three years and may be conducted by internal or external testers; where internal testers are used, external testers must be contracted for every third test. Credit institutions classified as significant (in accordance with Article 6(4) of Regulation (EU) No 1024/2013) must use only external testers, i.e. they have no option of using internal testers for TLPT.
It is the responsibility of the competent authority to identify the financial entities that are required to perform TLPT. Identification takes into account criteria such as impact-related factors, possible financial stability concerns, the entity's specific ICT risk profile and ICT maturity, and the technology features involved.
Requirements for TLPT testers
A contracting financial entity must ensure that testers undertaking TLPT:
- Are certified by an accreditation body in a member state or adhere to formal codes of conduct or ethical frameworks;
- Possess the technical and organisational capabilities, and can demonstrate specific expertise, in threat intelligence, penetration testing and red team testing;
- Are fully covered by relevant professional indemnity insurance, including against the risks of misconduct and negligence;
- Are of the highest suitability and reputability;
- Can provide independent assurance (or an audit report) of the sound management of the risks associated with conducting TLPT, including due protection of the financial entity's confidential information and redress for associated business risks.
Further requirements apply to financial entities that use internal testers:
- The use of internal testers has been approved by the relevant competent authority or the designated single public authority;
- The competent authority has verified that the financial entity has sufficient dedicated resources and that conflicts of interest are avoided throughout the design and execution of the test; and
- The threat intelligence provider is external to the financial entity.
Financial entities are responsible for ensuring that contracts with external testers require sound management of TLPT results, and that any processing, storage, reporting or disclosure of those results does not create risk to the financial entity, whether through uncontrolled dissemination or through non-compliance with the General Data Protection Regulation (GDPR).
What are the common types of cybersecurity testing expected?
Security testing is used across business sectors, commonly as a component of a mature security programme, to identify, assess and report on weaknesses that exist within hardware, software, processes and technologies.
Identifying weaknesses allows organisations to create and implement remediation and mitigation plans that limit risk. By mimicking the Tactics, Techniques and Procedures (TTPs) of real-world threat actors, security testing assesses the organisation's resilience, defences, detection capability and the effectiveness of its existing security controls.
Penetration tests (pen tests) are one type of security testing and differ in approach and depth, ranging from fully automated scan-and-report exercises to complex manual exploit development and multi-phase attacks.
Examples of security testing include:
- Vulnerability assessment and penetration testing: evaluates the effectiveness of security controls using tools to probe for and identify known weaknesses in hardware- or software-based solutions. Because weaknesses and vulnerabilities are constantly evolving, these tests are commonly executed on a schedule so that new or updated weaknesses are routinely identified.
- Network security testing: examines networks from inside (internal) and outside (external). This commonly includes WiFi networks, access points and infrastructure such as firewalls, routers and switches, to identify weaknesses that may allow a real-world threat actor to gain access.
- Web application testing: commonly uses published methods such as the Open Web Application Security Project (OWASP) Top 10 to identify configuration errors, weaknesses, logic flaws and code issues that may allow threat actors to gain access to, manipulate or otherwise control organisational resources.
- Mobile application testing: discovers how applications designed for mobile devices may introduce weaknesses that knowledgeable threat actors could exploit.
- Cloud security testing: considers the organisation's use of and interaction with cloud-based infrastructure, applications and resources to measure security effectiveness.
- Social engineering: includes techniques such as direct phone calls, physical interaction and phishing to gain access to organisational resources.
- Red team (objective-based) testing: goal-driven testing that uses some or all of the above testing types to achieve specific objectives. It is commonly used to measure an organisation's ability to detect and contain a real-world threat.
Consultation papers on the supporting technical standards are due to be issued later in 2023 and will include a framework to support TLPT, with further detail on scope, testing methodologies, the use of internal testers and the requirements for the remediation stages of testing. The final details supporting TLPT are scheduled for publication in July 2024.
To learn more, or discuss opportunities for testing please contact Mike Harris.
Footnotes
[1] Insurance and reinsurance firms, pension funds (IORPs), credit institutions, payment institutions, electronic money institutions, investment firms, crypto-asset service providers, UCITS and AIF fund managers and insurance intermediaries, among others, collectively known as "Financial Entities".
[2] Except credit institutions classified as significant under Article 6(4) of Regulation (EU) No 1024/2013, for which TLPT must be conducted by external testers.
[3] https://data.consilium.europa.eu/doc/document/PE-41-2022-INIT/en/pdf (Section 5, page 146)
[4] https://www.ecb.europa.eu/paym/cyber-resilience/tiber-eu/html/index.en.html
[5] https://www.centralbank.ie/docs/default-source/financial-system/tiber-ie/tiber-ie-national-guide-december-2019.pdf?sfvrsn=dcb0801d_14
[6] https://data.consilium.europa.eu/doc/document/PE-41-2022-INIT/en/pdf (Section 2, page 148)
References
- Dillon Eustace, 2023. DORA to enter into force. [Online] Available at: https://www.dilloneustace.com/legal-updates/dora-to-enter-into-force [Accessed 21 March 2023].
- Grant Thornton Ireland, 2021. DORA (Digital Operational Resilience Act). [Online] Available at: https://www.grantthornton.ie/insights/factsheets/dora-digital-operational-resilience-act/ [Accessed 21 March 2023].
- Berger, P. E. et al. (DLA Piper), 2023. DORA: A harmonized framework to strengthen the digital operational resilience of the EU financial sector. [Online] Available at: https://www.dlapiper.com/en-ca/insights/publications/2023/01/dora-a-harmonized-framework-to-strengthen-the-digital-operational-resilience [Accessed 21 March 2023].
- The European Parliament and the Council of the European Union, 2022. Regulation (EU) 2022/2554 of the European Parliament and of the Council of 14 December 2022 on digital operational resilience for the financial sector and amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014, (EU) No 909/2014 and (EU) 2016/1011. [Online] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554&from=en [Accessed 21 March 2023].
- The European Parliament, 2022. Regulation of the European Parliament and of the Council on digital operational resilience for the financial sector (PE-41-2022-INIT). [Online] Available at: https://data.consilium.europa.eu/doc/document/PE-41-2022-INIT/en/pdf [Accessed 23 March 2023].
- The European Parliament and the Council of the European Union, 2022. Directive (EU) 2022/2555 of the European Parliament and of the Council on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive). [Online] Available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555&from=EN [Accessed 21 March 2023].