Digital Operational Resilience Act (DORA) and threat-led penetration testing (TLPT) simplified

What the DORA?

DORA is a new EU regulation (with the resounding name “Regulation (EU) 2022/2554”) targeting financial entities and their ICT (Information and Communication Technology) suppliers. The goal of DORA is to make the financial sector more resilient against disruptions of and attacks on its ICT infrastructure.

DORA builds upon earlier foundations (e.g. TIBER-EU) as well as established cybersecurity frameworks and best practices. In contrast to the voluntary TIBER-EU framework, however, the requirements within DORA are mandatory and have to be implemented by the regulated parties in the coming months and years.

It shall apply from 17 January 2025.

For whom the bell tolls

In short, DORA applies to the following entities (see Art. 2 of the regulation for details):

  • Financial entities such as banks, insurance companies and investment firms
  • Third parties that provide ICT-related services to financial entities

The regulation also lists some very specific exemptions to whom it does not apply.

A good rule of thumb: the exemptions largely track earlier sectoral legislation. If you were excluded under an earlier directive, you most likely are under DORA too. For example, insurance undertakings that were already excluded in Article 4 of Directive 2009/138/EC are also excluded from DORA.

DORA in a nutshell

DORA requires that financial entities establish internal governance and controls to effectively manage ICT risks. It introduces a mandatory ICT risk management framework that is divided into the following subprocesses (akin to The Five Functions of the NIST Cybersecurity Framework):

  • Identification
  • Protection and prevention
  • Detection
  • Response and recovery

It also includes provisions on backup and disaster recovery policies and procedures, as well as requirements to establish an ICT-related incident management process, to perform digital operational resilience testing and to manage ICT third-party risk.

Keep in mind, however, that Article 4, the “Proportionality principle”, applies to all the requirements above: the implementation of these rules should be proportional to the size and overall risk profile of the financial entity and to the nature, scale and complexity of its services.

DORA recognises that small financial entities may not have the resources to implement the full ICT risk management framework. Thus, it includes a simplified ICT risk management framework for certain small financial entities.

Thou shalt conduct penetration testing

Chapter IV “Digital operational resilience testing” lays down the fundamentals for a comprehensive digital operational resilience testing programme. Article 24 states the following:

Financial entities, other than microenterprises, shall ensure, at least yearly, that appropriate tests are conducted on all ICT systems and applications supporting critical or important functions.

These appropriate tests must be undertaken by independent parties (internal or external) and include, for example, vulnerability assessments and scans, physical security reviews, source code reviews and penetration testing.

In addition to these regular tests, DORA requires certain financial entities to perform regular advanced tests, so-called threat-led penetration tests (TLPT), at least every three years.

A TIBER in sheep's clothing

Threat-led penetration tests (TLPTs) are not a new concept. In 2016, the G7 Cyber Expert Group published its “Fundamental Elements of Cybersecurity for the Financial Sector”, which were amended several times in the years after. One such amendment was the G7FE-TLPT, which specified the fundamental elements of TLPTs. In 2018, the same year the G7FE-TLPT appeared, the ECB released the TIBER-EU framework, which provides detailed guidance on how to perform threat intelligence-based ethical red teaming.

DORA formalizes these earlier efforts and makes them mandatory. As a matter of fact, the European Supervisory Authorities (ESAs) are currently publishing draft versions of the future Regulatory Technical Standards (RTS) for DORA. The draft RTS related to TLPTs explicitly states that DORA TLPT currently differs in some points from the TIBER-EU framework. However, it also states that “the TIBER-EU framework should be updated to comply with these requirements”, implying that performing security assessments in accordance with TIBER-EU will satisfy the requirements of DORA TLPTs in the future.


Need help?

Navigating DORA and other legislation can seem complex and daunting at first. Our experts bring you clarity and will help you on your way to a secure future.

FAQ

No. TLPTs aren’t just regular pentests, and they definitely aren’t a simple vulnerability scan, as many vendors might want you to believe.

TLPT essentially describes red team engagements preceded by a threat intelligence (TI) phase, in which a TI team gathers intelligence about the threat actors the company might realistically face. Those threats are then mimicked by the red team during the attack phase to create a realistic assessment.

After the attack phase of the engagement, the red team and the blue team work together to review the course of events. This includes determining what went well and what went wrong, as well as finding and closing gaps in detection and response capabilities. This is achieved through so-called Purple Teaming.

All in all, the active testing phase of such an assessment takes at least 12 weeks, and it is the most demanding test of your IT security.

