The new provisions of Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014, (EU) No. 909/2014 and (EU) 2016/1011, commonly referred to as “DORA”, impose a number of obligations on all financial market participants, with the aim of ensuring operational resilience in the event of a major disruption related to cyber-security and ICT (information and communications technology).
One of the requirements that will take effect for national payment institutions and small payment institutions, among others, is the establishment of a comprehensive digital operational resilience testing programme. Financial entities are to test all ICT systems and applications at least once a year (this condition does not apply to microenterprises) by means of:
- vulnerability assessments and vulnerability scanning,
- open-source software analyses,
- network security assessments,
- physical security reviews,
- questionnaires and scanning software solutions,
- source code reviews,
- scenario-based tests, compatibility tests, performance tests, end-to-end tests and penetration tests.
Periodic obligation to conduct advanced testing using TLPT (Threat-Led Penetration Testing)
An additional obligation imposed on national payment institutions (excluding small payment institutions), among others, is to conduct advanced threat-led penetration testing at least every 3 years. The scope of the TLPT is defined by the financial entity itself, but is then also subject to approval by the relevant designated authority. Each threat-led penetration test is to cover several critical or important functions of the financial entity and is to be conducted on live production systems supporting those functions. It is important to note that if the scope of the TLPT includes third-party ICT service providers, the financial entity is required to apply the necessary measures and safeguards to ensure the participation of those providers in the TLPT.
Upon completion of the testing and agreement of the reports and remediation plans, the financial entity and the third-party testers engaged to conduct the TLPT shall submit to the designated national authority for the financial sector a summary of the most significant findings, the remediation plans and documentation demonstrating that the TLPT was conducted in accordance with the requirements set out in DORA.
Requirements for testers conducting TLPTs are set forth in Article 27 of the DORA Regulation and in draft regulatory technical standards (RTS) being developed by the ESAs in accordance with the TIBER-EU framework. The aforementioned RTS are to be submitted to the EU Commission by July 17, 2024, and are also intended to clarify, among other things, the requirements for the exact scope of the TLPT, the testing methodology and approach to be used at each specific stage of the testing process, and the testing stages relating to execution, closure and remediation measures.