
DORA – Clarifications after the last set of Technical Standards and Guidelines

DORA is the latest addition to the European Union's financial regulation. By 17 January 2025, financial institutions must comply with the Digital Operational Resilience Act (DORA) by demonstrating full visibility into their operations and into how they ensure resilience. The final Regulatory Technical Standard (RTS) specifying the elements of Threat-Led Penetration Tests was published in July 2024 and explains several aspects that were still unclear.

The Digital Operational Resilience Act (DORA) makes it compulsory across the EU for the financial entities in scope to perform Threat-Led Penetration Testing (TLPT) at a frequency determined by the competent authority. DORA itself sets a baseline of at least every three years, and it is widely expected that this will be the frequency applied in practice.

Threat-Led Penetration Testing (TLPT), as defined in DORA, means a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, and that delivers a controlled, bespoke, intelligence-led (Red Team) test of the financial entity's critical live production systems.

By comparison, under the TIBER-EU framework, Threat Intelligence-based Ethical Red Teaming tests deliver a controlled, bespoke, intelligence-led Red Team test of an entity's critical live production systems. Intelligence-led Red Team tests mimic the tactics, techniques and procedures (TTPs) of real-life threat actors who, on the basis of threat intelligence, are perceived as posing a genuine threat to the entity. Such a test uses a variety of techniques to simulate an attack on the entity's critical functions (CFs) and the systems underlying them (i.e., its people, processes and technologies).

The European Banking Authority noted in the Regulatory Technical Standards published in July 2024 that the mandate established under Article 26(11) of DORA does not fully cover all requirements of the TIBER-EU framework.

Accordingly, the TIBER-EU requirements have been turned into legal requirements only to the extent the mandate allows. The RTS also stipulates that any jurisdiction wishing to continue using its own implementation of the TIBER-EU framework should be able to do so, incorporating any additional DORA TLPT requirements where they exist. The TIBER-EU framework, its supplementary guidance and the various national TIBER-EU implementations should therefore be seen as providing additional guidance to the DORA TLPT requirements, not as replacing the legal requirements set out in DORA (ESMA, 2023).

Only the DORA TLPT requirements are legally binding, and they prevail over the TIBER-EU framework. Although they were drafted in accordance with TIBER-EU, their mandate does not cover the whole of the TIBER-EU framework. Austria, Belgium, Denmark, Finland, France, Germany, Iceland, Ireland, Italy, Luxembourg, the Netherlands, Norway, Portugal, Romania, Spain and Sweden have adopted and implemented the TIBER-EU framework, and at least two other jurisdictions are working on an implementation. In countries that have transposed the TIBER-EU framework into local regulation, those national requirements may also be legally binding.

Consequently, a service provider for DORA TLPT must possess not only exceptional technical expertise but also a thorough understanding of the legal requirements stemming from the national TIBER-EU implementation in each country where the financial institution operates.

For instance, in certain European countries the contract between the service provider and the contracting financial entity must be reviewed by the competent authority, whereas in others this is not required. Some TIBER-EU implementations also permit leg-ups, while others strictly prohibit them. Leg-ups can broadly be categorised as information leg-ups and access leg-ups; an access leg-up may, for instance, consist of granting the testers access to an ICT system or internal network so that the test can continue and focus on the subsequent attack steps when an earlier step could not be completed within the test window.

Another aspect that has prompted extensive discussion is that DORA's concept of "testers" is broader than the "Red Team" of the TIBER-EU framework. DORA allows the use of both internal and external testers. The provision allowing internal testers is justified as a way "to leverage internal resources available at the corporate level." However, given the highly sensitive nature of TLPTs, safeguards are needed both for the testers themselves and for their use by the financial entity. Financial entities may use internal testers for Threat-Led Penetration Testing provided the following criteria are met:

  • the testers are directly employed by the financial entity or by an ICT intragroup service provider of the financial entity;
  • the testers have at least one year of tenure at the financial entity;
  • such use has been approved by the relevant competent authority;
  • the relevant competent authority has verified that the financial entity has sufficient dedicated resources and has ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and
  • the threat intelligence provider is external to the financial entity.

When financial entities use internal testers for TLPT, they must still contract external testers for every third test.

Purple teaming, a collaborative testing activity involving both the Red Team (the attackers or testers) and the Blue Team (the defenders or security team), is strongly encouraged but not mandatory in the original TIBER-EU framework. Under DORA, purple teaming becomes mandatory in the closure phase: no later than ten weeks after the end of the active red team testing phase, the Blue Team and the testers must carry out a replay of the offensive and defensive actions performed during the TLPT. Since the TIBER-EU framework will be updated to align with the DORA requirements, we also expect modifications regarding purple teaming.

How can CybrOps help?

CybrOps brings both practical expertise and extensive experience in conducting this type of testing. We are also well equipped to assist in defining the policies and procedures necessary to ensure compliance with the relevant standards.

We can support you along your entire journey towards compliance with DORA's cyber resilience testing requirements, through the execution of Threat-Led Penetration Testing and Controlled Stress Testing (controlled DDoS). We can assess your current readiness and propose measures to meet the regulatory requirements, tailoring the remediation plan to your specific environment.

The second set of final draft technical standards and guidelines can be accessed below.
