Offensive Security Under the EU Digital Operational Resilience Act (DORA)


TL;DR: The Digital Operational Resilience Act (DORA) is an EU regulation aimed at enhancing the digital resilience of financial institutions through mandatory cybersecurity measures, including regular penetration testing and stringent ICT risk management practices.

With the compliance deadline set for January 2025, financial entities and their ICT vendors must promptly align their security frameworks with DORA's requirements to mitigate potential risks and ensure operational stability.

The Digital Operational Resilience Act (DORA) regulation is part of the European Union’s (EU) strategy to enhance the overall stability of the EU financial system by ensuring that financial entities are resilient to digital operational disruptions.

DORA introduces a framework for risk management of Information and Communication Technology (ICT), focusing on cybersecurity and operational resilience. Key components of DORA include penetration testing and other offensive security measures aimed at identifying and mitigating vulnerabilities within financial institutions and their ICT providers.

The compliance deadline for DORA is January 17, 2025. With this deadline approaching, we recommend financial services organizations and ICT vendors take steps now to be prepared for DORA.

Applicability and Enforcement

DORA applies to a wide range of financial institutions operating in the EU. [Art. 2] This includes banks, insurance companies, investment firms, crypto-asset service providers, payment service providers, and their third-party ICT vendors, such as cloud and software-as-a-service providers.

Enforcement of DORA is carried out by national-level authorities and three primary European Supervisory Authorities: the European Banking Authority (for the banking sector), the European Securities and Markets Authority (for securities markets), and the European Insurance and Occupational Pensions Authority (overseeing the insurance and pensions sector). [Art. 46]

The authorities have powers to carry out on-site inspections, compel information from regulated entities, require remedial measures, and impose administrative and criminal penalties for DORA violations. [Art. 50-52]

Security Requirements

Among the key components of DORA is its emphasis on offensive security measures, particularly penetration testing. These measures are highlighted in Chapter IV of DORA [Art. 24-27] and are aimed at enhancing the digital resilience of financial entities through rigorous testing and validation of their ICT systems by independent parties. The tests must be conducted yearly for systems and applications supporting critical or important functions. [Art. 24]

  • Testing, Scanning, and Assessments [Art. 25.1]: DORA requires financial institutions to periodically conduct appropriate tests to identify and address security weaknesses before they can be exploited by malicious actors. These can include vulnerability scans, network security assessments, scenario-based tests, and penetration testing.
  • Threat-Led Penetration Testing [Art. 26-27]: Financial entities must conduct advanced threat-led penetration testing (TLPT) at least every three years.
    • TLPT focuses on simulating real-life attack scenarios, mimicking the tactics of actual threat actors, to test the institution's protection, detection, and response capabilities. [Art. 3.17]
    • The tests must cover the entity’s critical or important functions, including live production systems, as well as those outsourced to ICT third-party service providers. Such third parties must participate in the TLPT. [Art. 26.2-4]
    • Financial entities may use internal testers, but must use an external tester for at least one of every three TLPT engagements. Significant credit institutions (as defined) must use only external testers. [Art. 26.8]
    • The precise testing scope and methodologies are still being finalized in accordance with the European Framework for Threat Intelligence-Based Ethical Red Teaming (TIBER-EU). [Art. 26.11]
  • External Penetration Tester Standards [Art. 26.8, 27]: DORA requires use of external TLPT testers to ensure unbiased and comprehensive evaluation of the institution's security posture. External testers must meet stringent criteria, including technical expertise, independence, and professional indemnity insurance.
  • Vulnerability Assessments [Art. 25.2]: Central securities depositories and central counterparties must perform vulnerability assessments before deploying or redeploying ICT systems. This helps ensure that applications and infrastructure components supporting critical functions are secure.
  • Remediation After Testing [Art. 26.5-6]: At the end of testing, the financial entity and other test participants must apply controls to mitigate identified risks.

At a high level, DORA establishes several other important categories of security requirements, including:

  • Risk Management [Art. 6, 16-17, 24, 28]: Entities must have robust ICT risk management frameworks. This includes a resilience strategy, internal governance, and incident response plans.
  • Digital Resilience Safeguards and Testing [Art. 9-10, 24-26]: Entities must regularly test ICT systems to ensure resilience, including penetration testing, continuous monitoring, threat detection, and mitigation of identified deficiencies.
  • Incident Response and Reporting [Art. 11-12, 19]: Entities must establish incident response and business continuity policies and provide timely and accurate reporting of major cybersecurity incidents to relevant authorities, clients, and users.
  • Third-Party Risk Management [Art. 28-30]: Entities must perform due diligence of ICT service providers’ security measures and incorporate mandatory contractual provisions. While all third-party ICT providers are subject to mandatory contract provisions under DORA, providers that support critical or important functions have more prescriptive requirements.

Business Implications

To comply with DORA's security requirements, businesses should undertake several key actions:

  • Preparation for Compliance: Financial institutions should consider conducting gap analyses to identify current weaknesses in their ICT risk management frameworks. This involves a review of existing security measures, aligning them with DORA's requirements, establishing partnerships with qualified external testers, and developing internal capabilities for continuous security assessments.
  • Adapting Security Programs: Organizations must integrate regular TLPT and other security measures into their security programs:
    • External Penetration Testing Services: Engaging accredited external testers to perform TLPT.
    • Training and Awareness: Ensuring staff are trained on cybersecurity best practices and incident response protocols.
    • Incident Reporting: Implementing systems for timely and accurate reporting of cybersecurity incidents.
  • Updating Contracts: Financial institutions subject to DORA should prepare to update their ICT vendor contracts. This may include identifying vendors that provide critical or important functions and preparing a contract addendum with required contractual terms. ICT service providers should also prepare for contract updates with EU financial institutions.

DORA's offensive security requirements are designed to fortify the digital resilience of the EU's financial sector through rigorous testing and proactive security measures. Financial institutions should act swiftly to align their security programs with these requirements, ensuring compliance and safeguarding their operations against evolving cyber threats.

This blog post originally appeared at Venable.com and can be directly accessed here: https://www.venable.com/insights/publications/2024/07/offensive-security-under-the-eu.


About the author, Harley Geiger

Counsel, Venable LLP

Harley Geiger counsels organizations on a wide variety of cybersecurity law and policy matters for Venable LLP. When advising clients on privacy and technology policy and regulations, Harley draws from his years of experience working in-house at a major cybersecurity company during the maturation of the industry. Harley's substantive experience and industry connections position him as a sought-after speaker at events on technology policy and a noted commentator on technology policy and law. He regularly testifies before Congress and government agencies on technology laws and is actively involved in shaping related policies.
