DORA

Preamble (Recital 1 – 106)

Recitals

Chapter I (Article 1 – 4)

General provisions

Article 1

Subject matter

Article 2

Scope

Article 3

Definitions

Article 4

Proportionality principle

Chapter II (Article 5 – 16)

ICT risk management

Section I

Article 5

Governance and organisation

Section II

Article 6

ICT risk management framework

Article 7

ICT systems, protocols and tools

Article 8

Identification

Article 9

Protection and prevention

Article 10

Detection

Article 11

Response and recovery

Article 12

Backup policies and procedures, restoration and recovery procedures and methods

Article 13

Learning and evolving

Article 14

Communication

Article 15

Further harmonisation of ICT risk management tools, methods, processes and policies

Article 16

Simplified ICT risk management framework

Chapter III (Article 17 – 23)

ICT-related incident management, classification and reporting

Article 17

ICT-related incident management process

Article 18

Classification of ICT-related incidents and cyber threats

Article 19

Reporting of major ICT-related incidents and voluntary notification of significant cyber threats

Article 20

Harmonisation of reporting content and templates

Article 21

Centralisation of reporting of major ICT-related incidents

Article 22

Supervisory feedback

Article 23

Operational or security payment-related incidents concerning credit institutions, payment institutions

Chapter IV (Article 24 – 27)

Digital operational resilience testing

Article 24

General requirements for the performance of digital operational resilience testing

Article 25

Testing of ICT tools and systems

Article 26

Advanced testing of ICT tools, systems and processes based on TLPT

Article 27

Requirements for testers for the carrying out of TLPT

Chapter V (Article 28 – 44)

Managing of ICT third-party risk

Section I

Key principles for a sound management of ICT third-party risk

Article 28

General principles

Article 29

Preliminary assessment of ICT concentration risk at entity level

Article 30

Key contractual provisions

Section II

Oversight framework of critical ITC third-party service providers

Article 31

Designation of critical ICT third-party service providers

Article 32

Structure of the Oversight Framework

Article 33

Tasks of the Lead Overseer

Article 34

Operational coordination between Lead Overseers

Article 35

Powers of the Lead Overseer

Article 36

Exercise of the powers of the Lead Overseer outside the Union

Article 37

Request for information

Article 38

General investigations

Article 39

Inspections

Article 40

Ongoing oversight

Article 41

Harmonisation of conditions enabling the conduct of the oversight activities

Article 42

Follow-up by competent authorities

Article 43

Oversight fees

Article 44

International cooperation

Chapter VI (Article 45 – 45)

Information-sharing arrangements

Article 45

Information-sharing arrangements on cyber threat information and intelligence

Chapter VII (Article 46 – 56)

Competent authorities

Article 46

Competent authorities

Article 47

Cooperation with structures and authorities established by Directive (EU) 2022/2555

Article 48

Cooperation between authorities

Article 49

Financial cross-sector exercises, communication and cooperation

Article 50

Administrative penalties and remedial measures

Article 51

Exercise of the power to impose administrative penalties and remedial measures

Article 52

Criminal penalties

Article 53

Notification duties

Article 54

Publication of administrative penalties

Article 55

Professional secrecy

Article 56

Data Protection

Chapter VIII (Article 57 – 57)

Delegated acts

Article 57

Exercise of the delegation

Chapter IX (Article 58 – 64)

Transitional and final provisions

Section I

Article 58

Review clause

Section II

Amendments

Article 59

Amendments to Regulation (EC) No 1060/2009

Article 60

Amendments to Regulation (EU) No 648/2012

Article 61

Amendments to Regulation (EU) No 909/2014

Article 62

Amendments to Regulation (EU) No 600/2014

Article 63

Amendment to Regulation (EU) 2016/1011

Article 64

Entry into force and application

Article 26

Advanced testing of ICT tools, systems and processes based on TLPT

TL;DR The Digital Operations Resilience Act from the EU states that financial entities, with the exception of microenterprises and those in Article 16(1), are required to complete advanced testing via Threat-Led Penetration Testing (TLPT) at least every three years. The scope of the test must cover critical or important functions of the financial entity and must involve ICT third-party service providers contracted by the financial entity. In cases where ICT third-party service providers are included in the scope, the financial entity must take the necessary measures to ensure their compliance. Furthermore, if testing is expected to have an adverse impact on services or data, the financial entity and ICT third-party service providers can agree to jointly conduct pooled testing with external testers. Risk management controls must be implemented to mitigate risks from data damage and disruption of functions. The financial entity must provide to the authority a summary of results and remediation plans, receive an attestation from the authority, and notify the competent authority of the summary and plans. When contracting testers, the financial entity must use external testers once every three tests. The ESAs will develop joint draft regulatory technical standards to specify further criteria, requirements, standards, and cooperation for the implementation of TLPT.

