Digital resilience testing under DORA for financial and crypto firms
- Admin
- Mar 7
- 2 min read
The Digital Operational Resilience Act (hereinafter referred to as the ‘DORA Regulation’) establishes uniform requirements for the security of the network and information systems that support the business processes of financial institutions and MiCA-authorized CASPs (‘regulated entities’). Chapter IV of DORA is dedicated to digital operational resilience testing.
General requirements for conducting operational resilience tests include:
- Establishment of a testing program: Regulated entities, with the exception of microenterprises, are required to establish, maintain, and review a digital operational resilience testing program. This program must be an integral part of the ICT risk management framework.
- Objective of the testing program: The program aims to assess preparedness for handling ICT-related incidents, identify weaknesses and gaps in operational resilience, and promptly implement corrective measures.
- Scope of tests: The digital operational resilience testing program should include a variety of assessments, tests, methodologies, practices, and tools.
- Risk-based approach: Tests should be carried out using a risk-based approach that takes into account the changing ICT risk landscape, the specific risks for a given regulated entity, the criticality of information assets, and the services provided.
Additionally, certain financial institutions (the entities indicated in Art. 26(1) of the DORA Regulation) are required to carry out advanced ICT testing based on TLPT (threat-led penetration testing):
- TLPT testing obligation: Financial institutions that have been identified as mature in terms of ICT are required to carry out advanced threat-led penetration tests (TLPT) at least once every 3 years.
- Frequency of tests: Depending on the risk profile of the financial entity, the competent authority may request a reduction or increase in the frequency of tests.
- Participation of external ICT providers: If external ICT service providers participate in the TLPT test, the financial entity must ensure their participation and bears full responsibility for compliance with the regulation.