DORA compliance Part 3: Testing for digital operational resilience

The Digital Operational Resilience Act (DORA) has been binding since January 17, 2025. It is supposed to make finance companies resilient against risks relating to digitalization and interconnectedness. One of the five central pillars of the regulation is the introduction and description of obligatory frequent testing for digital operational resilience.

Resilience put through its paces

Digital operational resilience refers to a company’s ability to maintain operations despite technological disruptions or cyberattacks. Strategically building and continuously monitoring this digital resilience helps to mitigate risks, identify vulnerabilities, and ultimately ensure the availability of central services even under extreme conditions. An essential tool for this is the obligatory performance of tests, with which companies regularly and thoroughly vet their IT structures and systems.

Which tests are stipulated by DORA?

All finance companies governed by DORA are required to perform security tests according to Chapter IV, Articles 24 to 27. The tests cover a broad spectrum, from penetration tests (pentesting) to crisis simulations and testing of the ability to restore data. They empower companies to regularly and systematically identify operational resilience vulnerabilities according to state-of-the-art technology, and to take corrective measures based on the findings.

DORA differentiates between two primary ways of testing:

Security tests

These must be carried out for all ICT systems and applications that support critical or important functions and must be performed by an independent party. This could be an external third-party provider or an internal department—as long as there are no conflicts of interest and plenty of resources available.

Threat-led penetration tests (TLPT)

This testing obligation applies to selected large companies within the industry. TLPTs simulate various threat scenarios and techniques and are subject to strict requirements. They are significantly more sophisticated than common pentests. Financial entities deemed important (DORA Art. 6) can only perform TLPTs with the help of external providers.

Which other obligations apply?

Companies must develop test plans based on risks specific to the organization. Depending on the company size and risk profile, testing must be carried out at a certain frequency, the minimum being once a year. The organizations are required to report the test results to the relevant authorities, document them for audits, and directly incorporate findings into their operational and strategic risk planning.

DORA compliance: DORA testing checklist

  • Have you conducted a thorough ICT risk analysis?
  • Is your test plan up to date?
  • Are your systems prepared for penetration testing?
  • Have you implemented clear processes for crisis simulations?
  • Are your backup systems tested and operational?
  • Do you involve your service providers in these tests?
  • Can you guarantee comprehensive documentation of all tests?
  • Have you prepared your reporting procedures to the authorities?

One step ahead of risks

DORA marks a crucial step in strengthening IT security and resilience for companies within the European Union, enhancing their competitiveness in the global financial market. The required tests help identify vulnerabilities early, ensuring they are addressed and mitigated promptly.

Learn more about how Tresorit can help financial organizations manage their data in a safe and compliant manner.