  1. Financial entitiesas defined in Article 2, points (a) to (t), other than entities referred to in Article 16(1), first subparagraph, and other than microenterprisesa financial entity, other than a trading venue, a central counterparty, a trade repository or a central securities depository, which employs fewer than 10 persons and has an annual turnover and/or annual balance sheet total that does not exceed EUR 2 million, which are identified in accordance with paragraph 8, third subparagraph, of this Article, shall carry out at least every 3 years advanced testing by means of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. Based on the risk profile of the financial entity and taking into account operational circumstances, the competent authorityas defined in Article 46 may, where necessary, request the financial entity to reduce or increase this frequency.

    exemption Paragraph has a reduced scope, i.e., it does not apply to all financial entities in Article 2(1) but some or only those of a certain size.

  2. Each threat-led penetration test shall cover several or all critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law of a financial entity, and shall be performed on live production systems supporting such functions.

    Financial entitiesas defined in Article 2, points (a) to (t) shall identify all relevant underlying ICT systems, processes and technologies supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law and ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services, including those supporting the critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law which have been outsourced or contracted to ICT third-party service providersan undertaking providing ICT services.

    Financial entitiesas defined in Article 2, points (a) to (t) shall assess which critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law need to be covered by the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems. The result of this assessment shall determine the precise scope of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems and shall be validated by the competent authoritiesas defined in Article 46.

    COIF Paragraph has special considerations for 'critical or important functions' as defined by Article 3 point 22.

  3. Where ICT third-party service providersan undertaking providing ICT services are included in the scope of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, the financial entity shall take the necessary measures and safeguards to ensure the participation of such ICT third-party service providersan undertaking providing ICT services in the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems and shall retain at all times full responsibility for ensuring compliance with this Regulation.

  4. Without prejudice to paragraph 2, first and second subparagraphs, where the participation of an ICT third-party service provideran undertaking providing ICT services in the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, referred to in paragraph 3, is reasonably expected to have an adverse impact on the quality or security of services delivered by the ICT third-party service provideran undertaking providing ICT services to customers that are entities falling outside the scope of this Regulation, or on the confidentiality of the data related to such services, the financial entity and the ICT third-party service provideran undertaking providing ICT services may agree in writing that the ICT third-party service provideran undertaking providing ICT services directly enters into contractual arrangements with an external tester, for the purpose of conducting, under the direction of one designated financial entity, a pooled TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems involving several financial entitiesas defined in Article 2, points (a) to (t) (pooled testing) to which the ICT third-party service provideran undertaking providing ICT services provides ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services.

    That pooled testing shall cover the relevant range of ICT servicesdigital and data services provided through ICT systems to one or more internal or external users on an ongoing basis, including hardware as a service and hardware services which includes the provision of technical support via software or firmware updates by the hardware provider, excluding traditional analogue telephone services supporting critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law contracted to the respective ICT third-party service provideran undertaking providing ICT services by the financial entitiesas defined in Article 2, points (a) to (t). The pooled testing shall be considered TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems carried out by the financial entitiesas defined in Article 2, points (a) to (t) participating in the pooled testing.

    The number of financial entitiesas defined in Article 2, points (a) to (t) participating in the pooled testing shall be duly calibrated taking into account the complexity and types of services involved.

    COIF Paragraph has special considerations for 'critical or important functions' as defined by Article 3 point 22.

  5. Financial entitiesas defined in Article 2, points (a) to (t) shall, with the cooperation of ICT third-party service providersan undertaking providing ICT services and other parties involved, including the testers but excluding the competent authoritiesas defined in Article 46, apply effective risk management controls to mitigate the risks of any potential impact on data, damage to assets, and disruption to critical or important functionsa function the disruption of which would materially impair the financial performance of a financial entity, or the soundness or continuity of its services and activities, or the discontinued, defective or failed performance of that function would materially impair the continuing compliance of a financial entity with the conditions and obligations of its authorisation, or with its other obligations under applicable financial services law, services or operations at the financial entity itself, its counterparts or to the financial sector.

