Chapter IV – Digital operational resilience testing (Art. 24-27)
Art. 24 DORA - General requirements for the performance of digital operational resilience testing
Art. 25 DORA - Testing of ICT tools and systems
Art. 26 DORA - Advanced testing of ICT tools, systems and processes based on TLPT
Art. 27 DORA - Requirements for testers for the carrying out of TLPT
- Financial entities shall only use testers for the carrying out of TLPT, that:
- are of the highest suitability and reputability;
- possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
- are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
- provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
- are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
- When using internal testers, financial entities shall ensure that, in addition to the requirements in paragraph 1, the following conditions are met:
- such use has been approved by the relevant competent authority or by the single public authority designated in accordance with Article 26(9) and (10);
- the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and
- the threat intelligence provider is external to the financial entity.
- Financial entities shall ensure that contracts concluded with external testers require a sound management of the TLPT results and that any data processing thereof, including any generation, store, aggregation, draft, report, communication or destruction, do not create risks to the financial entity.
Pooled testing within the meaning of this Regulation – involving the participation of several financial entities in a TLPT and for which an ICT third-party service provider can directly enter into contractual arrangements with an external tester – should be allowed only where the quality or security of services delivered by the ICT third-party service provider to customers that are entities falling outside the scope of this Regulation, or the confidentiality of the data related to such services, are reasonably expected to be adversely impacted. Pooled testing should also be subject to safeguards (direction by one designated financial entity, calibration of the number of participating financial entities) to ensure a rigorous testing exercise for the financial entities involved which meet the objectives of the TLPT pursuant to this Regulation.
In order to take advantage of internal resources available at corporate level, this Regulation should allow the use of internal testers for the purposes of carrying out TLPT, provided there is supervisory approval, no conflicts of interest, and periodical alternation of the use of internal and external testers (every three tests), while also requiring the provider of the threat intelligence in the TLPT to always be external to the financial entity. The responsibility for conducting TLPT should remain fully with the financial entity. Attestations provided by authorities should be solely for the purpose of mutual recognition and should not preclude any follow-up action needed to address the ICT risk to which the financial entity is exposed, nor should they be seen as a supervisory endorsement of a financial entity’s ICT risk management and mitigation capabilities.