With the Digital Operational Resilience Act (DORA), the European Union has introduced a far-reaching regulation that aims to harmonize and strengthen digital resilience in the financial sector across Europe. From 17 January 2025, affected companies must comply with the obligations set out in DORA. The European legislator wants to take account of ongoing digitalization and increasing interconnection, which have significantly increased the use of information and communication technologies (ICT) in the financial sector. DORA aims to counteract the risks posed by cyber threats and operational disruptions. Financial companies and specialized ICT service providers are obliged to take comprehensive measures to strengthen their digital resilience. The affected players include banks, investment firms, payment institutions, cryptocurrency providers and issuers of value-referenced tokens. These companies must thoroughly review their internal processes and procedures and adapt them to the new regulatory requirements before the regulation comes into force. This includes the introduction of robust security precautions, regular risk analyses and the creation of emergency plans in order to be able to react appropriately to cyber-attacks or IT disruptions when an emergency occurs. The implementation of DORA represents a challenge for many companies, as it may require significant adjustments and investments in IT infrastructure and risk management. At the same time, the regulation offers the opportunity to sustainably improve the resilience and security of the entire financial sector. What tests must information and communication technology be subjected to? What do the affected companies need to be prepared for in the future?
Testing ICT Tools and Systems
The fourth chapter of DORA deals with the requirements for testing digital operational resilience. Taking the principle of proportionality into account, a robust and comprehensive digital operational resilience testing program is required in order to assess preparedness for handling ICT-related incidents, to identify weaknesses, deficiencies and gaps in digital operational resilience, and to implement corrective actions promptly. This is an essential part of the ICT risk management framework that the organizations concerned must establish. The content of the tests can vary in terms of type and scope. When making the selection, the size and overall risk profile of the financial company as well as the type, scope and complexity of the financial service must be weighed up, again with proportionality in mind. Appropriate tests can therefore include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security checks, questionnaires and scans of software solutions, source code checks (where feasible), scenario-based tests, compatibility tests, performance tests, end-to-end tests and penetration tests. In principle, the tests for all ICT systems and applications that support critical or important functions must be carried out at least once a year. For micro-enterprises, DORA provides for some simplifications in terms of both the frequency of the tests and their implementation, which are strongly shaped by the principle of proportionality.
Advanced Testing of ICT Tools, Systems and Processes Based on TLPT
Even though the above-mentioned tests required by DORA are already very extensive, DORA provides for even more extensive tests for certain companies. This so-called Threat-Led Penetration Testing (TLPT) must be carried out every three years. TLPT is defined by DORA as a framework that replicates the tactics, techniques and procedures of real attackers who are considered a genuine cyber threat and provides a controlled, tailored, intelligence-led (red team) test of the financial firm’s critical live production systems. The exact details will be specified by the ESAs in agreement with the ECB and in line with the TIBER-EU framework in the form of regulatory technical standards. As a rule, TLPT will only be relevant for financial undertakings supervised by BaFin that have been identified and informed by BaFin in accordance with the requirements of DORA. The criteria for identifying affected entities are: proportionality; impact-related factors, in particular the extent to which the services provided and activities carried out by the financial undertaking have an impact on the financial sector; any financial stability concerns, including the systemic nature of the financial undertaking at Union or national level, as appropriate; and the specific ICT risk profile, ICT maturity of the financial undertaking or relevant technological characteristics. The application of these selection criteria shall also be specified by the ESAs, in agreement with the ECB, in the form of regulatory technical standards in accordance with the TIBER-EU framework.
Attorney Anton Schröder
The lawyer responsible for questions relating to DORA and IT law at our law firm is Attorney Lutz Auffenberg LL.M. (London) with assistance of Attorney Anton Schröder.