Source: OJ L 333, 27.12.2022, p. 1–79Current language: EN
- Digital operational resilience in the financial sector
Basic legislative acts
- DORA regulation
Article 24 General requirements for the performance of digital operational resilience testing
Summary What does Article 24 of the DORA regulation say?
This article introduces the requirement for financial entities to establish, maintain and review a digital operational resilience testing programme, embedding it as an integral part of the ICT risk management framework set out in Article 6.
The purpose is to assess incident readiness, identify gaps in resilience, and implement corrective measures.
The article sets out the general framework for this testing obligation, while pointing to Articles 25 and 26 for the specific tests and methodologies that must be applied.
Notably, microenterprises are carved out from most of the obligations in this article, meaning the detailed requirements around independence, remediation procedures, and minimum testing frequency apply only to larger financial entities.
Important points:
- Establish, maintain and review a digital operational resilience testing programme as part of your ICT risk management framework.
- Tests must be carried out by independent parties, and where internal testers are used, sufficient resources must be dedicated and conflicts of interest must be avoided throughout design and execution.
- Conduct appropriate tests on all ICT systems and applications supporting critical or important functions at least once a year.
Springlex's summary of the article, a reading aid, not a substitute for the legal text.
For the purpose of assessing preparedness for handling ICT-related incidents, of identifying weaknesses, deficiencies and gaps in digital operational resilience, and of promptly implementing corrective measures, financial entities, other than microenterprises, shall, taking into account the criteria set out in Article 4(2), establish, maintain and review a sound and comprehensive digital operational resilience testing programme as an integral part of the ICT risk-management framework referred to in Article 6.
The digital operational resilience testing programme shall include a range of assessments, tests, methodologies, practices and tools to be applied in accordance with Articles 25 and 26.
When conducting the digital operational resilience testing programme referred to in paragraph 1 of this Article, financial entities, other than microenterprises, shall follow a risk-based approach taking into account the criteria set out in Article 4(2) duly considering the evolving landscape of ICT risk, any specific risks to which the financial entity concerned is or might be exposed, the criticality of information assets and of services provided, as well as any other factor the financial entity deems appropriate.
Financial entities, other than microenterprises, shall ensure that tests are undertaken by independent parties, whether internal or external. Where tests are undertaken by an internal tester, financial entities shall dedicate sufficient resources and ensure that conflicts of interest are avoided throughout the design and execution phases of the test.
Financial entities, other than microenterprises, shall establish procedures and policies to prioritise, classify and remedy all issues revealed throughout the performance of the tests and shall establish internal validation methodologies to ascertain that all identified weaknesses, deficiencies or gaps are fully addressed.
Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.
Relevant recitals
Recital 25 Inconsistent digital operational resilience testing requirements
Digital operational resilience testing requirements have been developed in certain financial subsectors setting out frameworks that are not always fully aligned. This leads to a potential duplication of costs for cross-border financial entities and makes the mutual recognition of the results of digital operational resilience testing complex which, in turn, can fragment the internal market.
Recital 56 Regular security testing of ICT systems and staff
In order to achieve a high level of digital operational resilience, and in line with both the relevant international standards (e.g. the G7 Fundamental Elements for Threat-Led Penetration Testing) and with the frameworks applied in the Union, such as the TIBER-EU, financial entities should regularly test their ICT systems and staff having ICT-related responsibilities with regard to the effectiveness of their preventive, detection, response and recovery capabilities, to uncover and address potential ICT vulnerabilities. To reflect differences that exist across, and within, the various financial subsectors as regards financial entities’ level of cybersecurity preparedness, testing should include a wide variety of tools and actions, ranging from the assessment of basic requirements (e.g. vulnerability assessments and scans, open source analyses, network security assessments, gap analyses, physical security reviews, questionnaires and scanning software solutions, source code reviews where feasible, scenario-based tests, compatibility testing, performance testing or end-to-end testing) to more advanced testing by means of TLPT. Such advanced testing should be required only of financial entities that are mature enough from an ICT perspective to reasonably carry it out. The digital operational resilience testing required by this Regulation should thus be more demanding for those financial entities meeting the criteria set out in this Regulation (for example, large, systemic and ICT-mature credit institutions, stock exchanges, central securities depositories and central counterparties) than for other financial entities. At the same time, the digital operational resilience testing by means of TLPT should be more relevant for financial entities operating in core financial services subsectors and playing a systemic role (for example, payments, banking, and clearing and settlement), and less relevant for other subsectors (for example, asset managers and credit rating agencies).
Springlex and this text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Definition
credit rating agency
Definition
central counterparty
Definition
ICT risk
Definition
ICT third-party service provider
Definition
trading venue
Definition
network and information system
Definition
trade repository
Definition
microenterprise
Definition
information asset
Definition
vulnerability
Definition
credit institution
Definition
digital operational resilience
Definition
ICT services
Definition
ICT-related incident
Definition
critical or important function
Definition
central securities depository