Source: OJ L 333, 27.12.2022, p. 1–79
Article 27 Requirements for testers for the carrying out of TLPT
Summary
What does Article 27 of the DORA regulation say?
This article directly supports Article 26, which establishes the requirement for threat-led penetration testing (TLPT).
Here, the focus shifts to the qualification standards that testers must meet in order to carry out TLPT on behalf of financial entities.
It sets out a baseline of criteria for all testers, adds further conditions specific to the use of internal testers, and places obligations on financial entities regarding how TLPT results are handled by external testers.
Important points:
- Only use testers for TLPT who meet specific standards of suitability, expertise, certification, independent assurance, and professional indemnity insurance coverage.
- When using internal testers, obtain approval from the relevant competent authority, and ensure the threat intelligence provider is external to the financial entity.
- Ensure that contracts with external testers require sound management of TLPT results, so that all data processing related to those results does not create risks to the financial entity.
Springlex's summary of the article is a reading aid, not a substitute for the legal text.
1. Financial entities shall only use testers for the carrying out of TLPT, that:
(a) are of the highest suitability and reputability;
(b) possess technical and organisational capabilities and demonstrate specific expertise in threat intelligence, penetration testing and red team testing;
(c) are certified by an accreditation body in a Member State or adhere to formal codes of conduct or ethical frameworks;
(d) provide an independent assurance, or an audit report, in relation to the sound management of risks associated with the carrying out of TLPT, including the due protection of the financial entity’s confidential information and redress for the business risks of the financial entity;
(e) are duly and fully covered by relevant professional indemnity insurances, including against risks of misconduct and negligence.
2. When using internal testers, financial entities shall ensure that, in addition to the requirements in paragraph 1, the following conditions are met:
(a) such use has been approved by the relevant competent authority or by the single public authority designated in accordance with Article 26(9) and (10);
(b) the relevant competent authority has verified that the financial entity has sufficient dedicated resources and ensured that conflicts of interest are avoided throughout the design and execution phases of the test; and
(c) the threat intelligence provider is external to the financial entity.
3. Financial entities shall ensure that contracts concluded with external testers require a sound management of the TLPT results and that any data processing thereof, including any generation, store, aggregation, draft, report, communication or destruction, do not create risks to the financial entity.
Relevant recitals
Recital 25 Inconsistent digital operational resilience testing requirements
Digital operational resilience testing requirements have been developed in certain financial subsectors setting out frameworks that are not always fully aligned. This leads to a potential duplication of costs for cross-border financial entities and makes the mutual recognition of the results of digital operational resilience testing complex which, in turn, can fragment the internal market.
Recital 44 Costs of advanced digital resilience testing
As only those financial entities identified for the purposes of the advanced digital resilience testing should be required to conduct threat-led penetration tests, the administrative processes and financial costs entailed in the performance of such tests should be borne by a small percentage of financial entities.
Recital 57 Harmonised TLPT requirements for cross-border financial entities
Financial entities involved in cross-border activities and exercising the freedoms of establishment, or of provision of services within the Union, should comply with a single set of advanced testing requirements (i.e. TLPT) in their home Member State, which should include the ICT infrastructures in all jurisdictions where the cross-border financial group operates within the Union, thus allowing such cross-border financial groups to incur related ICT testing costs in one jurisdiction only.
Recital 61 Internal and external testers for TLPT
In order to take advantage of internal resources available at corporate level, this Regulation should allow the use of internal testers for the purposes of carrying out TLPT, provided there is supervisory approval, no conflicts of interest, and periodical alternation of the use of internal and external testers (every three tests), while also requiring the provider of the threat intelligence in the TLPT to always be external to the financial entity. The responsibility for conducting TLPT should remain fully with the financial entity. Attestations provided by authorities should be solely for the purpose of mutual recognition and should not preclude any follow-up action needed to address the ICT risk to which the financial entity is exposed, nor should they be seen as a supervisory endorsement of a financial entity’s ICT risk management and mitigation capabilities.
This text is meant purely as a documentation tool and has no legal effect. No liability is assumed for its content. The authentic version of this act is the one published in the Official Journal of the European Union.
Related definitions: ICT risk; ICT third-party service provider; network and information system; cyber threat; threat intelligence; cyber-attack; group; public authority; digital operational resilience; ICT services; ICT-related incident.