DORA specifies two different intervals for security assessments: appropriate tests of all ICT systems supporting critical or important functions at least yearly, and TLPTs at least every three years.

Which of these apply to you depends on the current state of affairs within your company. If you are already performing regular internal and external audits and have an IT risk management framework in place (e.g. based on ISO 27001), the main addition will most likely be a TLPT every three years on top of your existing yearly testing.

TLPTs are, however, a cost to budget for. The RTS specifying the TLPT test procedure currently requires that “the active red teaming test has to be a minimum of 12 weeks”. In combination with all necessary preparations, the TI phase and the closure phase with purple teaming and reporting, you should plan for a duration of at least half a year. In our experience, it is better to calculate with one year from start to finish.

If you are just starting to implement a risk management framework, you should plan for at least a year to set up the necessary risk management processes and procedures.

DORA only mandates TLPT and not TIBER-EU in particular. However, TIBER-EU is planned to satisfy the requirements for TLPT in the future. That means if you already perform security assessments according to the TIBER-EU framework, you should be fine.

The entities affected are defined in Art. 2 of DORA. It includes financial entities (e.g. banks, insurance companies, investment firms) as well as so-called ICT third-party service providers. The latter includes all third parties that provide ICT (Information and Communication Technology) services to the financial entities themselves.

Plainly speaking: If you are managing money in some way or another or you provide ICT services (e.g. software engineering) to those who do, you are most likely affected.

Art. 4 of DORA defines the “Proportionality Principle”:

“Financial entities shall implement the rules laid down in Chapter II in accordance with the principle of proportionality, taking into account their size and overall risk profile, and the nature, scale and complexity of their services, activities and operations.”

This is manifested at multiple places within DORA itself, e.g.:

  • DORA allows certain small financial entities to implement just a simplified ICT risk management framework.
  • TLPTs are only required of financial entities identified by the competent authorities, taking into account factors such as size, systemic importance and ICT risk profile; smaller companies will typically not be selected.
  • “Microenterprises” have a set of further exemptions and amendments, e.g. they are largely excluded from the requirements on digital operational resilience testing (including the yearly tests and TLPT), but should instead perform ICT testing following a risk-based approach.

  • TLPTs are a real-life attack simulation consisting of a threat-intelligence phase and an at least twelve-week-long red teaming phase.
  • TLPTs are not simple scans, vulnerability assessments or pentests.
  • TIBER-EU is an older framework that provides comprehensive guidance on how to perform threat intelligence-based ethical red teaming.
  • TIBER-EU (soon) complies with the requirements for DORA TLPT.

The requirements for external testers who may perform TLPTs can be found in the draft RTS, but they aren’t final yet.

At the time of writing, the requirements for the red team are roughly as follows:

  • A team consisting of a test manager with at least five years of experience plus at least two additional testers, each with at least two years of experience
  • A broad range and appropriate level of professional knowledge
  • Combined participation in at least five previous assessments comparable to TLPTs

Now, at least if you are new to the realm of pentesting and red teaming. TLPTs are complex and are performed on production systems. Therefore, they need to be properly prepared, with at least basic security and recovery measures in place before the engagement starts.

DORA itself will apply from 17 January 2025. By then, you will have to comply with the regulation. That means, among other things, having an effective ICT risk management framework in place and performing regular resilience tests.

During the so-called Purple Teaming, the Red Team and Blue Team work closely together. The goal is to refine the capabilities of the Blue Team through active communication and by replaying the attack steps of the assessment. What went wrong? What went well? How can the detection and response capabilities be improved?

What our customers say

Lutra Security convinced me with their flexibility, well thought-out presentation of the offer and their competence in modern technologies and methods. The precise execution and the comprehensive final report far exceeded my expectations. As a customer, I felt well informed at all times and could easily understand the different phases of the red-teaming approach. I can recommend Lutra Security with a clear conscience to anyone who really takes the issue of security seriously and wants to get more for their money.

— Martin Heiland (CISO, Open-Xchange)

The cooperation with Lutra Security was very constructive. The execution of the penetration test was handled with flexibility and we were always kept informed about the current status. With the very well edited final report, we were able to work on our vulnerabilities. As the professional approach convinced us, our next penetration test will certainly be done with Lutra Security again.

— Claudia Maier (Product Owner, Sopra Financial Technology)

Stefan Feuerstein

Managing director and co-founder

IT security likes to market itself with exaggerated scare tactics. Respect for the topic is important, but important decisions must not be driven by fear.

February 22, 2024