Expert Advice on DORA Penetration Testing


If your institution is covered by the Digital Operational Resilience Act (DORA), do you need to perform regular DORA penetration testing?

The short answer is yes. Penetration testing is most likely needed as part of your appropriate testing requirements.

The DORA regulation makes the requirement for testing IT systems very clear. All covered entities must test their systems using what DORA refers to as “appropriate tests” to ensure they are resilient.

Reading this requirement, or the full DORA regulation, you might wonder: what is an “appropriate test”?

Can an entity “get away” with a vulnerability assessment (which is not a pen test), or do you need to do network pen testing or other penetration testing of various IT systems to meet the “appropriate test” requirement?

We asked SECFORCE’s DORA consulting team to give their insights into how someone responsible for compliance at a DORA-impacted institution should approach the testing requirement.

In the rest of this article, we share those insights to help you approach the testing requirement.

Note: Threat-Led Penetration Testing (TLPT), DORA’s advanced red-team exercise, is outside the scope of this article. If you’re interested in TLPT specifically, see our “Threat-Led Penetration Testing Explained” article.


What Is DORA Pen Testing?

DORA pen testing is a type of security testing (identifying vulnerabilities in systems and applications) that an entity covered by DORA can perform to test its systems and business operations.

In a broader sense, the DORA requirement for security testing is to (a) ensure a secure baseline and (b) establish a vulnerability management program. These requirements, in turn, help organisations become more resilient by eradicating exploitable vulnerabilities.

Conducting regular and risk-based testing can demonstrate due diligence in the event of a breach and may reduce the risk of regulatory penalties.

Looking for assistance with DORA penetration testing? Contact us for expert advice.


Who Needs to Do DORA Pen Testing?

Every organisation covered by DORA needs to conduct some form of testing. Testing is mandatory for everyone covered by DORA, regardless of their size or impact.

However, the scope and rigour of testing are risk-based and proportionate. This means that the level and type of testing depend on an entity’s size, complexity, and risk profile.

For small or low-risk institutions, “appropriate tests” may be less extensive than for large ones.

In practice, DORA testing therefore means different things for different entities.

For all DORA-covered entities except microenterprises

Under the DORA law, the basic testing requirement is this:

Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.

Penetration testing is one of several methods organisations can use to fulfil DORA’s requirement for “appropriate testing” of critical ICT systems.

In general, DORA-covered entities can run the following tests to ensure DORA compliance:

All of these are ideally done on a regular basis on all the systems that touch your core operations.

For some financial institutions, this kind of testing will be business as usual. For others, it will be important to conduct a thorough gap analysis between their current cyber resilience practices and the requirements set by DORA.

For DORA microenterprises

Microenterprises, entities with fewer than 10 employees or a revenue of less than €2 million (learn more about who qualifies as a microenterprise), still need to conduct testing under DORA.

However, they do not have to test their systems annually.

Microenterprises have a simplified testing regime compared to other DORA-covered entities.

Microenterprises must run the tests listed in DORA Article 25 (e.g., vulnerability scans, network security reviews, penetration tests, scenario-based tests), but may tailor the frequency, depth, and tooling to balance resources and risk.


The Key to DORA Pen Testing Success

DORA specifically requires covered entities to do annual testing that covers critical or important functions (with the exception of microenterprises).

But how does a DORA-covered entity define what are critical or important functions?

The answer our DORA consultants like to give is that “critical or important functions are, in simple terms, the functions that, if they go down, the business cannot operate.”

So how do you identify which of your functions are “critical or important”?

The best way to figure this out is to conduct a Business Impact Analysis (BIA). This is a structured process that can help you pinpoint critical functions and assess the consequences of their failure.

DORA explicitly requires financial entities to conduct a BIA as part of their resilience planning:

As part of the overall business continuity policy, financial entities shall conduct a business impact analysis (BIA) of their exposures to severe business disruptions.

The BIA should consider the criticality of each business function along with its supporting IT assets and interdependencies, using impact analysis to prioritise which are most important.

The output of the BIA is a list (or tiered catalogue) of critical and important functions, along with the IT resources that underpin them. Those items on the list become the primary scope for DORA penetration testing.

For many DORA-covered entities, partnering with a DORA consultant can simplify the process of inventorying assets and determining which functions are truly critical.


How to Define DORA “Appropriate” Tests for Your Organisation

Once you know what critical systems you have, the next step is figuring out how much to test them.

Under DORA, financial entities (except for microenterprises) must run “appropriate tests” yearly on all ICT systems and applications supporting critical or important business functions.

How do you define “appropriate”?

Our advice is that if a system or project is critical, then a vulnerability scan will likely not be sufficient. It’s in your best interest to actually find vulnerabilities before an attacker does.

Ultimately, this is highly variable depending on the company and situation, but it is also exactly where a consultancy can add significant value.

SECFORCE are experts in helping FSI companies understand exactly what and how to test, saving time and money within your DORA compliance and overall security program.


Get Expert DORA Pen Testing Advice and Support

SECFORCE has extensive experience helping FSI firms build resilience, test their systems, and navigate compliance journeys like the ones they will encounter with DORA.

Contact SECFORCE for expert DORA testing support and unbiased assessment of your needs.
