Chapter IV: Digital Operational Resilience Testing (Articles 24-27)
How DORAedge enables compliance with DORA
Financial entities, other than microenterprises, must establish, maintain, and review a comprehensive digital operational resilience testing program as part of their ICT risk-management framework to identify weaknesses, deficiencies, and gaps, and to implement corrective measures promptly.
How DORAedge Assists:
Provides tools for creating and maintaining a comprehensive testing program, including obtaining certifications in a timely manner and reducing the effort required for internal audits.
DORAedge does not carry out audits or penetration tests itself, but maintains a catalogue of partner providers that can assist.
The testing program must include a range of assessments, tests, methodologies, practices, and tools, as outlined in Articles 25 and 26.
Entities must follow a risk-based approach when conducting tests, taking into account specific risks, criticality of information assets, and evolving ICT threats.
Tests must be conducted by independent parties, either internal or external, with sufficient resources, and conflicts of interest must be avoided.
How DORAedge Assists:
Tracks independent testers and ensures proper segregation of duties.
Provides audit logs to verify that no conflicts of interest arise during the testing process.
Entities must establish procedures and policies to prioritize, classify, and remedy issues revealed by testing, and validate that weaknesses are addressed.
How DORAedge Assists:
Provides issue tracking and prioritization tools for managing findings from tests.
Financial entities must ensure that all ICT systems and applications supporting critical or important functions are tested at least annually.
How DORAedge Assists:
Automates the scheduling and execution of annual tests across critical systems.
The digital operational resilience testing program must include a variety of tests such as vulnerability assessments, network security assessments, source code reviews, scenario-based tests, and penetration testing.
How DORAedge Assists:
Offers automated tools for conducting vulnerability scans, network security assessments, and other tests.
Supports scenario-based testing and penetration testing using integrated platforms.
Ensures consistent and comprehensive testing across ICT systems and tools.
Central securities depositories and central counterparties must conduct vulnerability assessments before deploying or redeploying applications or ICT services that support critical functions.
How DORAedge Assists:
Facilitates pre-deployment assessments and tracks changes in applications and services.
Automates vulnerability assessments to detect issues before deployment.
Provides reporting tools to ensure readiness of applications and services for deployment.
Microenterprises must perform ICT testing by balancing resource allocation with the urgency, type of risk, and criticality of information assets.
How DORAedge Assists:
Supports resource-optimized testing strategies tailored for microenterprises.
Allows flexibility in balancing resource constraints with critical testing needs.
Provides simplified tools and templates to assist microenterprises in conducting necessary tests.
Financial entities must conduct threat-led penetration testing (TLPT) at least every three years, covering critical functions and live production systems, with the frequency adjusted by the competent authority based on the entity's risk profile.
How DORAedge Assists:
Facilitates scheduling and execution of TLPT within the three-year period.
Provides tools for assessing risk profiles to determine the need for more frequent testing.
Supports real-time testing on live systems without compromising service availability.
TLPT must cover critical functions and ICT systems, including those outsourced to third-party providers.
How DORAedge Assists:
Assists in identifying and documenting critical systems and outsourced functions.
Tracks third-party involvement and ensures their participation in TLPT.
Helps validate testing scope and ensures regulatory compliance for critical functions.
Financial entities must ensure third-party ICT service providers participate in TLPT and remain responsible for regulatory compliance.
How DORAedge Assists:
Manages third-party provider participation and tracks their involvement in TLPT.
Provides templates for third-party contracts and ensures compliance with regulatory requirements.
Automates oversight of third-party services during testing.
If third-party providers cannot participate directly in TLPT without impacting their services, entities may use pooled testing involving multiple financial entities.
How DORAedge Assists:
Supports pooled testing by coordinating multiple entities and third-party providers.
Tracks pooled testing activities and ensures documentation aligns with regulatory standards.
Facilitates communication and reporting between all participants.
Financial entities must apply effective risk management controls during TLPT to mitigate impacts on data, assets, and services.
How DORAedge Assists:
Monitors potential risks to data and assets during TLPT.
Implements risk management controls to minimize disruptions during testing.
Tracks remediation efforts and ensures systems are fully operational post-testing.
After testing, entities must submit a summary of findings, remediation plans, and documentation to the competent authority.
How DORAedge Assists:
Automatically generates reports based on TLPT findings.
Tracks remediation plans and provides ongoing status updates to the competent authority.
Stores all testing documentation for easy retrieval during audits.
Competent authorities must provide an attestation confirming that TLPT was conducted according to requirements, enabling mutual recognition across authorities.
How DORAedge Assists:
Manages documentation for obtaining attestation from the competent authority.
Tracks the submission and approval of TLPT reports and findings.
Provides templates and workflows to facilitate the mutual recognition process.
Entities must contract external testers for every three TLPT cycles or for significant institutions, ensuring external expertise is engaged.
How DORAedge Assists:
Tracks testing cycles to ensure compliance with external testing requirements.
Provides a database of certified external testers and manages contracts with them.
Automates the onboarding process for external testers and ensures they meet regulatory criteria.
Member States may designate a single public authority to handle TLPT matters, or delegate tasks to another authority.
How DORAedge Assists:
Facilitates communication and coordination with national competent authorities.
Manages the delegation of TLPT tasks and tracks authority involvement.
Provides reporting templates to ensure compliance with national-level requirements.
Testers performing TLPT must be reputable, technically capable, certified, and covered by professional indemnity insurance.
How DORAedge Assists:
Maintains a database of qualified and certified TLPT testers.
Tracks professional indemnity insurance coverage and verifies tester credentials.
Ensures testers adhere to ethical frameworks and best practices.
Internal testers may be used under specific conditions, including approval from the competent authority and external threat intelligence involvement.
How DORAedge Assists:
Tracks internal testing approval from competent authorities.
Ensures external threat intelligence providers are engaged for internal testing scenarios.
Monitors conflicts of interest during internal testing and ensures compliance with regulations.
Contracts with external testers must ensure sound management of TLPT results, including proper data handling and storage.
How DORAedge Assists:
Manages contracts with external testers to ensure compliance with data handling policies.
Tracks the generation, storage, and destruction of test data.
Provides audit logs and assurances to minimize business risks during TLPT.
Tests the contents of policies to verify whether this requirement is included in them.