 |
Digital Operational Resilience Act (DORA) will apply to over 22,000 financial entities and ICT service providers operating within the EU. It is a regulatory framework proposed by the European Commission as part of the broader European Digital Finance Strategy. DORA deadline is officially January 17, 2025, and failure to meet the compliance deadline will result in substantial penalties, i.e., up to one percent of the average daily worldwide turnover in the preceding fiscal year, which can be levied daily.
It aims to consolidate and upgrade ICT (Information and Communication Technology) security and governance across the entire financial sector within the European Union (EU). DORA seeks to enhance the digital operational resilience of financial entities, ensuring that they can withstand, respond to, repair, and recover from ICT-related disruptions and threats.
Why is the Digital Operational Resilience Act (DORA) Needed?
The Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is formulated to address a crucial gap in EU financial regulations. Generally, before DORA, financial organizations mainly used capital to manage operational risks, overlooking aspects of operational resilience. On the other hand, DORA directly focuses on ICT risks, setting standards for managing them, reporting incidents, testing operational resilience, and monitoring risks from third-party ICT services. DORA recognizes that ICT problems and a lack of operational resilience can hinder a financial system’s stability. This issue will exist even if there is enough capital to cover their traditional risks.
The proposal of DORA reflects the increasing digitization of financial services and the corresponding rise in cyber threats and ICT-related incidents. With the strong digital operational resilience of the financial sector, DORA brings stability and integrity to the financial system, protects consumers, and promotes trust in the digital economy.
Key Objectives of DORA
-
Strengthening ICT Risk Management: DORA requires financial entities to identify, classify, and actively mitigate ICT risks. This means having robust risk management frameworks that are capable of addressing potential vulnerabilities and threats to their ICT systems.
Example: A bank implements an ICT risk management framework that includes regular risk assessments and adopting secure development practices for its digital banking platforms. It establishes a dedicated cybersecurity team responsible for monitoring and addressing ICT risks.
-
Improving Incident Reporting: Financial entities should have timely reporting of major ICT-related incidents to competent authorities. These mechanisms enhance the sector’s ability to respond to and recover from such incidents.
Example: An investment firm develops a standardized incident reporting system that quickly identifies and categorizes ICT-related incidents based on their severity. The system is designed to automatically notify the relevant regulatory authorities within 24 hours of detecting a significant incident. Such systems align with DORA’s requirements.
-
Using Digital Operational Resilience Testing: DORA requires that financial institutions conduct regular and rigorous testing of their ICT systems. They should use vulnerability assessments, penetration testing, and threat-led penetration testing to ensure their systems are resilient against cyberattacks.
Example: An insurance company conducts annual penetration tests and bi-annual threat-led penetration testing exercises to identify vulnerabilities in its ICT systems and applications. The results of these tests are used to strengthen the company’s defenses against potential cyberattacks.
-
Managing Third-Party Risks: With increasing reliance on third-party ICT service providers, DORA requires financial entities to carefully manage and monitor the ICT-related risks arising from such relationships. This includes stringent audit rights over third-party providers, especially critical ones.
Example: A payment services provider evaluates and selects third-party ICT service providers based on a thorough assessment of their cybersecurity practices and resilience capabilities. Contracts with these providers include specific requirements for adherence to cybersecurity standards and regular audits. In case of any incident, immediate incident reporting should be in place to ensure alignment with DORA’s objectives.
-
Harmonizing ICT Regulations Across the EU: DORA aims to eliminate inconsistencies across EU member states regarding handling ICT risks in the financial sector through a unified set of rules. This harmonization facilitates a coordinated response to ICT risks and enhances the overall resilience of the EU’s financial system.
Example: After the implementation of DORA, a fintech startup operating in multiple EU countries adopts a unified approach to ICT risk management and compliance reporting. This approach ensures that the startup meets DORA’s digital operational resilience standards across all EU jurisdictions in which it operates. This facilitates smoother cross-border operations and regulatory compliance.