    COIF Paragraph has special considerations for 'critical or important functions' as defined by Article 3 point 22.

  6. At the end of the testing, after reports and remediation plans have been agreed, the financial entity and, where applicable, the external testers shall provide to the authority, designated in accordance with paragraph 9 or 10, a summary of the relevant findings, the remediation plans and the documentation demonstrating that the TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems has been conducted in accordance with the requirements.

  7. Authorities shall provide financial entitiesas defined in Article 2, points (a) to (t) with an attestation confirming that the test was performed in accordance with the requirements as evidenced in the documentation in order to allow for mutual recognition of threat led penetration tests between competent authoritiesas defined in Article 46. The financial entity shall notify the relevant competent authorityas defined in Article 46 of the attestation, the summary of the relevant findings and the remediation plans.

    Without prejudice to such attestation, financial entitiesas defined in Article 2, points (a) to (t) shall remain at all times fully responsible for the impact of the tests referred to in paragraph 4.

  8. Financial entitiesas defined in Article 2, points (a) to (t) shall contract testers for the purposes of undertaking TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems in accordance with Article 27. When financial entitiesas defined in Article 2, points (a) to (t) use internal testers for the purposes of undertaking TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, they shall contract external testers every three tests.

    Credit institutionsa credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council that are classified as significant in accordance with Article 6(4) of Regulation (EU) No 1024/2013, shall only use external testers in accordance with Article 27(1), points (a) to (e).

    Competent authoritiesas defined in Article 46 shall identify financial entitiesas defined in Article 2, points (a) to (t) that are required to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems taking into account the criteria set out in Article 4(2), based on an assessment of the following:

    1. impact-related factors, in particular the extent to which the services provided and activities undertaken by the financial entity impact the financial sector;

    2. possible financial stability concerns, including the systemic character of the financial entity at Union or national level, as applicable;

    3. specific ICT riskany reasonably identifiable circumstance in relation to the use of network and information systems which, if materialised, may compromise the security of the network and information systems, of any technology dependent tool or process, of operations and processes, or of the provision of services by producing adverse effects in the digital or physical environment profile, level of ICT maturity of the financial entity or technology features involved.

    exemption Paragraph has a reduced scope, i.e., it does not apply to all financial entities in Article 2(1) but some or only those of a certain size.
    proportionality Paragraph allows for application of the proportionality principle according to Article 4.

  9. Member States may designate a single public authorityany government or other public administration entity, including national central banks in the financial sector to be responsible for TLPT-related matters in the financial sector at national level and shall entrust it with all competences and tasks to that effect.

  10. In the absence of a designation in accordance with paragraph 9 of this Article, and without prejudice to the power to identify the financial entitiesas defined in Article 2, points (a) to (t) that are required to perform TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, a competent authorityas defined in Article 46 may delegate the exercise of some or all of the tasks referred to in this Article and Article 27 to another national authority in the financial sector.

  11. The ESAsEuropean Supervisory Authority shall, in agreement with the ECB, develop joint draft regulatory technical standards in accordance with the TIBER-EU framework in order to specify further:

    1. the criteria used for the purpose of the application of paragraph 8, second subparagraph;

    2. the requirements and standards governing the use of internal testers;

    3. the requirements in relation to:

      1. the scope of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems referred to in paragraph 2;

      2. the testing methodology and approach to be followed for each specific phase of the testing process;

      3. the results, closure and remediation stages of the testing;

    4. the type of supervisory and other relevant cooperation which are needed for the implementation of TLPT(threat-led penetration testing) a framework that mimics the tactics, techniques and procedures of real-life threat actors perceived as posing a genuine cyber threat, that delivers a controlled, bespoke, intelligence-led (red team) test of the financial entity’s critical live production systems, and for the facilitation of mutual recognition of that testing, in the context of financial entitiesas defined in Article 2, points (a) to (t) that operate in more than one Member State, to allow an appropriate level of supervisory involvement and a flexible implementation to cater for specificities of financial sub-sectors or local financial markets.

    When developing those draft regulatory technical standards, the ESAsEuropean Supervisory Authority shall give due consideration to any specific feature arising from the distinct nature of activities across different financial services sectors.

    The ESAsEuropean Supervisory Authority shall submit those draft regulatory technical standards to the Commission by 17 July 2024.

    Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph in accordance with Articles 10 to 14 of Regulations (EU) No 1093/2010, (EU) No 1094/2010 and (EU) No 1095/2010.

Table of contents