ActiveBreach

Finding DORA

The Digital Operational Resilience Act (DORA) is a landmark European Union (EU) regulatory framework that applies from 17 January 2025, from which date compliance is mandatory for in-scope financial entities.

DORA emphasises the importance of the resilience of digital assets to maintaining financial stability. It goes beyond the foundations laid by other regulatory frameworks and mandates a unified supervisory approach to firms within the financial markets through Regulatory Technical Standards (RTS).

Under this approach, firms operating in these markets must be in a position to prevent, mitigate and respond to cyber threats. DORA mandates that financial entities adhere to standardised Threat-Led Penetration Testing (TLPT) to ensure they can withstand and respond to cyber threats effectively.

The second batch of policy products was published in mid-July 2024 and contains the final draft standards for Threat-Led Penetration Testing (TLPT).

Why DORA is Needed

DORA addresses the increasing cybersecurity risks in the financial sector due to digitalisation. By setting a common standard for cyber resilience, it aims to protect the stability of the EU financial system, ensure trust in digital services, and promote a unified approach to cybersecurity practices.

The benefit of independent frameworks such as CBEST and TIBER-EU has already been seen; DORA seeks to provide a common standard with a broader remit.

DORA Scope

There are two different testing requirements for entities falling under the scope of DORA. The first, under Article 24, applies to all entities in scope for DORA with the exception of micro-enterprises. These entities must implement a digital operational resilience testing programme within their ICT risk-management framework, which comes with an annual testing requirement.

In addition, financial entities that meet certain criteria under DORA must perform Threat-Led Penetration Testing (TLPT) at least every three years. In short, this is a TIBER-EU exercise with some subtle twists.

The entities in scope for TLPT testing are detailed as:

  • Credit institutions identified as globally systemically important institutions,
  • Payment institutions exceeding EUR 150 billion in total transactions in each of the previous two financial years,
  • Electronic money institutions exceeding EUR 150 billion in total transactions in each of the previous two financial years,
  • Central securities depositories,
  • Central counterparties,
  • Trading venues,
  • Insurance and reinsurance undertakings.

DORA grants supervisory authorities the power to impose significant penalties and corrective measures on entities that fail to comply with the established cybersecurity standards. Penalties could range from fines to restrictions on operations, depending on the severity of non-compliance.

DORA TLPT Testing

As previously mentioned, entities meeting the TLPT criteria under DORA have a mandated TLPT requirement, and the testing must be carried out in accordance with the TIBER-EU framework. DORA does, however, have some subtle differences from TIBER-EU. Firstly, DORA offers greater flexibility by accommodating the use of internal resources within the red team, something that is not permitted under the TIBER-EU framework. Despite this, an ongoing commitment remains: where internal testers are used, an external tester must still be contracted every three tests (Article 26(8)).

In addition, Purple Teaming is a mandatory element within DORA, whereas in TIBER-EU, despite being tremendously beneficial, it remains optional.

How Can MDSec Help?

Navigating the TLPT regulatory landscape can be a minefield for many organisations, and having an experienced and trusted partner is essential to ease this process. Having been involved in many of the TLPT frameworks since their inception, MDSec’s best-in-class red team has many years’ experience delivering TLPT services to financial institutions, including a variety of regulatory tests such as CBEST, STAR-FS, TIBER, iCAST, AASE and more.

Our team can help develop a tailored DORA compliance programme for your organisation, blending Threat Intelligence with Red and Purple Team testing. In addition, we have specialist experience in testing payment systems such as SWIFT, Murex, RTGS, T24, Base24 and more.

To discuss your DORA requirements, please get in touch.

Written by MDSec Research


Copyright 2025 MDSec