Entities Covered Under DORA
This regulation applies to the following financial entities:
- Credit institutions
- Payment institutions
- Electronic money institutions
- Investment firms
- Crypto-asset service providers, issuers of crypto-assets/ asset-referenced tokens/ significant asset-referenced tokens
- Central securities depositories/ counterparties
- Trading venues/ repositories
- Managers of alternative investment funds
- Management companies
- Data reporting service providers
- Insurance and reinsurance undertakings
- Insurance intermediaries, reinsurance intermediaries, and ancillary insurance intermediaries
- Institutions for occupational retirement pensions
- Credit rating agencies
- Statutory auditors and audit firms
- Administrators of critical benchmarks
- Crowdfunding service providers
- Securitization repositories
- ICT third-party service providers
Steps to Achieve DORA Compliance
DORA ensures that all participants in the financial system have the necessary safeguards to mitigate cyber-attacks and other risks. Here is a general guide on how to achieve compliance:
1. Understand the Requirements
- Scope and Applicability: Evaluate if your organization falls under the scope of DORA. It applies to various entities within the financial sector, including credit institutions, investment firms, insurance companies, etc.
- Key Requirements: Familiarize yourself with the key requirements of DORA, which include ICT risk management, incident reporting, digital operational resilience testing, and managing third-party risks.
2. Assess Current Capabilities
- Risk Management: Assess your current ICT (Information and Communication Technology) risk management practices. DORA requires entities to identify, document, and manage ICT risks.
- Incident Reporting: Review your current incident reporting mechanisms. DORA mandates timely reporting of major ICT-related incidents to relevant authorities.
- Resilience Testing: Evaluate your current resilience testing practices. DORA requires regular advanced testing of ICT systems to ensure resilience.
3. Develop and Implement an Action Plan
- Risk Management Framework: Develop or enhance your ICT risk management framework to comply with DORA’s requirements. This includes risk identification, protection, detection, response, and recovery measures.
- Incident Response Plan: Formulate or update an incident response plan that includes procedures for quickly identifying and mitigating the impact of ICT-related incidents.
- Resilience Testing Program: Create a resilience testing program that includes scenario-based, penetration, and potentially threat-led penetration testing.
4. Manage Third-Party Risks
- Third-Party Risk Assessment: Conduct thorough risk assessments of third-party service providers, especially those providing critical ICT services.
- Contracts and Agreements: Ensure that contracts with third-party providers comply with DORA’s requirements on ICT risk management and incident reporting.
5. Training and Awareness
- Staff Training: Conduct regular training and awareness programs for staff on ICT risk management, incident reporting, and response procedures.
- Board and Senior Management: Ensure that the board of directors and senior management are informed about DORA’s requirements. They should be involved in overseeing the implementation of compliance measures.
6. Continuous Monitoring and Improvement
- Monitoring and Reporting: Implement mechanisms for continuous monitoring of ICT risks and reporting of incidents as required by DORA.
- Review and Update: Regularly review and update your ICT risk management practices, resilience testing program, and third-party risk management strategies to maintain ongoing compliance with DORA.
7. Liaise with Regulatory Authorities
- Engagement: Engage with relevant regulatory authorities to understand their specific expectations and requirements under DORA.
- Compliance Reporting: Prepare for and comply with any regulatory reporting requirements related to DORA compliance.
DORA Compliance and Role of Testing
DORA Article 25, Testing of ICT Tools and Systems, mentions the below testing types that should be carried out:
Vulnerability Assessments and Scans
If you are a financial institution, you should regularly use automated scanning tools to search your banking applications and underlying infrastructure for vulnerabilities. This will help identify and patch security flaws before cybercriminals can exploit customer data and financial transactions. For example, a bank conducts monthly vulnerability assessments and scans on its online banking platform to identify and address potential security weaknesses. This proactive measure prevents attackers from exploiting vulnerabilities to steal customer data or funds.
Tools that support vulnerability assessment include Qualys’s various products; Nessus is another option.
Open Source Analysis
Start-ups and small businesses may rely on open-source technologies to save costs. For example, if you are a tech startup that relies heavily on open-source software to speed up development. Then, use specialized tools to scan your codebase for outdated or vulnerable open-source components. It will ensure that your application remains secure against known vulnerabilities.
