In the ever-evolving landscape of digital finance, the need for robust operational resilience has never been more critical. Recognizing this imperative, the European Commission proposed the Digital Operational Resilience Act (DORA) in September 2020 as part of its digital finance package. The resulting regulation, Regulation (EU) 2022/2554, entered into force on January 16, 2023 and applies from January 17, 2025. It is set to reshape the way financial entities manage and mitigate ICT (Information and Communication Technology) risk, including the risk that arises from their ICT third-party service providers.

Understanding DORA

At its core, DORA establishes a single, directly applicable set of rules across the EU for managing ICT risk, including the risk introduced by ICT third-party service providers. The overarching goal is to strengthen the digital operational resilience of the financial sector so that financial services continue to be provided, and to the expected quality, even during disruptions.

Scope of DORA

DORA extends its regulatory reach to a diverse array of financial entities, including but not limited to credit institutions, payment and electronic money institutions, investment firms, insurance and reinsurance undertakings, and investment fund managers. This broad coverage reflects the recognition of the interconnectedness of modern financial systems and the need for a comprehensive approach to risk management.

Defining Digital Operational Resilience

Digital operational resilience, as DORA defines it (Article 3), is the ability of a financial entity to build, assure, and review its operational integrity and reliability. It does so by ensuring, either directly or indirectly through services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to secure the network and information systems it uses, which in turn support the continued provision of financial services, including throughout disruptions.

DORA’s Testing Mandate

DORA’s testing obligation (Chapter IV of the regulation) has two key components: the general Digital Operational Resilience Testing Programme, which every in-scope entity must establish, and advanced Threat-Led Penetration Testing (TLPT), which applies only to entities identified as significant. This article focuses on the former, the Digital Operational Resilience Testing Programme.

Entities Under the Testing Mandate

Entities within the scope of DORA are required to establish, maintain, and regularly review a digital operational resilience testing programme as an integral part of their ICT risk management framework. This covers a diverse range of financial players, including central securities depositories, crypto-asset service providers, central counterparties, credit institutions, and many others. One caveat: DORA relieves microenterprises of the full programme obligation and instead expects them to test on a risk-based, proportionate basis.

Tested Assets and Frequency

DORA requires the testing of the assets on which digital operational resilience depends: the entity’s ICT systems and applications, the services provided by ICT third-party service providers, and the other capabilities that support the provision of financial services. The programme must follow a risk-based approach that takes account of the evolving ICT threat landscape and the criticality of the assets concerned. Frequency is a concrete obligation rather than a matter of discretion: at least once a year, appropriate tests must be carried out on all ICT systems and applications supporting critical or important functions. A practical prerequisite is therefore an inventory that classifies which systems and applications support such functions, since that classification drives the testing cadence.

Recommended Test Types

DORA names the types of tests the programme should draw on (Article 25). These include vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing, end-to-end testing, and penetration testing. Central securities depositories and central counterparties face an additional requirement: a vulnerability assessment before any deployment or redeployment of applications, infrastructure components, and ICT services that support critical or important functions.

In-House vs. Outsourced Testing

An essential aspect of DORA’s testing mandate is tester independence. Tests must be undertaken by independent parties, which may be internal or external. Where an internal tester is used, the entity must dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution of the test; in practice this means the people testing a system should not be the people who built or operate it. External testers are typically brought in where specialised expertise is needed or where an unbiased, comprehensive evaluation cannot be assured in-house.

Navigating the Digital Operational Resilience Testing Program

As financial entities gear up to comply with DORA’s testing requirements, it becomes paramount to develop a strategic and comprehensive approach. Collaboration between internal teams and external specialists may be necessary to design and implement testing programmes that not only fulfil regulatory obligations but also strengthen the overall digital resilience of the entity. Testing is only half of the obligation: DORA also requires procedures and policies to prioritise, classify, and remediate every issue the tests reveal, together with internal validation methods that confirm the identified weaknesses, deficiencies, or gaps have actually been addressed.

In conclusion, DORA heralds a new era of accountability and preparedness in the financial sector. By embracing the Digital Operational Resilience Testing Program, entities can not only meet regulatory standards but also fortify their defenses against an ever-expanding array of digital threats. As the financial landscape continues to digitize, the importance of digital operational resilience cannot be overstated – it is the bedrock upon which the future of financial services will be built.

BSS Unit provides for enterprises “a comprehensive digital operational resilience testing program as a core component of the firm’s ICT risk management framework, which includes a range of assessments, testing, methodologies, tools and an obligation to classify and annually test all ICT systems that are deemed critical;” as well as “plans and frameworks to carry out defined threat-led penetration testing at least every three years. This obligation only applies to specific financial entities that are identified as significant and «cyber mature».”