An insurance company uses software to analyze the open-source components in its claim processing system. This helps identify any known vulnerabilities or licensing issues in the open-source libraries they rely on. They maintain compliance and reduce the risk of security breaches.
Supportive tools include Black Duck, an open-source software that checks for vulnerabilities and license compliance issues.
Another one is WhiteSource, which can automate open-source component selection, approval, and management, including identifying vulnerable open-source components.
Compatibility Testing
Compatibility testing across different devices, operating systems, and browsers is essential for DORA compliance. This ensures that applications are resilient and deliver a consistent user experience across all supported platforms, which is necessary for operational resilience. For example, an investment management firm tests its client portal across various web browsers and mobile devices. Compatibility testing ensures that all clients, regardless of how they access the portal/application, have a consistent and secure experience.
testRigor is an intelligent tool that performs most testing types and helps you to achieve the required compliance within the deadline. You can perform cross-browser and cross-platform testing with testRigor singlehandedly. Execute test cases on the web, mobile (native, hybrid), desktop, and API using plain English commands.
login as manager navigate to Pending Approvals Dashboard click on table "pending" at row "45" and column "Title" check customer's credit score compare customer's credit score with threshold click on “Conditionally Approved” enter stored value “conditionalApprovalMessage” into “Feedback” click on “Done” navigate to Pending Approvals Dashboard check that table "pending" at row "45" and column "Status" contains "Waiting for documents"
With testRigor, you can automate complex scenarios with simplicity in plain English. Anyone on your team can contribute to test case writing and execution using such simple steps. You can create reusable rules that are like reusable methods that can be used across test cases. In the above example, statements like ‘login as manager‘ or ‘check customer’s credit score‘ are reusable rules.
Performance Testing
A crypto-asset provider should execute performance tests before launching a new asset to ensure that their servers can handle the increased load of users when accessing the app simultaneously. Many testing tools, such as Apache JMeter, LoadRunner, Gatling, etc., are already available.
testRigor’s primary focus is on functional testing, and its automated tests can indirectly support performance testing by identifying performance-related issues that arise during functional tests. For example, a functionality that consistently takes too long to respond may indicate a performance issue.
End-to-end Testing
If you are an online brokerage firm, then you should conduct end-to-end testing of its account opening process, from application through identity verification, funding, and the first trade execution. This detailed testing ensures a seamless and secure experience for new customers.
testRigor specializes in end-to-end testing, ensuring that every aspect of an application, from front-end user interactions to back-end processing and integrations, works as expected. This comprehensive testing approach is vital for verifying the operational resilience of ICT systems as mandated by DORA Article 25. Read here how to perform end-to-end testing with testRigor.
testRigor helps you validate files, audio, 2FA, video, email, SMS, phone calls, mathematical validations/calculations of formulas, APIs, Chrome extensions, and many more complex scenarios. Access testRigor documentation and top testRigor’s features to learn about more valuable capabilities.
Scenario-based Tests
A securities trading platform simulates various market scenarios, including high volatility and trading volume. This ensures the platform remains robust and transactions are processed correctly under stress/volume. Intelligent generative AI-powered tools such as testRigor excel in scenario-based testing using plain English. It allows teams to run complex user scenarios out of the box and mimic real-world use cases in their own language. This capability ensures that ICT systems can handle expected/unexpected user behaviors, thereby contributing to operational resilience.
Network Security Assessments
An application should function as expected in various network conditions. This indirectly supports the resilience of the application to network-related vulnerabilities. For example, a fintech startup regularly performs network security assessments to test whether its infrastructure is secure against external threats. This includes testing for weaknesses in its firewall configurations and intrusion detection systems to safeguard sensitive financial transactions.
Nmap is an open-source tool for network exploration and security auditing. It is helpful in identifying devices running on a network and discovering open ports and the services they are exposing. You can also use Wireshark, a network protocol analyzer that lets you capture and interactively browse the traffic running on a computer network.
Gap Analyses
Identify functional discrepancies and gaps in application behavior and requirements. This contributes to gap analyses by ensuring that all functional requirements are met. Any deviations are promptly addressed to achieve operational resilience.
For example, a financial advisory firm conducts a gap analysis to compare its current cybersecurity practices against the financial industry’s regulatory requirements. The analysis helps identify areas for improvement in data protection and client privacy measures.
Microsoft Secure Score is a measurement of an organization’s security posture. While not exclusively for financial services, it can help in identifying gaps in Microsoft product usage. Another tool is RSA Archer, which provides a framework for managing governance, risk management, and compliance (GRC) strategies, including gap analysis for cybersecurity risks.
Physical Security Reviews
A data center housing critical infrastructure for multiple businesses conducts physical security reviews to assess risks like unauthorized access or damage to hardware. This includes evaluating security camera coverage, access control systems, and environmental controls to protect against fire and flooding. Similarly, a central bank must review the physical security measures at its data centers, which store critical financial data.
Questionnaires and Scanning Software Solutions
Use questionnaires and automated scanning tools to assess the infrastructure’s security posture regularly. This helps to understand the technical and procedural vulnerabilities and guides towards setting up security measures. An example is a credit union that uses questionnaires and automated scanning solutions to assess the security posture of its vendors and third-party service providers. This ensures that all parties handling customer information adhere to stringent security standards.
Qualys Cloud Platform provides compliance monitoring and web application scanning, which can be done based on questionnaire insights. Tenable.io helps with comprehensive vulnerability scanning and can be tailored based on questionnaire responses to focus on specific areas of concern.
Source Code Reviews
Before releasing a new mobile payment app, a mobile payments company conducts thorough source code reviews. This step is crucial for identifying security flaws that could be exploited to compromise payment transactions. For example, if a source code review identifies potential functional issues, testRigor can automate tests designed to verify those issues have been resolved.
Penetration Testing
Penetration testing, or pen testing, is a crucial security practice for financial entities. This helps simulate cyber attacks to identify vulnerabilities in their systems and networks. For example, a large multinational bank conducts an annual penetration test to enhance its cybersecurity posture. The bank’s IT security team outlines a plan to simulate an external attack on their online banking platform and an internal attack simulating a malicious insider. The objectives include identifying vulnerabilities that could be exploited to gain unauthorized access to customer accounts, escalate privileges within the bank’s network, or execute a denial of service (DoS) attack that could take banking services offline.
Tools that support it are Burp Suite, Metaspoilt, OWASP ZAP (Zed Attack Proxy), etc.
Conclusion
“Financial entities, other than microenterprises, shall establish procedures and policies to prioritize, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.” – DORA, Article 24(5)
The purpose is to identify the gaps, show resilience, and recover from these deficiencies. Being tied to a deadline, you need supportive tools that ease your testing process and let you achieve compliance as soon as possible. Use intelligent and practical tools such as testRigor to automate most of the tests in plain English and achieve great test coverage within the DORA compliance deadline.
Frequently Asked Questions (FAQs)
-
What are the other compliances that testRigor supports?
Answer: testRigor is SOC2 and HIPAA compliant and supports FDA 21 CFR Part 11 reporting. You can efficiently perform accessibility testing through testRigor. Read here how to build an ADA-compliant app.
-
What if I do not want to write test cases myself?
Answer: You can use testRigor’s record-and-playback capabilities to let the tool create test cases in plain English based on your actions. Here is the testRigor’s recorder, which you can use to record a test, just like with any similar tool. Otherwise, you can use the generative AI features to generate most test cases automatically. You can also import your manual test cases and tweak them a bit to make them executable by testRigor.
-
What are the popular financial platforms that I can test via testRigor?
Answer: You can test MyBanco, BankPoint, FinancialForce, FinCell, Oracle Financials Cloud, Mifos X, and almost every financial platform using testRigor. Using plain English, it effectively supports testing cross-platform, cross-browser, parallel, web, mobile, desktop, API, database, and many more complex scenarios.
